ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.316s ok github.com/google/syzkaller/pkg/ast 1.613s ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect 21.279s ok github.com/google/syzkaller/pkg/build 24.133s ok github.com/google/syzkaller/pkg/compiler 4.481s ? github.com/google/syzkaller/pkg/config [no test files] ok github.com/google/syzkaller/pkg/cover 44.057s ok github.com/google/syzkaller/pkg/cover/backend (cached) --- FAIL: TestGenerate (35.32s) --- FAIL: TestGenerate/linux/386 (1.56s) csource_test.go:52: seed=1633617755320636792 --- FAIL: TestGenerate/linux/386/0 (1.38s) csource_test.go:118: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 
0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, @supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 
0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
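nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	// The error field of nlmsgerr is negated into errno; the function returns -errno.
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

// Sends nlmsg on sock with no expected reply type; calls exit(1) on failure (dofail=true).
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Issues CTRL_CMD_GETFAMILY for family_name and scans the reply attributes for
// CTRL_ATTR_FAMILY_ID. Returns the id, or -1 (errno = EINVAL when no id was found).
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	// NOTE(review): the walk trusts nla_len from the reply; a zero nla_len would not advance.
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	// Second recv on the same socket; its result is ignored (presumably drains the trailing ack).
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

const int kInitNetNsFd = 239;
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

// Sets or clears IFF_UP on interface_name via SIOCGIFFLAGS/SIOCSIFFLAGS.
// Returns 0 on success, -1 if the socket or either ioctl fails.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	// Bounded copy: ifr_name is a fixed-size array, so an over-long name must not
	// overflow it. The memset above keeps the last byte NUL.
	strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Sends NL80211_CMD_SET_INTERFACE with the given ifindex and iftype; returns netlink_send's result.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Sends NL80211_CMD_JOIN_IBSS built from props; MAC and FREQ_FIXED attributes are
// added only when props->mac / props->wiphy_freq_fixed are set.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Queries RTM_GETLINK for ifindex over a temporary NETLINK_ROUTE socket.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {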
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
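sq_ring_sz : cq_ring_sz;
	// Both mappings use MAP_FIXED at caller-chosen addresses; the results are stored unchecked.
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Copies one SQE (a2) into slot a3 of the SQE array (a1), records the slot index in the
// SQ array of the ring mapped at a0, then publishes the new tail with a release store.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ array offset is computed as the end of the CQE array rounded up to 64 bytes.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates a socketpair, attaches one end to vhci_hcd.0 on a port derived from procid
// and the requested speed (a0), and returns the other end.
// Returns -1 when the per-speed port counter has run past VHCI_HC_PORTS.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// Slots are numbered 0..VHCI_HC_PORTS-1, so the counter value VHCI_HC_PORTS is
	// already out of range (the original test used '>', admitting one extra slot).
	if (available_port_num >= VHCI_HC_PORTS) {
		// Neither socket is handed to anyone on this path; close both so they do not leak.
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns it on every
// later call. Returns NULL if the file cannot be opened, a read fails, or the data
// fills the whole buffer (treated as too large).
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// The original returned here with fd still open; close it and keep
			// errno from the failed read intact for the caller.
			int err = errno;
			close(fd);
			errno = err;
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	// The descriptor is not needed once the data is cached.
	close(fd);
	is_read = true;
	return buf;
}

// Walks the BTF type section of the cached vmlinux BTF looking for a type whose name
// equals the string at a0.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while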
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
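(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };

// Picks the reply for an IN control request during device connect.
//
// Only standard GET_DESCRIPTOR requests are answered. On success *response_data and
// *response_length describe the reply and true is returned; false means the caller
// has no answer (the visible caller stalls ep0 in that case).
// descs may be NULL: strings then fall back to the built-in defaults, a device
// qualifier is synthesized from the device descriptor, and BOS is not answered.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// The string case above accepts a NULL descs; do the same here
				// instead of dereferencing it.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// The original cast response_data (a char**) to a qualifier
					// descriptor and wrote the fields over the caller's pointer
					// variable and whatever followed it. Build the descriptor in
					// per-thread storage and point the reply at that instead; the
					// caller copies the bytes out before the next lookup.
					static __thread struct usb_qualifier_descriptor synthesized;
					struct usb_qualifier_descriptor* qual = &synthesized;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// OUT-request handler for generic devices: accepts only standard SET_CONFIGURATION,
// which also marks the connect sequence as done.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// OUT-request handler for the ath9k variant: accepts SET_CONFIGURATION and the two
// vendor firmware requests; only ATH9K_FIRMWARE_DOWNLOAD_COMP sets *done.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct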
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
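USB_RAW_IOCTL_EVENT_FETCH, event);
}

// Thin wrappers: each issues exactly one raw-gadget ioctl on fd and returns its result.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the index in the device's interface table of the entry matching both
// bInterfaceNumber and bAlternateSetting, or -1 if fd is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with address bEndpointAddress on the
// currently selected interface, or -1 if fd is unknown, no interface is selected,
// or no endpoint has that address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// The original loop condition was just eps_num (no comparison with ep): with a
	// non-zero eps_num and no matching address it never stopped and indexed past
	// eps[]. Bound the scan by the endpoint count.
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Disables the endpoints of the currently selected interface (if any), then enables
// the endpoints of interface n and makes it current.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;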
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
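ep_handle;
	io_data.inner.flags = 0;
	// Clamp the caller-supplied length to the staging buffer before copying into it.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Reads from an endpoint through usb_raw_ep_read().
// a0: descriptor handed to lookup_endpoint()/usb_raw_ep_read(); a1: endpoint value
// (truncated to 8 bits); a2: requested length; a3: destination buffer.
// Returns 0 on success, -1 if lookup_endpoint() fails, or the negative result of
// usb_raw_ep_read().
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp the request so the transfer cannot exceed the stack buffer.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): this copies the requested length, not rv. If usb_raw_ep_read()
	// reports the number of bytes actually transferred (not visible here - confirm),
	// a short read copies uninitialized stack bytes from io_data.data to the caller.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Closes the descriptor in a0, waits 200 ms and returns the result of close().
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Opens a device node.
// If a0 is 0xc or 0xb, the path is /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
// (both numbers truncated to 8 bits) and it is opened O_RDWR.
// Otherwise a0 points to a path template: each '#' is replaced by successive
// decimal digits of a1, least significant first, and the result is opened with
// flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		// Both numbers are cast to uint8_t, so the longest result is
		// "/dev/block/255:255", which fits in buf.
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// strncpy() does not terminate on truncation; the next line does.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Opens a file under /proc for the current process, the current thread (a0 == -1)
// or the task whose id is a0. a1 points to the file name relative to that
// directory. Tries O_RDWR first and falls back to O_RDONLY.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	// snprintf() bounds the caller-supplied name to the 128-byte buffer.
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Queries the pty number of descriptor a0 with TIOCGPTN and opens the matching
// /dev/pts/<n> with flags a1. Returns -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket inside the network namespace referred to by kInitNetNsFd and
// then switches back to the caller's namespace.
// Returns the socket descriptor (or the failing socket() result with its errno
// restored), or -1 if the current namespace cannot be opened or entered.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Release the saved-namespace descriptor on this early exit so repeated
		// failures do not consume descriptors; keep setns()'s errno for the caller.
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	// If the original namespace cannot be restored the process would keep running
	// in the other namespace, so terminate instead.
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolves a generic netlink family name to its id via netlink_query_family_id().
// If sock_arg is negative a temporary NETLINK_GENERIC socket is opened, used with
// dofail set, and closed again. Returns the id, or -1 on failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	// Only close the socket this function opened itself.
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One piece of a filesystem image: `size` bytes at `data`, placed at `offset`.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Sanitizes up to IMAGE_MAX_SEGMENTS caller-supplied segments in place so that each
// one lies inside [0, IMAGE_MAX_SIZE), and returns an image size that is at least
// the end of every sanitized segment and at most IMAGE_MAX_SIZE.
// The clamp on nsegs applies to this function's copy only; callers that iterate
// over the segments must bound their own count.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image must cover the end of the segment (offset + size). After the
		// clamps above that sum cannot exceed IMAGE_MAX_SIZE, so it cannot overflow.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from the segments and attaches it to loop device
// `loopname`. On success stores the memfd and loop descriptors through memfd_p and
// loopfd_p and returns 0; on failure closes what was opened, sets errno and
// returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() sanitizes at most IMAGE_MAX_SEGMENTS entries and
	// clamps only its own copy of nsegs; bound the count here as well so that
	// only sanitized sizes and offsets reach pwrite() below.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		// Write failures are deliberately ignored: a segment whose data pointer
		// is unreadable is simply left out of the image.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The device is still bound to an earlier image: detach it, wait
		// briefly and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Attaches the image described by (size, nsegs, segments) to /dev/loop<procid>,
// turns on partition scanning and symlinks each partition node that appears
// (p1..p7) as ./file0, ./file1, ... in the current directory. The loop device is
// detached again before returning. Returns 0 on success, -1 with errno set on
// failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			// symlink() failure is ignored.
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	close(memfd);
	errno = err;
	return res;
}

// Mounts filesystem `fsarg` on directory `dir` with flags and options `optsarg`.
// When `segments` is non-NULL the image is first attached to /dev/loop<procid> and
// used as the mount source; otherwise the source is NULL.
// Returns a descriptor for the mounted directory, or -1 with errno set.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
			return -1;
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Over-long option strings are not rejected (the branch is empty); they are
	// truncated by the strncpy() below.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	// Copy at most sizeof(opts) - 32 bytes into the zeroed buffer: the string
	// stays terminated and 32 bytes remain for the suffix appended below.
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append errors=continue when the options ask for errors=panic or do
		// not contain errors=remount-ro.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
	}
error_clear_loop:
	if (need_loop_device) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
		close(memfd);
	}
	errno = err;
	return res;
}

static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2,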
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts fusectl on /sys/fs/fuse/connections. The failure branch is empty, so a
// failed mount is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Process-level confinement shared by the sandbox modes: parent-death signal, new
// session, a saved handle to the current network namespace, resource limits,
// best-effort namespace unsharing and fixed SysV IPC sysctls.
static void sandbox_common()
{
	// Have the kernel send SIGKILL to this process when its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	// Keep a descriptor for the current network namespace at the fixed number
	// kInitNetNsFd; failure here is fatal.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource limits; setrlimit() results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB maximum file size
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // 256 open descriptors
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Namespace isolation is best effort: every failure branch below is empty,
	// so the process continues with whatever isolation the kernel granted.
	if (unshare(CLONE_NEWNS)) {
	}
	// Make all mounts private so mount changes do not propagate out.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP in the Linux UAPI headers;
	// presumably written numerically for older libc headers - confirm.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore limits written on every
	// sandbox start; the result of write_file() is not checked.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Waits until child `pid` has been reaped and returns its exit status. A negative
// pid (failed fork) terminates the process. Other children reaped by waitpid(-1)
// in the meantime are discarded.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process; every other capability is left as it
// was. Any capget/capset failure is fatal.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	// Only cap_data[0] is modified: both capability numbers are below 32 in the
	// Linux UAPI headers, so their bits are in the first data word.
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Sandbox mode "none": forks, and in the child applies setup_common(),
// sandbox_common() and drop_caps(), tries to unshare the network namespace and
// enters loop(). The parent waits for the child and returns its exit status.
// No uid/gid change is made here, and only the two capabilities listed in
// drop_caps() are removed.
static int do_sandbox_none(void)
{
	// Best effort: a failed unshare leaves the child in the caller's pid namespace.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	// Also taken when fork() fails; wait_for_loop() exits on a negative pid.
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir`, detaching any mounts found on the way. Unexpected
// errors terminate the process with exit(1).
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	// Detach every mount stacked on the directory itself.
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		// Both outcomes exit; the EMFILE branch has no separate handling left.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		// lstat(), not stat(): a symlink is removed itself, never followed.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear the inode flags (FS_IOC_SETFLAGS with 0) and retry.
				// NOTE(review): this retry path is not bounded by `i`; if
				// unlink() keeps failing with EPERM and open() keeps
				// succeeding, the loop does not terminate. The rmdir loop
				// below limits the same retry to 100 attempts.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// A read-only filesystem cannot be cleaned; leave the file.
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			// New entries appeared after the scan: rescan the directory, at
			// most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Writes `nth` to /proc/thread-self/fail-nth and returns the descriptor, which is
// left open. Any failure terminates the process.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kills `pid` and its process group with SIGKILL and waits until `pid` has been
// reaped, storing the wait status in *status.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	// Poll for up to 100 iterations of 1 ms each.
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// The child has not exited yet: write to the abort file of every FUSE
	// connection listed under /sys/fs/fuse/connections, then block until it exits.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written (the first byte of the path buffer); a
			// write failure is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever is bound to /dev/loop<procid>, if the device can be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test process setup: parent-death SIGKILL, own process group, and an OOM
// score adjustment of 1000.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Writes the fault-injection settings listed below under /sys/kernel/debug. Only
// the entry marked fatal terminates the process when its write fails.
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

#define FUSE_MIN_READ_BUFFER 8192

enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS =
17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header at the start of every reply written to the FUSE descriptor.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Caller-prepared replies, one slot per reply kind. Each pointer may be NULL, in
// which case requests mapped to that slot are not answered.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

// Copies the request's `unique` id into the reply and writes out_hdr->len bytes
// starting at out_hdr. Returns 0 on success, -1 if out_hdr is NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	// out_hdr->len comes from the caller-prepared reply and is used as the write
	// length without a check against the size of the underlying buffer or
	// against sizeof(struct fuse_out_header).
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Reads one request from descriptor a0 into the buffer a1 (length a2) and answers
// it with the reply that a3 (struct syz_fuse_req_out*) provides for the request's
// opcode. Returns 0 when a reply was written or none is needed, -1 otherwise.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	// Buffers smaller than FUSE_MIN_READ_BUFFER are rejected before reading.
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// The header fields are only used once a full header has been read ...
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// ... and the length it declares does not exceed what was actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These opcodes are answered with a bare header, borrowing the init
		// slot. The length is overwritten in the caller's buffer, so the
		// shortened length is what a later FUSE_INIT reply from the same slot
		// will use as well.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is written for these two opcodes.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		// Opcodes without a slot are rejected and not answered.
		return -1;
	}
	// A NULL slot is handled inside fuse_send_response(), which returns -1.
	return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define
WIFI_MAX_INJECT_LEN 2048

// Sends an HWSIM_CMD_REGISTER generic netlink message on `sock` for family
// `hwsim_family`. Returns the result of netlink_send(); negative values are
// passed through to the caller.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Sends an HWSIM_CMD_FRAME message carrying `len` bytes of `data` addressed to
// `mac_addr`, with the default receive rate and signal values. `len` is not
// validated here; the visible caller bounds it to WIFI_MAX_INJECT_LEN.
// Returns the result of netlink_send().
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

// Injects one frame through the "MAC80211_HWSIM" generic netlink family.
// a0: receiver MAC address, a1: frame bytes, a2: frame length, which must be within
// 0..WIFI_MAX_INJECT_LEN. Returns 0 on success, -1 on any failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	// Reject negative and oversized lengths before anything is sent.
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	// NOTE(review): the family id is used without a check for a negative value;
	// whether netlink_query_family_id() can return one when called with `true`
	// is not visible here - confirm.
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts interface a0 into an IBSS with SSID a1 (length a2) via the "nl80211"
// family. a3 selects one of the WIFI_JOIN_IBSS_* modes; in the two NO_SCAN modes
// the frequency is marked fixed, and in WIFI_JOIN_IBSS_NO_SCAN the call also
// waits for the interface to reach IF_OPER_UP. Returns 0 on success, -1 on
// invalid arguments or failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	// Bound the SSID length and the mode before building any message.
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// Calls the address in `text` as a function taking and returning nothing, then
// returns 0. The address is not validated in any way; control goes to whatever
// the caller placed there.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Runs execute_one() repeatedly, each time in a fresh child process with its own
// working directory ./<iter>. The parent polls for the child's exit, kills it
// once 5000 ms have passed, and removes the directory afterwards. Never returns.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: run one iteration inside its own directory and exit.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5000)
				continue;
			// Time budget exceeded: kill the child and reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define them.
#ifndef __NR_clock_gettime
#define __NR_clock_gettime 265
#endif
#ifndef __NR_getegid
#define __NR_getegid 50
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_openat2
#define
__NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; 
*(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); 
STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 
0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 
0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); 
memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); 
memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; 
*(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; *(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 
0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; res = syscall(__NR_getegid); if (res != -1) r[15] = res; memcpy((void*)0x20001680, "\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\x
bf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x90\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x
13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x37\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x
78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x
9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x73\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x
8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x
73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x48\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x
02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x
64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x43\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x
99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x11\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x
07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\x
d6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x
00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\x
f1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x
15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x
38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x80\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x
6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; 
*(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; *(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; 
*(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; 
*(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; *(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; 
*(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; *(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 
0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; *(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; 
*(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; *(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; 
*(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); syz_init_net_socket(0x24, 2, 0); res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, (intptr_t)r[16], 0); if (res != -1) r[17] = res; res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, 
"\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; 
memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; *(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, 
"\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); syz_open_pts(r[16], 0x583000); *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 0x71c; 
*(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 0; 
*(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; *(uint16_t*)0x2000785e = 
0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; *(uint32_t*)0x20007a42 = 
1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 0x7e; *(uint32_t*)0x20007e00 
= 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; *(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; 
*(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; syz_usb_disconnect(r[23]); *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; *(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; 
*(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; *(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; 
*(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; 
*(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); syz_usbip_server_init(1); } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :103:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :90:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :85:13: error: 'csum_inet_init' defined but not used [-Werror=unused-function] cc1: all warnings being treated as errors 
compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor354628595 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/17 (1.49s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, @supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, 
{0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, 
@mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], "c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, {0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, 
&(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, &(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, 
&(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 
0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, 
{&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, {&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, 
{&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, {&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, 
{&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, {&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 
0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, "70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, 
"f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, 
"10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, &(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 
0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "b35e852c500147880fa2f6dcc5d4e16a59df9bff5d44ac9f6680a31b1ebce7f4d4afe6d2ae93f6eee79b703b03f7a0ebea72bdc3ca70ded450bedec42d31beced3625c6bfa5dc9897b68a4e8b1a54b9444b85a77d52efea02e84045a2c51af22596a4c59a43c590c4d1369d229db0f228b739b41419c00708219ac07585dcaded8820f6fe0b35e7496ca59ebd93c1cfbeca8666928613fb084cb1ad930cfed80a024b803fc94967f08d731d0647cee073e55844b9978ae6035865fd98991fb7a5fa3f00529e81f1d3b853a0db041eaa3777ba10fe753674a698cd389bf5bca626cb8c7bf9b71150d572d07d9a11855a419fb0212d9a5bf2c3360357cf942511f"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, 
"7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, "df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, 
{{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, 
&(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define 
STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { 
return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { 
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
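sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Queues one submission entry on a mapped io_uring.
//   a0: address of the mapped ring, a1: address of the SQE array,
//   a2: address of the SQE to copy in, a3: requested SQE slot.
// The slot is reduced modulo the ring's entry count when that count is
// non-zero, the SQE is copied into it, the slot index is stored in the SQ
// index array at the current tail, and tail + 1 is published with release
// ordering. All ring geometry is read from the fixed *_OFFSET positions and
// none of the addresses or values read from the ring are validated here.
// Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array sits after the CQEs, rounded up to a 64-byte boundary.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates an AF_UNIX stream socket pair and writes an attach request for one
// end to the vhci_hcd.0 sysfs "attach" file.
//   a0: USB speed; USB_SPEED_SUPER selects the second group of port slots.
// Returns the other end of the socket pair, or -1 when the per-class slots
// are used up. Exits the process if socketpair() fails. The result of the
// sysfs write is not checked.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// Valid slots are 0 .. VHCI_HC_PORTS - 1. The value VHCI_HC_PORTS itself
	// would make port_num below land on the first slot of the next group, so
	// it is rejected too (the check used to be '>').
	if (available_port_num >= VHCI_HC_PORTS) {
		// Do not leak the socket pair on the failure path.
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
// buffer on this and every later call. Returns NULL if the file cannot be
// opened, a read fails, or the data fills the whole buffer (larger than
// VMLINUX_MAX_SUPPORT_SIZE is not supported). The descriptor is closed on
// every path; it used to be left open.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while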
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
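(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the reply for a device-to-host standard GET_DESCRIPTOR request during
// connect. On success stores a pointer to the reply in *response_data and its
// length in *response_length and returns true; returns false for any other
// request, when fd has no registered descriptor index, or when a BOS
// descriptor is requested and descs is NULL.
//
// descs may be NULL (the connect helpers are called with a zero descriptors
// argument in the program above). The STRING case already allowed for that;
// the BOS and DEVICE_QUALIFIER cases used to dereference it unconditionally.
//
// The DEVICE_QUALIFIER fallback used to build the descriptor through
// response_data itself, i.e. on top of the caller's pointer variable, which
// overwrote that pointer and the bytes after it and never set *response_data
// to real storage. It is now built in thread-local storage that stays valid
// until the next call on the same thread.
// NOTE(review): assumes the caller copies the reply out before calling again - confirm.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// The string index is the low byte of wValue.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No caller-supplied descriptors means there is no BOS to return.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive the qualifier from the device descriptor.
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Host-to-device handler used during connect: accepts only the standard
// SET_CONFIGURATION request and sets *done when it arrives. fd and descs are
// not used.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k variant of the host-to-device handler: accepts SET_CONFIGURATION and
// the vendor ATH9K_FIRMWARE_DOWNLOAD request without finishing, and sets
// *done only on ATH9K_FIRMWARE_DOWNLOAD_COMP. fd and descs are not used.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct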
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
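USB_RAW_IOCTL_EVENT_FETCH, event);
}

// The helpers below are thin wrappers: each issues exactly one raw-gadget
// ioctl on fd and returns the ioctl result unchanged (negative on failure).

// Issues USB_RAW_IOCTL_EP0_WRITE with the caller-filled io request.
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP0_READ with the caller-filled io request.
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

// Issues USB_RAW_IOCTL_EP_WRITE; io->ep selects the endpoint handle.
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

// Issues USB_RAW_IOCTL_EP_READ; io->ep selects the endpoint handle.
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// Issues USB_RAW_IOCTL_EP_ENABLE for the given endpoint descriptor.
// set_interface() stores a non-negative result as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// Issues USB_RAW_IOCTL_EP_DISABLE; ep is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

// Issues USB_RAW_IOCTL_CONFIGURE with a zero argument.
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issues USB_RAW_IOCTL_VBUS_DRAW; power is passed by value as the ioctl argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL with a zero argument.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the entry whose interface number
// and alternate setting both match, or -1 when fd has no device index or no
// entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the handle stored for the endpoint of the currently selected
// interface whose descriptor carries bEndpointAddress, or -1 when fd has no
// device index, no interface is selected (iface_cur < 0), or no endpoint
// matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// Bound the scan by eps_num, as set_interface() does. The condition used
	// to be eps_num on its own, so for an interface with endpoints and an
	// address that matched none of them the loop never ended and read past
	// the end of eps[].
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;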
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
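"char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		// a0 is a pointer to a path template. It is copied with truncation
		// to fit buf, and every '#' is replaced by successive decimal digits
		// of a1, least significant first.
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Opens a file under /proc for the current process (a0 == 0), the current
// thread (a0 == -1) or task a0 of the current process. a1 points to the file
// name. Tries O_RDWR first and falls back to O_RDONLY; returns the descriptor
// or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Queries the pty number of descriptor a0 with TIOCGPTN and opens the
// matching /dev/pts/N with open flags a1. Returns -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket inside the network namespace held open at kInitNetNsFd and
// then switches back to the namespace the caller was in. Returns the socket
// (or the failed syscall's result) with errno preserved from the socket call.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace descriptor on this early exit; keep
		// the errno of the failed setns() for the caller.
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	// Being unable to return to the original namespace is fatal: the process
	// would otherwise keep running in the wrong one.
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolves a generic netlink family name to its id. With a negative sock_arg
// a temporary NETLINK_GENERIC socket is created and closed again, and the
// lookup is made with dofail set; otherwise the caller's socket is used.
// Returns the id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

// One chunk of a filesystem image: size bytes at data, to be placed at offset
// within the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded syscall number used for memfd_create.
#define sys_memfd_create 356

// Sanitizes the first min(nsegs, IMAGE_MAX_SEGMENTS) segments in place so that
// each one lies inside [0, IMAGE_MAX_SIZE), and returns the image size needed
// to hold them: at least the requested size, at most IMAGE_MAX_SIZE.
// nsegs is a by-value parameter, so the clamp here does not reach the caller.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The end of a segment is offset + size. This used to add the
		// offset to itself, which ignored the segment length. The sum
		// cannot exceed IMAGE_MAX_SIZE after the clamps above.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from segs in a memfd and attaches it to the loop
// device loopname. On success stores both descriptors through memfd_p and
// loopfd_p and returns 0; on failure closes what was opened, sets errno to the
// first error and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	// Apply the segment-count limit here as well: fs_image_segment_check()
	// only sanitizes the first IMAGE_MAX_SEGMENTS entries, so the write loop
	// below must not go on to entries that were never checked.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// Segment writes are best-effort: a failed pwrite is ignored.
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The device is still bound to an earlier backing file: detach it,
		// wait briefly and try once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,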
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	// In this listing the body does nothing with its arguments and always
	// returns 0.
	return 0;
}

// Mounts fusectl at /sys/fs/fuse/connections; a failed mount is ignored.
// kill_and_wait() later writes to the abort files under this directory.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Process-level containment applied before the test loop runs: parent-death
// signal, new session, a saved handle to the current network namespace,
// resource limits, fresh namespaces and fixed SysV IPC sysctls.
// NOTE(review): apart from the two exit(1) checks around the netns handle,
// every setrlimit()/unshare()/mount()/write_file() result here is ignored, so
// the isolation in force depends on the kernel configuration and on the
// privileges of the caller. Treat it as best-effort containment of the
// generated program, not as a security boundary.
static void sandbox_common()
{
	// Deliver SIGKILL to this process when its parent dies.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	// Keep the network namespace that is current at this point open at the
	// fixed descriptor kInitNetNsFd. syz_init_net_socket() setns()es into it,
	// and do_sandbox_none() unshares CLONE_NEWNET only after this call.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	// Address space: 200 MiB.
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	// Locked memory: 32 MiB.
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	// Largest file: 136 MiB, which is above IMAGE_MAX_SIZE (129 MiB).
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	// Stack: 1 MiB.
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	// No core dumps.
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	// At most 256 open descriptors.
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// New mount namespace, then mark the whole tree private so that mounts
	// made here do not propagate back out.
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP, written as a literal.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// Fixed SysV shared-memory, message-queue and semaphore limits, written
	// after the CLONE_NEWIPC unshare above.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Exits with status 1 if pid is negative (the caller passes fork()'s result).
// Otherwise reaps children until waitpid() returns pid, then returns that
// child's exit status.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process (cap_data[0] only); exits with
// status 1 if capget or capset fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr,
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, 
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } static void setup_binfmt_misc() { if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) { } write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:"); write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC"); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP 
= 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long 
syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; 
break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define 
WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } 
if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; 
*(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 
0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); 
STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 
0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, 
"\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; 
memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; 
*(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } /* main: entry point of the generated program. It issues three mmap syscalls at fixed addresses, then calls setup_binfmt_misc(), setup_fault(), use_temporary_dir() and do_sandbox_none() (all defined outside this excerpt) and returns 0. */ int main(void) { /* One page at 0x1ffff000 with prot 0 (no access), ending exactly where the data region starts; presumably a guard page. Flags 0x32 are MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux. */ syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); /* 0x1000000 bytes (16 MiB) at 0x20000000 with prot 7 (read|write|exec), same flags. The raw 0x2000.... stores and memcpy targets in the switch cases above fall inside this range. NOTE(review): the whole region is writable and executable at the same time. */ syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); /* One page at 0x21000000 with prot 0, starting exactly where the data region ends; presumably the upper guard page. The return values of all three mmap calls are not checked. */ syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_binfmt_misc(); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined
but not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor229227898 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/1 (1.50s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 
0xac, 0x6}}, @supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="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", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, 
{0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, &(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 
0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, 
{&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "b35e852c500147880fa2f6dcc5d4e16a59df9bff5d44ac9f6680a31b1ebce7f4d4afe6d2ae93f6eee79b703b03f7a0ebea72bdc3ca70ded450bedec42d31beced3625c6bfa5dc9897b68a4e8b1a54b9444b85a77d52efea02e84045a2c51af22596a4c59a43c590c4d1369d229db0f228b739b41419c00708219ac07585dcaded8820f6fe0b35e7496ca59ebd93c1cfbeca8666928613fb084cb1ad930cfed80a024b803fc94967f08d731d0647cee073e55844b9978ae6035865fd98991fb7a5fa3f00529e81f1d3b853a0db041eaa3777ba10fe753674a698cd389bf5bca626cb8c7bf9b71150d572d07d9a11855a419fb0212d9a5bf2c3360357cf942511f"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 
0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, "df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 
0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, 
&(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define 
STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { 
return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { 
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
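#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
// buffer on this and every later call.
//
// Returns NULL when the file cannot be opened, when read() fails, or when the
// data would fill the whole VMLINUX_MAX_SUPPORT_SIZE buffer. The number of
// bytes read is not reported to the caller, so a caller that walks the buffer
// has only the lengths stored inside the BTF data to go by.
//
// The descriptor is now closed on every path. Previously it was never closed,
// neither after a successful read nor on the error returns.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A completely full buffer is treated as "file too large".
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}

	close(fd);
	is_read = true;
	return buf;
}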
// syz_memcpy_off(dest, dest_off, src, src_off, n)
//
// Copies n bytes from src + src_off to dest + dest_off and returns the
// destination address as a long. Both offsets are truncated to 32 bits.
// Neither the pointers nor the length are validated: they come straight from
// the generated program.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* const dst_base = (char*)a0;
	const uint32_t dst_shift = (uint32_t)a1;
	char* const src_base = (char*)a2;
	const uint32_t src_shift = (uint32_t)a3;
	const size_t count = (size_t)a4;

	void* const written = memcpy(&dst_base[dst_shift], &src_base[src_shift], count);
	return (long)written;
}
// Claims the next free slot in usb_devices, parses the descriptor blob into
// that slot's index and then publishes the slot by storing fd into it.
//
// Returns the slot's index, or NULL when all USB_MAX_FDS slots are taken or
// the descriptors do not parse. The slot counter is incremented in either
// case, so a failed parse still consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	const int slot = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (slot >= USB_MAX_FDS)
		return NULL;

	struct usb_info* const entry = &usb_devices[slot];
	if (!parse_usb_descriptor(dev, dev_len, &entry->index))
		return NULL;

	// Release store: the parsed index is written before the fd that
	// lookup_usb_index() matches on becomes visible.
	__atomic_store_n(&entry->fd, fd, __ATOMIC_RELEASE);
	return &entry->index;
}
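// Chooses the reply for an IN control request received while the emulated
// device is being connected.
//
// Only standard GET_DESCRIPTOR requests are answered. On success
// *response_data and *response_length describe the reply and true is returned.
// false means the caller should stall the request.
//
// descs is supplied by the generated program and may be NULL.
//
// Two defects are fixed here:
//  - The synthesized DEVICE_QUALIFIER descriptor used to be written through
//    response_data itself, i.e. over the caller's pointer variable and
//    whatever follows it, and *response_data was never set to valid storage.
//    It is now built in thread-local storage and *response_data points there.
//  - USB_DT_BOS and USB_DT_DEVICE_QUALIFIER dereferenced descs without the
//    NULL check that the USB_DT_STRING case already has.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	// Backing storage for a synthesized qualifier. It must outlive this call
	// because the caller copies from *response_data after we return.
	static __thread struct usb_qualifier_descriptor synth_qual;

	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The high byte of wValue selects the descriptor type.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No caller-provided descriptors means there is no BOS to return.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive the qualifier from the device descriptor.
					synth_qual.bLength = sizeof(synth_qual);
					synth_qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					synth_qual.bcdUSB = index->dev->bcdUSB;
					synth_qual.bDeviceClass = index->dev->bDeviceClass;
					synth_qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					synth_qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					synth_qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					synth_qual.bNumConfigurations = index->dev->bNumConfigurations;
					synth_qual.bRESERVED = 0;
					*response_data = (char*)&synth_qual;
					*response_length = sizeof(synth_qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}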
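// Picks the reply for a control request from the tables supplied by the
// generated program.
//
// GET_DESCRIPTOR requests are matched against descs by (request type,
// descriptor type). Every other request is matched against resps by (request
// type, request). If nothing matches, the table's "generic" entry is used when
// present. Returns true and fills *response_data / *response_length on a
// match. A matching entry with len == 0 yields a NULL data pointer.
//
// descs->len and resps->len are byte sizes that include the table header. A
// value smaller than the header used to wrap in the unsigned subtraction.
// Depending on the width of size_t the resulting entry count could be a large
// positive number, and the loops would then read pointers past the end of the
// caller's array. Such tables are now treated as having no entries.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps,
				    struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;

	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);

	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;

	if (req == USB_REQ_GET_DESCRIPTOR) {
		for (int i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				*response_data = (*response_length != 0) ? &desc->data[0] : NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		for (int i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				*response_data = (*response_length != 0) ? &resp->data[0] : NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}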
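// Issues USB_RAW_IOCTL_INIT on fd with the given UDC driver name, device name
// and speed, and returns the ioctl result.
//
// strncpy() with the full field size leaves a field without a terminating NUL
// when the source is UDC_NAME_LENGTH_MAX bytes or longer. The structure is now
// zeroed first and at most size - 1 bytes are copied, so both names handed to
// the kernel are always NUL-terminated.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;

	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}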
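// Returns the raw-gadget handle of the endpoint with address bEndpointAddress
// on the currently selected interface of the device behind fd. Returns -1 if
// fd is unknown, no interface is selected, or no endpoint matches.
//
// The loop condition used to be just `eps_num`, with no comparison against
// ep. For an interface with at least one endpoint and no matching address the
// loop never terminated on its own and indexed past the end of eps[]. It is
// now bounded by eps_num.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	const struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}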
// Handles SET_CONFIGURATION for the device behind fd: reports the power draw
// taken from the parsed configuration descriptor, marks the gadget as
// configured and then selects interface 0.
//
// Returns 0 on success, -1 when fd has no index entry, or the negative result
// of the first failing raw-gadget call.
static int configure_device(int fd)
{
	struct usb_device_index* dev_index = lookup_usb_index(fd);
	if (dev_index == NULL)
		return -1;

	int status = usb_raw_vbus_draw(fd, dev_index->bMaxPower);
	if (status >= 0)
		status = usb_raw_configure(fd);
	if (status < 0)
		return status;

	set_interface(fd, 0);
	return 0;
}
// syz_usb_control_io(fd, descs, resps)
//
// Fetches one event from the raw-gadget fd and, if it is a control request,
// answers it: IN requests with a non-zero wLength are answered from the
// descs/resps tables, everything else is completed with an ep0 read.
// Returns 0 on success, -1 for a non-control event or an unmatched IN
// request (which is stalled), or the negative result of a failing ioctl.
//
// descs and resps are supplied by the generated program. The length clamps
// below are the only bound on how much of their data is copied.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	// Room offered to the kernel for the event payload.
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||`, every STANDARD request that reaches this
		// branch (not only SET_INTERFACE) has wIndex/wValue looked up as an
		// interface/altsetting pair. Confirm whether `&&` was intended.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// A reply larger than the local buffer is dropped to zero length, not
	// truncated. This keeps the memcpy/memset below inside response.data.
	if (response_length > sizeof(response.data))
		response_length = 0;
	// Never send more than the host asked for.
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with wLength == 0 takes the ep0 read path below with a
	// full-size buffer. response_data is still NULL here, so it is zero-filled.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// syz_usb_ep_read(fd, ep, len, data)
//
// Reads up to len bytes (capped at USB_MAX_PACKET_SIZE) from the endpoint with
// address ep on the current interface and copies them to data. Returns 0 on
// success, -1 if the endpoint is unknown, or the negative ioctl result.
//
// NOTE(review): the copy to data uses the requested length, not the ioctl
// return value, and io_data is not initialised. If the ioctl fills fewer bytes
// than requested, the remainder copied out is whatever was on the stack.
// Confirm whether that is acceptable for callers.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	const int fd = a0;
	const uint8_t ep_addr = a1;
	uint32_t want = a2;
	char* const out = (char*)a3;

	const int handle = lookup_endpoint(fd, ep_addr);
	if (handle < 0)
		return -1;

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = handle;
	io_data.inner.flags = 0;
	// Cap the request at the size of the local buffer.
	if (want > sizeof(io_data.data))
		want = sizeof(io_data.data);
	io_data.inner.length = want;

	const int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;

	memcpy(out, io_data.data, io_data.inner.length);
	sleep_ms(200);
	return 0;
}
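struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Sanitizes the segment list of a filesystem image in place and returns the
// image size to allocate.
//
// Each of the first min(nsegs, IMAGE_MAX_SEGMENTS) segments is clamped so that
// offset + size stays within IMAGE_MAX_SIZE. The returned size is grown to
// cover every clamped segment and capped at IMAGE_MAX_SIZE.
//
// The size used to be grown to offset + offset, which looks like a typo for
// offset + size. The returned image size could therefore end before the last
// byte of a segment or extend well past it.
//
// nsegs is clamped only in this function's own copy. A caller that iterates
// with its original count will touch segments this function never sanitized.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		// After this, offset + size <= IMAGE_MAX_SIZE, so the sum below cannot wrap.
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}

	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}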
// syz_mount_image(fs, dir, size, nsegs, segments, flags, opts)
//
// Mounts a filesystem of type fs on dir and returns a read-only directory fd
// for the mount point, or -1 with errno set. When segments is non-NULL the
// image is first assembled on this process's loop device. The loop device and
// memfd are released again before returning, on both the success and the
// failure path.
//
// The filesystem type, target path, image contents and mount options all come
// from the generated program.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	struct fs_image_segment* image_segs = (struct fs_image_segment*)segments;
	int result = -1, saved_errno = 0, loop_fd = -1, mem_fd = -1;
	const int use_loop = !!image_segs;
	char* raw_opts = (char*)optsarg;
	char* mount_point = (char*)dir;
	char* fs_type = (char*)fsarg;
	char* device = NULL;
	char loop_path[64];

	if (use_loop) {
		memset(loop_path, 0, sizeof(loop_path));
		snprintf(loop_path, sizeof(loop_path), "/dev/loop%llu", procid);
		if (setup_loop_device(size, nsegs, image_segs, loop_path, &mem_fd, &loop_fd) == -1)
			return -1;
		device = loop_path;
	}

	mkdir(mount_point, 0777);

	// Options are truncated to leave 32 bytes of slack for the suffixes
	// appended below. Over-long input is not reported (the check is empty).
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(raw_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, raw_opts, sizeof(opts) - 32);

	if (strcmp(fs_type, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs_type, "ext", 3) == 0) {
		// Append errors=continue when errors=panic is requested or when
		// errors=remount-ro is absent.
		const bool wants_panic = strstr(opts, "errors=panic") != NULL;
		const bool has_remount_ro = strstr(opts, "errors=remount-ro") != NULL;
		if (wants_panic || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs_type, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}

	result = mount(device, mount_point, fs_type, flags, opts);
	if (result == -1) {
		saved_errno = errno;
	} else {
		result = open(mount_point, O_RDONLY | O_DIRECTORY);
		if (result == -1)
			saved_errno = errno;
	}

	if (use_loop) {
		ioctl(loop_fd, LOOP_CLR_FD, 0);
		close(loop_fd);
		close(mem_fd);
	}
	errno = saved_errno;
	return result;
}
// Process-level confinement shared by the sandbox modes: parent-death signal,
// new session, a saved handle on the initial network namespace, resource
// limits, fresh namespaces and SysV IPC sysctls.
//
// Only failure to save the initial network namespace is fatal. The
// setrlimit(), unshare(), mount() and sysctl writes are all best-effort: their
// results are ignored, so on a kernel that refuses one of them the process
// continues without that restriction.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();

	// Keep the initial net namespace reachable at the fixed fd kInitNetNsFd.
	int initial_ns = open("/proc/self/ns/net", O_RDONLY);
	if (initial_ns == -1)
		exit(1);
	if (dup2(initial_ns, kInitNetNsFd) < 0)
		exit(1);
	close(initial_ns);

	static const struct {
		int resource;
		rlim_t value;
	} limits[] = {
	    {RLIMIT_AS, (200 << 20)},
	    {RLIMIT_MEMLOCK, 32 << 20},
	    {RLIMIT_FSIZE, 136 << 20},
	    {RLIMIT_STACK, 1 << 20},
	    {RLIMIT_CORE, 0},
	    {RLIMIT_NOFILE, 256},
	};
	for (unsigned k = 0; k < sizeof(limits) / sizeof(limits[0]); k++) {
		struct rlimit rlim;
		rlim.rlim_cur = rlim.rlim_max = limits[k].value;
		setrlimit(limits[k].resource, &rlim);
	}

	// New mount namespace, with every mount made private in it.
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}

	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically in the original.
	static const int more_namespaces[] = {CLONE_NEWIPC, 0x02000000, CLONE_NEWUTS, CLONE_SYSVSEM};
	for (unsigned k = 0; k < sizeof(more_namespaces) / sizeof(more_namespaces[0]); k++) {
		if (unshare(more_namespaces[k])) {
		}
	}

	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	const sysctl_t* const end = sysctls + sizeof(sysctls) / sizeof(sysctls[0]);
	for (const sysctl_t* entry = sysctls; entry != end; entry++)
		write_file(entry->name, entry->value);
}
// Entry point for the "none" sandbox. Forks; the parent waits for the child
// and returns its exit status, and the child applies the common setup and then
// runs loop(), which is not expected to return.
//
// Even in this mode the child goes through sandbox_common() and drop_caps().
// Both namespace unshare() calls here are best-effort: a failure is ignored
// and execution continues in the existing namespace.
static int do_sandbox_none(void)
{
	// Requested before fork() so that the child is created in the new PID namespace.
	if (unshare(CLONE_NEWPID)) {
	}

	const int child = fork();
	if (child == 0) {
		setup_common();
		sandbox_common();
		drop_caps();
		if (unshare(CLONE_NEWNET)) {
		}
		loop();
		exit(1);
	}
	// Parent. A negative pid (fork failure) is passed on as well.
	return wait_for_loop(child);
}
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 
17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; 
if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define 
WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = 
(uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 
50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; 
switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; 
*(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, 
, 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; 
*(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); 
STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, 
"\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); 
*(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; 
*(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used 
[-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor362785765 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/4 (1.50s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, 
@supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
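nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/* Sends nlmsg on sock with no typed reply expected and dofail=true. */
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

/*
 * Resolves a generic netlink family name to its numeric id.
 *
 * Builds a CTRL_CMD_GETFAMILY request in nlmsg, sends it on sock and scans
 * the reply attributes for CTRL_ATTR_FAMILY_ID.
 * Returns the id, or -1 (errno = EINVAL when the reply carries no id).
 */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	const char* end = nlmsg->buf + n;
	/*
	 * Walk the attributes without trusting nla_len: each header must fit in
	 * the received bytes, and a length shorter than the header (which would
	 * never advance the cursor) or longer than the remainder ends the scan.
	 */
	while ((char*)attr + sizeof(*attr) <= end) {
		size_t attr_len = attr->nla_len;
		if (attr_len < sizeof(*attr) || attr_len > (size_t)(end - (char*)attr))
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr_len >= sizeof(*attr) + sizeof(uint16_t))
				id = *(uint16_t*)(attr + 1);
			break;
		}
		attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr_len));
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	/* Second read on the socket; presumably drains the trailing ACK - confirm. */
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

const int kInitNetNsFd = 239;
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters passed to nl80211_join_ibss(). */
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

/*
 * Sets or clears IFF_UP on the named interface via SIOCGIFFLAGS/SIOCSIFFLAGS.
 * Returns 0 on success, -1 on failure.
 */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	/*
	 * ifr_name is a fixed-size array; the original unbounded strcpy() would
	 * write past it for a long name. Reject such names instead of truncating,
	 * so the ioctl never acts on a different interface than the one requested.
	 */
	if (strlen(interface_name) >= sizeof(ifr.ifr_name)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	/* Length was checked above; the memset leaves the name NUL-terminated. */
	strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/* Sends NL80211_CMD_SET_INTERFACE for ifindex with the given iftype; returns netlink_send()'s result. */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send(nlmsg, sock);
}

/*
 * Sends NL80211_CMD_JOIN_IBSS for ifindex using props; returns netlink_send()'s result.
 * NOTE(review): props->ssid_len is copied into the message without a bound
 * here; netlink_send_ext() only checks the total size after the copy - confirm
 * callers keep it small.
 */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send(nlmsg, sock);
}

static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {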
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
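sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

/*
 * Copies one submission queue entry into the SQE array and publishes it.
 *
 * a0: ring mapping, a1: SQE array mapping, a2: SQE to copy, a3: SQE slot.
 * The slot is reduced modulo the ring's entry count (when non-zero), recorded
 * in the SQ index array at the current tail, and the tail is advanced with a
 * release store. Always returns 0.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	/* The SQ index array starts after the CQEs, rounded up to 64 bytes. */
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/*
 * Creates a socket pair and attaches one end to a vhci_hcd port.
 *
 * a0: USB speed. Returns the server-side socket fd, or -1 once the per-speed
 * port counter is exhausted. Exits the process if socketpair() fails.
 */
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	/*
	 * NOTE(review): with VHCI_HC_PORTS ports per hub, index VHCI_HC_PORTS
	 * itself still passes this check; ">=" may be intended - confirm.
	 */
	if (available_port_num > VHCI_HC_PORTS) {
		/* Neither end is handed out on this path, so release both fds. */
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	/* write_file() takes a printf-style format, so pass the text as data. */
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer on first use and returns
 * that buffer on every later call.
 *
 * Returns NULL if the file cannot be opened or read, or if it fills the whole
 * buffer (in which case it may have been truncated). The descriptor is closed
 * on every path; the original never closed it.
 * NOTE(review): the number of bytes read is not reported to the caller, so the
 * parser cannot bound its accesses by the real file size - confirm that is
 * acceptable.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while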
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
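(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };

/*
 * Picks the reply for an IN control request received while connecting.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success the function
 * stores a pointer to the reply and its length in *response_data and
 * *response_length and returns true; it returns false for any other request or
 * when fd has no descriptor index.
 *
 * Two defects of the original are fixed here:
 *  - the BOS and DEVICE_QUALIFIER cases dereferenced descs without the NULL
 *    check the STRING case already had;
 *  - the generated qualifier descriptor was written through response_data
 *    itself (a char**), i.e. over the caller's pointer variable and past it,
 *    and *response_data was never pointed at a valid buffer. It is now built
 *    in per-thread storage that *response_data refers to.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* The descriptor type is the high byte of wValue. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				/* No caller-provided string: index 0 gets the language id table. */
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* Nothing to return without caller-provided descriptors. */
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Derive a qualifier from the device descriptor. The
					 * storage is per-thread so concurrent connects do not
					 * share it; the caller must use it before the next call
					 * on the same thread.
					 */
					static __thread struct usb_qualifier_descriptor default_qual;
					struct usb_qualifier_descriptor* qual = &default_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/*
 * Generic OUT-request handler for the connect phase: accepts only the
 * standard SET_CONFIGURATION request and sets *done when it arrives.
 */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k OUT-request handler for the connect phase: accepts SET_CONFIGURATION
 * and the two vendor requests above, and sets *done only on
 * ATH9K_FIRMWARE_DOWNLOAD_COMP.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct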
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
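USB_RAW_IOCTL_EVENT_FETCH, event);
}

/* Thin wrappers: each issues one raw-gadget ioctl on fd and returns ioctl()'s result. */

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Returns the position in the device's interface table of the entry matching
 * both bInterfaceNumber and bAlternateSetting, or -1 if fd is unknown or no
 * entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Returns the endpoint handle recorded for bEndpointAddress on the currently
 * selected interface, or -1 if fd is unknown, no interface is selected, or no
 * endpoint has that address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	/*
	 * The original loop condition was just "eps_num", with no comparison
	 * against ep: for a non-empty interface without a matching address it
	 * never terminated and indexed past eps[]. Bound the scan by eps_num.
	 */
	for (int ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}

static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;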
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
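ep_handle;
    io_data.inner.flags = 0;
    // Clamp the caller-supplied length to the on-stack buffer before copying into it.
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    memcpy(&io_data.data[0], data, len);
    int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    sleep_ms(200);
    return 0;
}

// Reads from a USB endpoint into caller memory.
//   a0: file descriptor handed to lookup_endpoint() and usb_raw_ep_read()
//   a1: endpoint number (truncated to uint8_t)
//   a2: requested length, clamped to sizeof(io_data.data)
//   a3: destination buffer
// Returns 0 on success, -1 when the endpoint lookup fails, or the negative
// value returned by usb_raw_ep_read().
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;
    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }
    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    // NOTE(review): the copy-out length is the requested (clamped) length, not rv.
    // If usb_raw_ep_read() can return a short count, the rest of io_data.data is
    // uninitialized stack memory -- confirm against the helper.
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);
    sleep_ms(200);
    return 0;
}

// Closes the descriptor in a0, sleeps 200 ms and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;
    int rv = close(fd);
    sleep_ms(200);
    return rv;
}

// Opens a device node.
//   a0 == 0xc / 0xb: builds "/dev/char/A:B" or "/dev/block/A:B" from a1 and a2
//                    (each truncated to uint8_t) and opens it O_RDWR.
//   otherwise:       a0 is a pointer to a path template; every '#' is replaced
//                    by the next decimal digit of a1 and a2 is used as open flags.
// Returns whatever open() returns.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        // snprintf instead of sprintf, matching syz_open_procfs below.
        snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        // Bounded copy of the caller-supplied template; the explicit NUL is
        // needed because strncpy does not terminate when the source fills the buffer.
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

// Opens a procfs entry named by the string at a1.
//   a0 == 0:  /proc/self/<name>
//   a0 == -1: /proc/thread-self/<name>
//   else:     /proc/self/task/<a0>/<name>
// Tries O_RDWR first and falls back to O_RDONLY. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));
    if (a0 == 0) {
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    } else if (a0 == -1) {
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    } else {
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
    }
    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

// Queries the pty number of descriptor a0 with TIOCGPTN and opens
// /dev/pts/<n> with flags a1. Returns the fd, or -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;
    char buf[128];
    snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

// Creates a socket while temporarily switched to the network namespace held
// open on kInitNetNsFd, then switches back to the caller's namespace.
// Returns the socket fd or -1; errno reflects the socket() call (or the failed
// setns() when the switch itself fails). Exits the process if the original
// namespace cannot be restored.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;
    if (setns(kInitNetNsFd, 0)) {
        // Fix: the saved namespace descriptor used to leak on this path.
        int setns_err = errno;
        close(netns);
        errno = setns_err;
        return -1;
    }
    int sock = syscall(__NR_socket, domain, type, proto);
    // Preserve socket()'s errno across the setns/close calls below.
    int err = errno;
    if (setns(netns, 0))
        exit(1);
    close(netns);
    errno = err;
    return sock;
}

// Resolves a generic-netlink family name to its id.
// If sock_arg is negative a temporary NETLINK_GENERIC socket is opened (and
// closed again) and netlink_query_family_id() is called with dofail = true.
// Returns the family id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
    bool dofail = false;
    int fd = sock_arg;
    if (fd < 0) {
        dofail = true;
        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1) {
            return -1;
        }
    }
    struct nlmsg nlmsg_tmp;
    int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
    if ((int)sock_arg < 0)
        close(fd);
    if (ret < 0) {
        return -1;
    }
    return ret;
}

// One chunk of a filesystem image: `size` bytes at `data`, placed at `offset`.
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded syscall number passed to syscall() for memfd creation.
#define sys_memfd_create 356

// Clamps segment sizes/offsets to IMAGE_MAX_SIZE and returns the image size to allocate.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
    if (nsegs >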
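IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        // Keep offset + size within IMAGE_MAX_SIZE.
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        // Fix: grow the image to the END of the segment (offset + size);
        // the original compared against offset + offset.
        if (size < segs[i].offset + segs[i].size)
            size = segs[i].offset + segs[i].size;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

// Builds an in-memory image from `segs` and attaches it to the loop device
// `loopname`.
//   size, nsegs, segs: requested image size and segment list (sanitized here)
//   memfd_p, loopfd_p: receive the memfd and loop-device descriptors on success
// Returns 0 on success; on failure returns -1 with errno set to the first
// error and every descriptor opened here closed.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
    int err = 0, loopfd = -1;
    // Fix: fs_image_segment_check() clamps only its own by-value copy of nsegs,
    // so the write loop below used to walk segments that were never sanitized.
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    size = fs_image_segment_check(size, nsegs, segs);
    int memfd = syscall(sys_memfd_create, "syzkaller", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    for (size_t i = 0; i < nsegs; i++) {
        // Best effort: a failed segment write is deliberately ignored.
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        // The device is still bound to an earlier backing file: detach it,
        // wait briefly, and try once more.
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    *memfd_p = memfd;
    *loopfd_p = loopfd;
    return 0;

error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return -1;
}

// Attaches the image to /dev/loop<procid>, enables partition scanning on it
// and symlinks any partition nodes /dev/loop<procid>p1..p7 that appear to
// ./file0, ./file1, ... in the current directory.
// Returns 0 on success, -1 with errno set on failure. The loop device is
// detached and both descriptors are closed before returning in either case.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int err = 0, res = -1, loopfd = -1, memfd = -1;
    char loopname[64];
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
        return -1;
    struct loop_info64 info;
    if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    info.lo_flags |= LO_FLAGS_PARTSCAN;
    if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    res = 0;
    for (unsigned long i = 1, j = 0; i < 8; i++) {
        snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
        struct stat statbuf;
        if (stat(loopname, &statbuf) == 0) {
            char linkname[64];
            snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
            // A failed symlink is ignored.
            if (symlink(loopname, linkname)) {
            }
        }
    }
error_clear_loop:
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
    close(memfd);
    errno = err;
    return res;
}

// Mounts a filesystem, optionally from an in-memory image.
//   fsarg:    filesystem type string
//   dir:      mount point (created with mode 0777; mkdir result ignored)
//   size, nsegs, segments: image description; a NULL segments pointer means
//             no loop device is set up and the mount source is NULL
//   flags:    mount flags (MS_RDONLY is added for "iso9660")
//   optsarg:  mount option string, copied into a local 256-byte buffer
// Returns an O_RDONLY|O_DIRECTORY fd on the mount point, or -1 with errno set.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
    char* mount_opts = (char*)optsarg;
    char* target = (char*)dir;
    char* fs = (char*)fsarg;
    char* source = NULL;
    char loopname[64];
    if (need_loop_device) {
        memset(loopname, 0, sizeof(loopname));
        snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
        if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
            return -1;
        source = loopname;
    }
    mkdir(target, 0777);
    char opts[256];
    memset(opts, 0, sizeof(opts));
    // Empty branch in this listing: over-long options are not reported, they
    // are simply truncated by the bounded copy below.
    if (strlen(mount_opts) > (sizeof(opts) - 32)) {
    }
    // Copy at most sizeof(opts) - 32 bytes so the strcat() suffixes below fit;
    // the memset above keeps the buffer NUL-terminated.
    strncpy(opts, mount_opts, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        // Append errors=continue when the options ask for errors=panic or do
        // not contain errors=remount-ro.
        if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    res = mount(source, target, fs, flags, opts);
    if (res == -1) {
        err = errno;
        goto error_clear_loop;
    }
    res = open(target, O_RDONLY | O_DIRECTORY);
    if (res == -1) {
        err = errno;
    }
error_clear_loop:
    if (need_loop_device) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
        close(memfd);
    }
    errno = err;
    return res;
}

static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2,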
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
    // Stub in this listing: ignores every argument and returns 0.
    return 0;
}

// Mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}

static void loop();

// Common confinement applied to the test process: parent-death signal, new
// session, a saved handle on the current network namespace, resource limits,
// fresh mount/IPC/UTS namespaces and small SysV IPC sysctl limits.
// Only the network-namespace bookkeeping is fatal; every unshare(), mount()
// and setrlimit() result is ignored.
static void sandbox_common()
{
    // Die with SIGKILL when the parent exits.
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setsid();
    // Keep the current net namespace reachable on the fixed descriptor
    // kInitNetNsFd.
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        exit(1);
    if (dup2(netns, kInitNetNsFd) < 0)
        exit(1);
    close(netns);
    struct rlimit rlim;
    // Address space: 200 MiB.
    rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    setrlimit(RLIMIT_AS, &rlim);
    // Locked memory: 32 MiB.
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    // File size: 136 MiB.
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    // Stack: 1 MiB.
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    // No core dumps.
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    // At most 256 open descriptors.
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    if (unshare(CLONE_NEWNS)) {
    }
    // Make every mount private so later mounts do not propagate outwards.
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    // 0x02000000 is CLONE_NEWCGROUP in the Linux UAPI headers.
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    // SysV shared-memory, message-queue and semaphore limits written below.
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}

// Exits if pid is negative, otherwise reaps children until `pid` itself is
// reaped and returns its exit status.
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    while (waitpid(-1, &status, __WALL) != pid) {
    }
    return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process. Exits on capget/capset failure.
static void drop_caps(void)
{
    struct __user_cap_header_struct cap_hdr = {};
    struct __user_cap_data_struct cap_data[2] = {};
    cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cap_hdr.pid = getpid();
    if (syscall(SYS_capget, &cap_hdr, &cap_data))
        exit(1);
    const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    // Only cap_data[0] is modified here.
    cap_data[0].effective &= ~drop;
    cap_data[0].permitted &= ~drop;
    cap_data[0].inheritable &= ~drop;
    if (syscall(SYS_capset, &cap_hdr, &cap_data))
        exit(1);
}

// "none" sandbox entry point: the parent waits for the child and returns its
// exit status; the child applies setup_common(), sandbox_common() and
// drop_caps(), tries to enter a new network namespace and runs loop().
static int do_sandbox_none(void)
{
    // Best effort: a failed PID-namespace unshare is ignored.
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    setup_common();
    sandbox_common();
    drop_caps();
    if (unshare(CLONE_NEWNET)) {
    }
    loop();
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir`, lazily unmounting anything mounted on it or on
// its entries first. Retries are bounded (100 attempts per entry, 100 rescans
// of the directory); any unexpected error terminates the process with exit(1).
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
retry:
    // Detach every mount stacked on the directory itself.
    while (umount2(dir, MNT_DETACH) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL) {
        // Both branches exit in this listing.
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, MNT_DETACH) == 0) {
        }
        struct stat st;
        // lstat: a symlink is removed itself, never followed.
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                // Reset the inode flags to 0 via FS_IOC_SETFLAGS and retry the unlink.
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            // Read-only filesystem: leave the entry in place.
            if (errno == EROFS) {
                break;
            }
            if (errno != EBUSY || i > 100)
                exit(1);
            if (umount2(filename, MNT_DETACH))
                exit(1);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                if (umount2(dir, MNT_DETACH))
                    exit(1);
                continue;
            }
            // New entries appeared after the scan: start over, at most 100 times.
            if (errno == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

// Writes `nth` in decimal to /proc/thread-self/fail-nth and returns the open
// descriptor; the descriptor is not closed here. Exits on any failure.
static int inject_fault(int nth)
{
    int fd;
    fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd == -1)
        exit(1);
    char buf[16];
    sprintf(buf, "%d", nth);
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
        exit(1);
    return fd;
}

// Kills `pid` and its process group and reaps it into *status.
// Polls for up to 100 x 1 ms; if the child is still not reaped, writes one
// byte to every /sys/fs/fuse/connections/<id>/abort file and then blocks in
// waitpid() until `pid` is collected.
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    // NOTE(review): presumably the child can be stuck in a FUSE request that
    // only completes once the connection is aborted -- confirm.
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            // Local buffer named `abort`; it holds the path of the abort file.
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            // Writes the first byte of the path buffer; the result is ignored.
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

// Detaches any backing file from /dev/loop<procid>; does nothing if the
// device cannot be opened.
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

// Per-test process setup: parent-death SIGKILL, own process group, and
// oom_score_adj set to 1000.
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

// Writes the fault-injection debugfs settings listed below. Only the failslab
// entry is marked fatal: if it cannot be written the process exits.
static void setup_fault()
{
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                exit(1);
        }
    }
}

// Smallest buffer length syz_fuse_handle_req() accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes used by syz_fuse_handle_req() to pick a reply.
enum fuse_opcode {
    FUSE_LOOKUP = 1,
    FUSE_FORGET = 2,
    FUSE_GETATTR = 3,
    FUSE_SETATTR = 4,
    FUSE_READLINK = 5,
    FUSE_SYMLINK = 6,
    FUSE_MKNOD = 8,
    FUSE_MKDIR = 9,
    FUSE_UNLINK = 10,
    FUSE_RMDIR = 11,
    FUSE_RENAME = 12,
    FUSE_LINK = 13,
    FUSE_OPEN = 14,
    FUSE_READ = 15,
    FUSE_WRITE = 16,
    FUSE_STATFS =
17,
    FUSE_RELEASE = 18,
    FUSE_FSYNC = 20,
    FUSE_SETXATTR = 21,
    FUSE_GETXATTR = 22,
    FUSE_LISTXATTR = 23,
    FUSE_REMOVEXATTR = 24,
    FUSE_FLUSH = 25,
    FUSE_INIT = 26,
    FUSE_OPENDIR = 27,
    FUSE_READDIR = 28,
    FUSE_RELEASEDIR = 29,
    FUSE_FSYNCDIR = 30,
    FUSE_GETLK = 31,
    FUSE_SETLK = 32,
    FUSE_SETLKW = 33,
    FUSE_ACCESS = 34,
    FUSE_CREATE = 35,
    FUSE_INTERRUPT = 36,
    FUSE_BMAP = 37,
    FUSE_DESTROY = 38,
    FUSE_IOCTL = 39,
    FUSE_POLL = 40,
    FUSE_NOTIFY_REPLY = 41,
    FUSE_BATCH_FORGET = 42,
    FUSE_FALLOCATE = 43,
    FUSE_READDIRPLUS = 44,
    FUSE_RENAME2 = 45,
    FUSE_LSEEK = 46,
    FUSE_COPY_FILE_RANGE = 47,
    FUSE_SETUPMAPPING = 48,
    FUSE_REMOVEMAPPING = 49,
    CUSE_INIT = 4096,
    CUSE_INIT_BSWAP_RESERVED = 1048576,
    FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
    uint32_t len;
    uint32_t opcode;
    uint64_t unique;
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

// Header at the start of every reply written back.
struct fuse_out_header {
    uint32_t len;
    uint32_t error;
    uint64_t unique;
};

// Caller-supplied table of canned replies, one slot per reply kind;
// syz_fuse_handle_req() selects a slot from the request opcode.
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
};

// Copies the request's `unique` id into the reply and writes out_hdr->len
// bytes starting at out_hdr. Returns 0 on success, -1 if out_hdr is NULL or
// write() fails.
// NOTE(review): the write length comes from the caller-supplied reply header
// and is not checked against the size of the reply object here.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

// Reads one FUSE request and answers it with a canned reply.
//   a0: FUSE descriptor
//   a1: receive buffer
//   a2: receive buffer length, must be at least FUSE_MIN_READ_BUFFER
//   a3: pointer to a struct syz_fuse_req_out holding the replies
// Returns 0 when a reply was sent or the request is a FORGET/BATCH_FORGET
// (which gets no reply); -1 on a read error, short or inconsistent header,
// unknown opcode, or missing reply slot.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;
    if (!req_out) {
        return -1;
    }
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    // The header is only dereferenced once at least a full header was read.
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    // Reject a header that claims more bytes than were actually read.
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        // These opcodes reuse the init slot as a header-only reply: its len is
        // overwritten with the bare header size.
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        // No reply is sent for these.
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    default:
        return -1;
    }
    return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids passed to netlink_attr() by hwsim_inject_frame().
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define
WIFI_MAX_INJECT_LEN 2048

// Sends HWSIM_CMD_REGISTER on `sock` for the given generic-netlink family.
// Returns the result of netlink_send().
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err = netlink_send(nlmsg, sock);
    // Empty branch in this listing; the error is only returned.
    if (err < 0) {
    }
    return err;
}

// Builds and sends an HWSIM_CMD_FRAME message carrying `len` bytes of `data`
// for the receiver address `mac_addr` (ETH_ALEN bytes), with the default RX
// rate and signal attributes. Returns the result of netlink_send().
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
    struct genlmsghdr genlhdr;
    uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
    uint32_t signal = WIFI_DEFAULT_SIGNAL;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_FRAME;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
    netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
    netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
    netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
    int err = netlink_send(nlmsg, sock);
    if (err < 0) {
    }
    return err;
}

// Injects one 802.11 frame through the "MAC80211_HWSIM" generic-netlink family.
//   a0: receiver MAC address
//   a1: frame bytes
//   a2: frame length, must be within [0, WIFI_MAX_INJECT_LEN]
// Returns 0 on success, -1 on a bad length or any socket/netlink failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
    uint8_t* mac_addr = (uint8_t*)a0;
    uint8_t* buf = (uint8_t*)a1;
    int buf_len = (int)a2;
    struct nlmsg tmp_msg;
    // Length is validated before anything is copied into the netlink message.
    if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    // NOTE(review): the family id is used without a check here; the lookup is
    // called with its last argument set to true, which presumably makes it
    // fail hard instead of returning an error -- confirm against the helper.
    int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
    int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

#define WIFI_MAX_SSID_LEN 32
// Accepted values of the `mode` argument of syz_80211_join_ibss().
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Joins an IBSS network on the named interface.
//   a0: interface name
//   a1: SSID bytes
//   a2: SSID length, must be within [0, WIFI_MAX_SSID_LEN]
//   a3: one of the WIFI_JOIN_IBSS_* modes
// Returns 0 on success, -1 on invalid arguments or any netlink failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* interface = (char*)a0;
    uint8_t* ssid =
(uint8_t*)a1;
    int ssid_len = (int)a2;
    int mode = (int)a3;
    struct nlmsg tmp_msg;
    uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
    // Both caller-supplied integers are range-checked before use.
    if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
        return -1;
    }
    if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
    // The frequency is marked fixed for the two *_NO_SCAN modes.
    struct join_ibss_props ibss_props = {
        .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
        .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
        .mac = bssid,
        .ssid = ssid,
        .ssid_len = ssid_len};
    int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    // Only WIFI_JOIN_IBSS_NO_SCAN waits for the interface to report IF_OPER_UP.
    if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
        ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
        if (ret < 0) {
            return -1;
        }
    }
    return 0;
}

// Calls the address in `text` as a void(void) function and returns 0.
// Control is transferred to a caller-supplied address; nothing is validated.
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the index the
// worker should execute, `ready`/`done` are the hand-off events.
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently in flight on worker threads.
static int running;

// Worker thread body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`. Never leaves the loop.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

// Runs calls 0..52 in order, handing each one to the first worker whose
// `done` event is set (workers are created on first use). The dispatcher waits
// for the call with a timeout of 50 ms plus a per-call extra for selected
// call indices, then moves on to the next call whether or not it finished.
// Finally waits up to 100 x 1 ms for outstanding calls to drain.
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 53; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                event_set(&th->done);
                thread_start(thr, th);
            }
            // Skip workers still busy with an earlier call.
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0));
            break;
        }
    }
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Runs the program 10 times. Each iteration creates a working directory
// ./<iter>, resets the loop device, forks a child that executes the program
// inside that directory, kills the child if it has not exited after 5000 ms,
// and removes the directory afterwards.
static void loop(void)
{
    int iter = 0;
    for (; iter < 10; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            // Timed out: kill the child and its process group, then reap it.
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

// Fallback syscall numbers, used only when the system headers do not define them.
#ifndef __NR_clock_gettime
#define __NR_clock_gettime 265
#endif
#ifndef __NR_getegid
#define __NR_getegid 50
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
#ifndef __NR_recvmmsg
#define __NR_recvmmsg 337
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_signalfd4
#define __NR_signalfd4 327
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
// Route mmap through mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: execute_call() stores values returned by
// earlier calls here and passes them to later ones.
uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
    intptr_t res
= 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; 
*(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, 
, 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; 
*(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); 
STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, 
"\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); 
*(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; 
*(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used 
[-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor181229653 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/5 (1.51s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, 
@supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="8586cff12029eb8ad76f6261d1fe9c2df97d6b5047f70221ce7c26e1ad050096db75ff7ffd7b4dad59f5e070723e8a2cea446602ed86da15975f4f9dad4355f17d1441f9c1d9721e8bc269c91b43934bb3823eba880de01b586e0d592fc978084812a5dd940d6ea61e46ee9f1d53e0d3155c2c34946ca286d646398a4d60b56e48644ce421d53a65fc504680601a0cb3b78cdc3d14d0f9f754d88a4c5d80c2681aca64a4793f17d0f8a5b8dc820fdadee2ee87d42050172286e4b371eac497bf7467890a472d766a442a56a6e75bc39ba4edab5a0cb11eb66a247a2f3ca7d18cbe8bd7516b2d99c763d8c23d753c13937ab99b578e42f359275e86", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { 
return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { 
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
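"%d %d %s %d", port_num, client_fd, "0", speed);
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

/* Value compared against btf_header.magic by syz_btf_id_by_name. */
#define BTF_MAGIC 0xeB9F

/* Header found at the start of the buffer returned by read_btf_vmlinux(). */
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

/* Field extractors for btf_type.info: kind is bits 24..27, vlen is the low 16 bits. */
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

/* Kind values that syz_btf_id_by_name gives a non-zero trailing size. */
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

/* Capacity of the static buffer that holds the BTF blob. */
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer and returns it.
 *
 * A successful read is cached: later calls return the same buffer without
 * touching the file. Returns NULL when the file cannot be opened, a read
 * fails, or the contents fill the whole buffer (treated as too large).
 *
 * The descriptor is closed on every path; the earlier version returned
 * without close(), leaking one descriptor per call, including every
 * retry after a failure.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while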
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = 
index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct 
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
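USB_RAW_IOCTL_EVENT_FETCH, event); }

/*
 * Thin wrappers over the raw-gadget ioctls declared above. Each one passes its
 * argument straight through and returns ioctl()'s result unchanged, so callers
 * see -1 (with errno set) on failure.
 */

/* Issues USB_RAW_IOCTL_EP0_WRITE with the caller-filled `io` request. */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP0_READ with the caller-filled `io` request. */
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

/* Issues USB_RAW_IOCTL_EP_WRITE; `io->ep` selects the endpoint handle. */
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP_READ; `io->ep` selects the endpoint handle. */
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/*
 * Issues USB_RAW_IOCTL_EP_ENABLE for the endpoint described by `desc`.
 * set_interface() stores a non-negative result as the endpoint handle.
 */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

/* Issues USB_RAW_IOCTL_EP_DISABLE; `ep` is passed by value, not by pointer. */
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

/* Issues USB_RAW_IOCTL_CONFIGURE (no argument). */
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

/* Issues USB_RAW_IOCTL_VBUS_DRAW; `power` is passed by value. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Issues USB_RAW_IOCTL_EP0_STALL (no argument). */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Finds the interface entry recorded for `fd` whose bInterfaceNumber and
 * bAlternateSetting both match.
 *
 * Returns the position of that entry in index->ifaces[], or -1 when `fd` has
 * no index or no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Maps an endpoint address to the handle stored for it on the currently
 * selected interface of `fd`.
 *
 * Returns the stored handle, or -1 when `fd` has no index, no valid interface
 * is selected, or no endpoint of that interface has this address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	/* Same bounds on iface_cur that set_interface() applies before indexing ifaces[]. */
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	/*
	 * The loop must be bounded by eps_num. The previous condition tested only
	 * that eps_num was non-zero, so a miss walked past the end of eps[].
	 */
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; 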
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
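"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } }

/*
 * Opens a file under procfs for the calling process or one of its tasks.
 *
 * a0 selects the prefix: 0 -> /proc/self/, -1 -> /proc/thread-self/, any other
 * value -> /proc/self/task/<a0>/. a1 points to the string appended after it.
 * The path is truncated by snprintf() to fit buf.
 * NOTE(review): a1 is appended as-is; nothing here limits it to a single path
 * component.
 *
 * Returns the descriptor from open(O_RDWR), falling back to O_RDONLY, or -1.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * Opens /dev/pts/<N>, where N is the number TIOCGPTN reports for descriptor a0.
 * a1 is passed to open() as the flags. Returns the new descriptor or -1.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * Creates a socket while temporarily switched to the network namespace held
 * on kInitNetNsFd, then switches back to the caller's namespace.
 *
 * Returns the socket() result with its errno preserved, or -1 if the current
 * namespace could not be opened or the switch failed. Exits the process if
 * the original namespace cannot be restored.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* The switch did not happen: release the handle instead of leaking it, keeping setns()'s errno. */
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	/* Continuing in the wrong namespace would affect every later call, so this is fatal. */
	if (setns(netns, 0))
		exit(1);
	close(netns);
	/* Report socket()'s errno, not whatever setns()/close() left behind. */
	errno = err;
	return sock;
}

/*
 * Resolves a generic-netlink family name to its id through
 * netlink_query_family_id().
 *
 * When sock_arg is negative a temporary NETLINK_GENERIC socket is opened for
 * the query and closed afterwards, and `dofail` is passed as true; otherwise
 * the caller's socket is used and left open. Returns the id, or -1.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	/* Only close the socket this function opened itself. */
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset` in the image. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Sanitises caller-supplied segment descriptors in place and computes the
 * image size needed to hold them.
 *
 * For each of the first min(nsegs, IMAGE_MAX_SEGMENTS) entries, size is capped
 * at IMAGE_MAX_SIZE and offset is reduced so that offset + size never exceeds
 * IMAGE_MAX_SIZE. Entries beyond IMAGE_MAX_SEGMENTS are not touched.
 *
 * Returns `size` grown to cover the end of every checked segment, capped at
 * IMAGE_MAX_SIZE.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * The image has to reach the END of the segment (offset + size).
		 * The previous code added offset to itself, which could leave the
		 * image shorter than its segments. The sum cannot overflow because
		 * both terms were bounded just above.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Builds an in-memory image from `segs` and attaches it to the loop device
 * `loopname`.
 *
 * On success stores the memfd and loop descriptors in *memfd_p / *loopfd_p and
 * returns 0; the caller owns both. On failure closes whatever was opened,
 * sets errno to the first error seen and returns -1.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	/* fs_image_segment_check() sanitised only the first IMAGE_MAX_SEGMENTS entries; write no more than those. */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		/* Best effort: a segment that cannot be written is skipped, not fatal. */
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* Device still bound to an earlier image: detach it, wait briefly, retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int err = 0, res = -1, loopfd = -1, memfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, 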
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; }

/*
 * Mounts fusectl on /sys/fs/fuse/connections. A failure is ignored.
 * kill_and_wait() later walks that directory to abort FUSE connections.
 */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/*
 * Containment applied to the test process regardless of sandbox flavour:
 * parent-death signal, saved network namespace, resource limits, fresh
 * namespaces and SysV IPC sysctls. Only the namespace save is fatal on
 * failure; every other step is best effort and its result is ignored.
 */
static void sandbox_common()
{
	/* Get SIGKILL if the parent dies, so test processes are not left orphaned. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	/*
	 * Keep a handle on the current network namespace at the fixed descriptor
	 * kInitNetNsFd; syz_init_net_socket() switches into it via setns().
	 */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	/* Resource caps: soft and hard limits are set to the same value. */
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); /* 200 MiB address space */
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; /* 32 MiB locked memory */
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; /* 136 MiB per file */
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; /* 1 MiB stack */
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; /* no core dumps */
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; /* 256 open descriptors */
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* New mount namespace, then make every mount private so changes do not propagate out. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically here. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* SysV shared-memory, message-queue and semaphore limits written after the namespace changes above. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Blocks until child `pid` has been reaped and returns its exit status.
 * Other children reaped in the meantime are discarded. A negative pid
 * (failed fork) terminates the process.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process. Exits if the capability sets
 * cannot be read or written. Only cap_data[0] is modified; all other
 * capabilities are left as they were.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * Entry point for the "none" sandbox. The parent only waits for the child and
 * returns its exit status. The child applies setup_common(), sandbox_common()
 * and drop_caps(), moves to a new network namespace and runs loop().
 *
 * No uid/gid change is made here, so the child keeps its identity and every
 * capability except the two drop_caps() removes. Failures of the unshare()
 * calls are ignored.
 */
static int do_sandbox_none(void)
{
	/* Takes effect for the child forked next, not for the caller. */
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	/* Done after sandbox_common() so that kInitNetNsFd still refers to the previous namespace. */
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	/* Reached only if loop() returns. */
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively deletes `dir`, detaching any mounts found on the way.
 *
 * Entries are classified with lstat(), so a symlink to a directory is
 * unlinked rather than descended into. When unlink()/rmdir() fails with
 * EPERM the inode flags are reset to 0 through FS_IOC_SETFLAGS and the
 * removal is retried; EROFS is accepted and skipped; EBUSY triggers another
 * lazy unmount. Anything else, or running out of retries, exits the process.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	/* Peel off every mount stacked on the directory itself. */
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/*
				 * NOTE(review): this path has no iteration cap. The i > 100
				 * check below is reached only on the EBUSY path, so a file
				 * that keeps returning EPERM is retried indefinitely.
				 */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	/* Remove the now-empty directory; unlike the file loop this one is capped at 100 attempts. */
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				/* New entries appeared after the scan: rescan, at most 100 times. */
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, 
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 
17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; 
if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define 
WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = 
(uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 
50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; 
switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; 
*(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, 
, 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; 
*(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); 
STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, 
"\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); 
*(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; 
*(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not used 
[-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor734303467 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/19 (1.52s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:true DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, 
@supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { 
return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { 
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) exit(1); int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, 
"%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while 
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
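(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; }

// One caller-supplied string descriptor: a length and a pointer to its bytes.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors used while answering enumeration requests.
// qual and bos may be NULL; strs_len is the number of entries in strs[].
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the reply for an IN control request received during enumeration.
//
// fd               raw-gadget descriptor previously registered with add_usb_index().
// descs            optional descriptors supplied by the caller; may be NULL (the
//                  string branch below already allows for that).
// ctrl             the control request being answered.
// response_data    out: pointer to the bytes to send.
// response_length  out: number of bytes to send.
//
// Returns true when a reply was selected and false when the request is not handled,
// in which case the caller stalls endpoint 0.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional; without it there is no BOS descriptor to
				// hand out, so report "not handled" instead of dereferencing NULL.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Synthesize a qualifier from the device descriptor.
					// The previous code cast response_data (the address of the
					// caller's pointer variable) to a descriptor and filled it
					// in, which overwrote that pointer and the memory after it
					// and never pointed *response_data at a descriptor.
					// Dedicated per-thread storage keeps the reply valid until
					// the caller has copied it.
					static __thread struct usb_qualifier_descriptor synthesized_qual;
					struct usb_qualifier_descriptor* qual = &synthesized_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Handler type for OUT control requests during enumeration; sets *done once the
// connect sequence is considered finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request and
// marks the connect sequence as done when it arrives.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the vendor firmware download
// request, and marks the connect sequence as done only on the vendor
// ATH9K_FIRMWARE_DOWNLOAD_COMP request.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses { uint32_t len; struct vusb_response* generic; struct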
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
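USB_RAW_IOCTL_EVENT_FETCH, event); }

// The helpers below are thin wrappers around the raw-gadget ioctls; each one
// returns the ioctl() result unchanged (negative on failure).

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface that matches both
// bInterfaceNumber and bAlternateSetting, or -1 if fd is not registered or no
// interface matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with the given bEndpointAddress in
// the currently selected interface, or -1 if fd is not registered, no interface
// is selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	// The loop must be bounded by eps_num. The previous condition was just
	// `eps_num`, which is constant for the loop: with a non-empty endpoint list
	// and no matching address, ep ran past eps[] and kept reading beyond the
	// array instead of falling through to the -1 below.
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;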
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { bool dofail = false; int fd = sock_arg; if (fd < 0) { dofail = true; fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 356 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs) { if (nsegs > 
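IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS;
	// Remainder of fs_image_segment_check(): clamp every segment so that it lies
	// inside an image of at most IMAGE_MAX_SIZE bytes, and grow `size` so that it
	// covers the furthest segment end.
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The end of a segment is offset + size. The previous code compared and
		// assigned offset + offset, so the returned image size did not track
		// where the segment data actually ends. After the clamps above the sum
		// is at most IMAGE_MAX_SIZE, so it cannot wrap.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from the given segments and attaches it to the loop
// device `loopname`.
//
// size      requested image size; adjusted by fs_image_segment_check().
// nsegs     number of entries in segs.
// segs      segments to copy into the image (data pointer, size, offset).
// loopname  path of the loop device to open.
// memfd_p   out: descriptor of the memfd that backs the image.
// loopfd_p  out: descriptor of the opened loop device.
//
// Returns 0 on success. On failure returns -1 with errno set to the error of the
// failing step, and closes every descriptor opened here.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs,
			     const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	size = fs_image_segment_check(size, nsegs, segs);
	// fs_image_segment_check() receives nsegs by value, so its clamp does not
	// reach this function. Apply the same limit here; otherwise the write loop
	// below would use entries whose size and offset were never sanitized.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		// A failed write is ignored on purpose: the image is then simply
		// missing that segment.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The device is still bound to another file: detach it, wait briefly
		// and try to attach once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int err = 0, res = -1, loopfd = -1, memfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64,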
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, 
&cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, 
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define KCSAN_DEBUGFS_FILE "/sys/kernel/debug/kcsan" static void setup_kcsan() { if (!write_file(KCSAN_DEBUGFS_FILE, "on")) exit(1); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 
9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out 
= (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } 
#define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long 
syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; 
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 
0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; 
*(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 
0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); 
*(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; 
*(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, 
"\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; 
memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; 
*(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } }
/*
 * Entry point of the generated program.
 *
 * Creates the fixed-address memory that the literal-address stores earlier in
 * this listing (for example *(uint8_t*)0x20007ec0 = ...) write into, then runs
 * four helpers whose definitions are outside this excerpt.
 *
 * All three mmap calls pass flags 0x32 (on Linux: MAP_PRIVATE | MAP_FIXED |
 * MAP_ANONYMOUS) and fd -1, i.e. anonymous memory at an exact address:
 *   - 0x1ffff000, 0x1000 bytes, prot 0: inaccessible page directly below the
 *     data region;
 *   - 0x20000000, 0x1000000 bytes (16 MiB), prot 7 (read | write | exec): the
 *     data region itself;
 *   - 0x21000000, 0x1000 bytes, prot 0: inaccessible page directly above it.
 *
 * The return values of the mmap syscalls are not checked, so a failed mapping
 * is not detected at this point.
 *
 * NOTE(review): the data region is writable and executable at a fixed, known
 * address, so it has neither W^X nor address randomisation. Presumably this is
 * accepted because the program is a generated test artifact meant for a
 * disposable test machine -- confirm before reusing the pattern elsewhere.
 *
 * Always returns 0; the result of do_sandbox_none() is discarded.
 */
int main(void)
{
  /* Inaccessible page below the data region (prot 0). */
  syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
  /* 16 MiB data region, readable, writable and executable (prot 7). */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
  /* Inaccessible page above the data region (prot 0). */
  syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
  /* Helpers below are defined outside this excerpt; their behaviour is not
   * verified here. */
  setup_fault();       /* presumably fault-injection setup -- TODO confirm */
  setup_kcsan();       /* presumably KCSAN setup -- TODO confirm */
  use_temporary_dir(); /* presumably switches to a temporary directory -- TODO confirm */
  do_sandbox_none();   /* presumably runs the program under the "none" sandbox -- TODO confirm */
  return 0;
}
:126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but 
not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor353096112 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/21 (1.52s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 
0x6}}, @supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, "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"}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
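nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; }

/* Sends nlmsg on sock through netlink_send_ext() with dofail set and no
 * reply capture (reply_type 0, reply_len NULL). */
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
    return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

/* Resolves a generic-netlink family name to its numeric id.
 *
 * Sends CTRL_CMD_GETFAMILY carrying CTRL_ATTR_FAMILY_NAME and scans the
 * reply attributes for CTRL_ATTR_FAMILY_ID.
 *
 * Returns the family id, or -1 on failure; errno is EINVAL when the reply
 * holds no usable family id. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = CTRL_CMD_GETFAMILY;
    netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
    /* At most GENL_NAMSIZ bytes of the name go into the request. */
    netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
    int n = 0;
    int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
    if (err < 0) {
        return -1;
    }
    uint16_t id = 0;
    /* Walk the attributes by offset and keep every access inside the n
     * bytes that were actually received. */
    size_t off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
    while (n > 0 && off + sizeof(struct nlattr) <= (size_t)n) {
        struct nlattr* attr = (struct nlattr*)(nlmsg->buf + off);
        /* A length below the header size would keep the walk from
         * advancing, so stop instead of looping on the same attribute. */
        if (attr->nla_len < sizeof(*attr))
            break;
        if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
            /* Only read the 16-bit payload when it lies inside the reply. */
            if (off + sizeof(*attr) + sizeof(uint16_t) <= (size_t)n)
                id = *(uint16_t*)(attr + 1);
            break;
        }
        off += NLMSG_ALIGN(attr->nla_len);
    }
    if (!id) {
        errno = EINVAL;
        return -1;
    }
    /* One more message is read and discarded, result unchecked; presumably
     * the ACK requested by netlink_init's NLM_F_ACK - TODO confirm. */
    recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
    return id;
}

const int kInitNetNsFd = 239;

#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters for nl80211_join_ibss(). */
struct join_ibss_props {
    int wiphy_freq;
    bool wiphy_freq_fixed; /* adds NL80211_ATTR_FREQ_FIXED when set */
    uint8_t* mac; /* optional; ETH_ALEN bytes are sent when non-NULL */
    uint8_t* ssid;
    int ssid_len;
};

/* Brings the named interface up (on != 0) or down (on == 0) by reading its
 * flags with SIOCGIFFLAGS and writing them back with SIOCSIFFLAGS.
 *
 * Returns 0 on success and -1 on failure. A name that does not fit in
 * ifr_name is rejected with ENAMETOOLONG. */
static int set_interface_state(const char* interface_name, int on)
{
    struct ifreq ifr;
    /* ifr_name is a fixed-size array. An unchecked copy would overflow it,
     * and a truncated name could refer to a different interface, so
     * over-long names are refused outright. */
    if (strlen(interface_name) >= sizeof(ifr.ifr_name)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        return -1;
    }
    memset(&ifr, 0, sizeof(ifr));
    /* The memset above guarantees the terminating NUL. */
    strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
    int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    if (on)
        ifr.ifr_flags |= IFF_UP;
    else
        ifr.ifr_flags &= ~IFF_UP;
    ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

/* Sends NL80211_CMD_SET_INTERFACE for ifindex with the requested iftype.
 * Returns the netlink_send() result. */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
    netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
    netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
    return netlink_send(nlmsg, sock);
}

/* Sends NL80211_CMD_JOIN_IBSS for ifindex using the settings in props.
 * Returns the netlink_send() result.
 *
 * props->ssid_len is handed to netlink_attr() unchanged, and netlink_attr()
 * copies without a bounds check, so the caller has to keep the SSID small
 * enough for the message buffer. */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
    netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
    netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
    netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
    if (props->mac)
        netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
    if (props->wiphy_freq_fixed)
        netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
    return netlink_send(nlmsg, sock);
}

static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) {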
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
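sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; }

/* Copies one submission queue entry into the SQE array and publishes it.
 *
 * a0: ring mapping, a1: SQE array mapping, a2: source SQE, a3: requested
 * SQE slot. The slot is reduced modulo the ring's entry count when that
 * count is non-zero. Always returns 0.
 *
 * Every offset is derived from values read out of the ring mapping, and
 * none of the caller-supplied pointers is validated here. */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* ring_ptr = (char*)a0;
    char* sqes_ptr = (char*)a1;
    char* sqe = (char*)a2;
    uint32_t sqes_index = (uint32_t)a3;

    uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
    uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
    /* The SQ index array follows the CQEs, rounded up to 64 bytes. */
    uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;

    if (sq_ring_entries)
        sqes_index %= sq_ring_entries;

    char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
    memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);

    uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
    uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
    uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
    uint32_t sq_tail_next = *sq_tail_ptr + 1;
    uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
    *(sq_array + sq_tail) = sqes_index;
    /* Release store: the SQE and index writes above are ordered before the
     * new tail value. */
    __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
    return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/* Creates a UNIX socket pair and attaches one end to a vhci_hcd port.
 *
 * a0: USB speed; USB_SPEED_SUPER selects the second group of ports.
 * Returns the other end of the socket pair, or -1 when the per-speed port
 * counter has run out. Exits if socketpair() fails. */
static long syz_usbip_server_init(volatile long a0)
{
    static int port_alloc[2];
    int speed = (int)a0;
    bool usb3 = (speed == USB_SPEED_SUPER);
    int socket_pair[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
        exit(1);
    int client_fd = socket_pair[0];
    int server_fd = socket_pair[1];
    int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
    /* Valid per-group indices are 0..VHCI_HC_PORTS-1. Index VHCI_HC_PORTS
     * would produce the same port_num as index 0 of the next group, so it
     * is rejected too. The socket pair is closed here so the failure path
     * does not leak two descriptors per call. */
    if (available_port_num >= VHCI_HC_PORTS) {
        close(client_fd);
        close(server_fd);
        return -1;
    }
    int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
    char buffer[100];
    snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
    /* write_file() treats its second argument as a printf-style format, so
     * the prepared text is passed as data rather than as the format. */
    write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
    return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
    __u16 magic;
    __u8 version;
    __u8 flags;
    __u32 hdr_len;
    __u32 type_off;
    __u32 type_len;
    __u32 str_off;
    __u32 str_len;
};

/* Bits 24..27 of info hold the kind, the low 16 bits hold vlen. */
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
    __u32 name_off;
    __u32 info;
    union {
        __u32 size;
        __u32 type;
    };
};

struct btf_enum {
    __u32 name_off;
    __s32 val;
};

struct btf_array {
    __u32 type;
    __u32 index_type;
    __u32 nelems;
};

struct btf_member {
    __u32 name_off;
    __u32 type;
    __u32 offset;
};

struct btf_param {
    __u32 name_off;
    __u32 type;
};

struct btf_var {
    __u32 linkage;
};

struct btf_var_secinfo {
    __u32 type;
    __u32 offset;
    __u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/* Reads /sys/kernel/btf/vmlinux into a static buffer and caches it.
 *
 * Returns the buffer, or NULL when the file cannot be opened, a read fails,
 * or the data reaches VMLINUX_MAX_SUPPORT_SIZE. After a successful read,
 * later calls return the cached buffer without touching the file. */
static char* read_btf_vmlinux()
{
    static bool is_read = false;
    static char buf[VMLINUX_MAX_SUPPORT_SIZE];

    if (is_read)
        return buf;

    int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
    if (fd < 0)
        return NULL;

    unsigned long bytes_read = 0;
    for (;;) {
        ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
        /* A full buffer counts as failure: the data may have been cut off. */
        if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
            /* Close on the error path as well; a failed call is not cached
             * and would otherwise leak one descriptor per retry. */
            int saved_errno = errno;
            close(fd);
            errno = saved_errno;
            return NULL;
        }
        if (ret == 0)
            break;
        bytes_read += ret;
    }
    /* The descriptor is not needed once the contents are in buf. */
    close(fd);

    is_read = true;
    return buf;
}

static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while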
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = 
index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct 
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
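USB_RAW_IOCTL_EVENT_FETCH, event); }

/* The usb_raw_* helpers below are thin wrappers around the raw-gadget
 * ioctls; each returns the ioctl() result unchanged. */

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/* Finds the parsed interface entry of the device registered for fd whose
 * interface number and alternate setting both match.
 * Returns its position in the ifaces array, or -1 if fd is unknown or no
 * entry matches. */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    for (int i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

/* Looks up the handle of the endpoint with the given address on the
 * currently selected interface of the device registered for fd.
 * Returns the stored handle, or -1 if fd is unknown, no interface is
 * selected, or the interface has no such endpoint. */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    /* Same range check that set_interface() applies before using iface_cur. */
    if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
        return -1;
    struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
    /* The bound must compare ep against eps_num. Testing eps_num alone
     * never ends for a non-empty interface, so a missing address would be
     * searched for past the end of the eps array. */
    for (int ep = 0; ep < iface->eps_num; ep++) {
        if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return iface->eps[ep].handle;
    }
    return -1;
}

static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;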
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
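ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; }

// Reads from endpoint a1 on descriptor a0 into the caller buffer at a3,
// requesting at most a2 bytes (clamped to the size of the local io buffer).
// Returns 0 on success, -1 when lookup_endpoint() fails, or the negative
// result of usb_raw_ep_read().
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    int fd = a0;
    uint8_t ep = a1;
    uint32_t len = a2;
    char* data = (char*)a3;
    int ep_handle = lookup_endpoint(fd, ep);
    if (ep_handle < 0) {
        return -1;
    }
    struct usb_raw_ep_io_data io_data;
    io_data.inner.ep = ep_handle;
    io_data.inner.flags = 0;
    // Never ask for more than the stack buffer can hold.
    if (len > sizeof(io_data.data))
        len = sizeof(io_data.data);
    io_data.inner.length = len;
    int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    // NOTE(review): the copy uses the requested length, not rv. If
    // usb_raw_ep_read() can complete short, the remainder copied here is
    // uninitialised stack memory -- confirm against the helper's contract.
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);
    sleep_ms(200);
    return 0;
}

// Closes descriptor a0, waits 200 ms, and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;
    int rv = close(fd);
    sleep_ms(200);
    return rv;
}

// Opens a device node.
//   a0 == 0xc / 0xb : open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//                     (a1 and a2 truncated to 8 bits) with O_RDWR.
//   otherwise       : a0 points to a path template; every '#' is replaced by
//                     the next decimal digit of a1 (least significant first)
//                     and the result is opened with flags a2.
// Returns the descriptor from open(), or -1.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        // "/dev/block/255:255" is the longest possible result, well below 128.
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        // strncpy() does not terminate on truncation, hence the explicit NUL.
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

// Opens a procfs file named by the string at a1.
//   a0 == 0  : /proc/self/<name>
//   a0 == -1 : /proc/thread-self/<name>
//   else     : /proc/self/task/<a0>/<name>
// Tries O_RDWR first and falls back to O_RDONLY. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));
    // snprintf() bounds the write; an over-long name is silently truncated.
    if (a0 == 0) {
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    } else if (a0 == -1) {
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    } else {
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
    }
    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

// Queries the pty number of descriptor a0 with TIOCGPTN and opens
// /dev/pts/<n> with flags a1. Returns the fd, or -1 if the ioctl or the open
// fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;
    char buf[128];
    sprintf(buf, "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

// Creates a socket while temporarily joined to the network namespace held in
// kInitNetNsFd, then switches back to the caller's namespace.
// Returns the socket (or -1 with errno from socket()); exits the process if
// the original namespace cannot be re-entered.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    // Keep a handle on the current namespace so it can be restored.
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;
    if (setns(kInitNetNsFd, 0)) {
        // Fix: the saved-namespace descriptor used to leak on this path.
        // The process runs with a small RLIMIT_NOFILE, so repeated failures
        // would exhaust descriptors. errno from setns() is preserved.
        int setns_errno = errno;
        close(netns);
        errno = setns_errno;
        return -1;
    }
    int sock = syscall(__NR_socket, domain, type, proto);
    int err = errno;
    // Staying in the wrong namespace would affect every later call, so a
    // failed switch back is fatal.
    if (setns(netns, 0))
        exit(1);
    close(netns);
    errno = err;
    return sock;
}

// Resolves the generic-netlink family id for the family name at `name`.
// When sock_arg is negative a temporary NETLINK_GENERIC socket is created
// (and closed afterwards) and the query is made with dofail = true.
// Returns the value from netlink_query_family_id(), or -1 on failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
    bool dofail = false;
    int fd = sock_arg;
    if (fd < 0) {
        dofail = true;
        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1) {
            return -1;
        }
    }
    struct nlmsg nlmsg_tmp;
    int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
    // Only close the socket this function opened itself.
    if ((int)sock_arg < 0)
        close(fd);
    if (ret < 0) {
        return -1;
    }
    return ret;
}

// One contiguous piece of a filesystem image: `size` bytes at `data` that are
// written at byte `offset` of the image.
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Hard-coded syscall number; 356 is memfd_create on 32-bit x86, the target
// named in the surrounding test log (linux/386).
#define sys_memfd_create 356

// Sanitises a segment table in place and returns the image size to allocate.
// For the first min(nsegs, IMAGE_MAX_SEGMENTS) entries it clamps `size` to
// IMAGE_MAX_SIZE, reduces `offset` modulo IMAGE_MAX_SIZE, and pulls `offset`
// back so that offset + size <= IMAGE_MAX_SIZE. The returned size is at
// least the end of every checked segment and at most IMAGE_MAX_SIZE.
// Note that the nsegs clamp is local: the caller's count is not changed.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
        // Fix: the segment end is offset + size. The previous code compared
        // and assigned offset + offset, which under- or over-sized the image.
        // The clamps above guarantee this sum cannot exceed IMAGE_MAX_SIZE.
        if (size < segs[i].offset + segs[i].size)
            size = segs[i].offset + segs[i].size;
    }
    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

// Builds an in-memory image from `segs` and attaches it to the loop device
// `loopname`. On success stores the memfd and loop descriptors through
// memfd_p / loopfd_p and returns 0; on failure closes whatever was opened,
// sets errno to the first error, and returns -1.
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
    int err = 0, loopfd = -1;
    size = fs_image_segment_check(size, nsegs, segs);
    int memfd = syscall(sys_memfd_create, "syzkaller", 0);
    if (memfd == -1) {
        err = errno;
        goto error;
    }
    if (ftruncate(memfd, size)) {
        err = errno;
        goto error_close_memfd;
    }
    // NOTE(review): nsegs is the caller's count, not the value clamped inside
    // fs_image_segment_check(), so entries past IMAGE_MAX_SEGMENTS are
    // written without having been range-checked -- confirm this is intended.
    for (size_t i = 0; i < nsegs; i++) {
        // Write failures are deliberately ignored (best effort).
        if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
        }
    }
    loopfd = open(loopname, O_RDWR);
    if (loopfd == -1) {
        err = errno;
        goto error_close_memfd;
    }
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
        if (errno != EBUSY) {
            err = errno;
            goto error_close_loop;
        }
        // Device still bound to an earlier image: detach, wait briefly, and
        // try exactly once more.
        ioctl(loopfd, LOOP_CLR_FD, 0);
        usleep(1000);
        if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
            err = errno;
            goto error_close_loop;
        }
    }
    *memfd_p = memfd;
    *loopfd_p = loopfd;
    return 0;

error_close_loop:
    close(loopfd);
error_close_memfd:
    close(memfd);
error:
    errno = err;
    return -1;
}

// Attaches an image built from `segments` to /dev/loop<procid>, enables
// partition scanning on it, and symlinks every partition node that appears
// (/dev/loop<procid>p1..p7) to ./file0, ./file1, ... in the working directory.
// The loop device is detached again before returning.
// Returns 0 on success, -1 with errno set on failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int err = 0, res = -1, loopfd = -1, memfd = -1;
    char loopname[64];
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
        return -1;
    struct loop_info64 info;
    if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    info.lo_flags |= LO_FLAGS_PARTSCAN;
    if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
        err = errno;
        goto error_clear_loop;
    }
    res = 0;
    // i walks partition numbers, j numbers the symlinks that were created.
    for (unsigned long i = 1, j = 0; i < 8; i++) {
        snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
        struct stat statbuf;
        if (stat(loopname, &statbuf) == 0) {
            char linkname[64];
            snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
            // A failed symlink is ignored.
            if (symlink(loopname, linkname)) {
            }
        }
    }
error_clear_loop:
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
    close(memfd);
    errno = err;
    return res;
}

// Mounts filesystem type `fsarg` on directory `dir` (created if missing) and
// returns an O_RDONLY|O_DIRECTORY descriptor for the mount point.
// When `segments` is non-NULL the image is built from it and attached to
// /dev/loop<procid>, which becomes the mount source; otherwise the source is
// NULL. Returns -1 with errno set on failure.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;
    int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
    char* mount_opts = (char*)optsarg;
    char* target = (char*)dir;
    char* fs = (char*)fsarg;
    char* source = NULL;
    char loopname[64];
    if (need_loop_device) {
        memset(loopname, 0, sizeof(loopname));
        snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
        if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
            return -1;
        source = loopname;
    }
    mkdir(target, 0777);
    char opts[256];
    memset(opts, 0, sizeof(opts));
    // Over-long option strings are truncated rather than rejected.
    if (strlen(mount_opts) > (sizeof(opts) - 32)) {
    }
    // At most sizeof(opts) - 32 bytes are copied into the zeroed buffer, so
    // the string stays terminated and the suffixes appended below
    // (16 and 7 characters) always fit in the 32 bytes of headroom.
    strncpy(opts, mount_opts, sizeof(opts) - 32);
    if (strcmp(fs, "iso9660") == 0) {
        flags |= MS_RDONLY;
    } else if (strncmp(fs, "ext", 3) == 0) {
        // Append errors=continue when errors=panic is requested or when
        // errors=remount-ro is absent.
        if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
            strcat(opts, ",errors=continue");
    } else if (strcmp(fs, "xfs") == 0) {
        strcat(opts, ",nouuid");
    }
    res = mount(source, target, fs, flags, opts);
    if (res == -1) {
        err = errno;
        goto error_clear_loop;
    }
    res = open(target, O_RDONLY | O_DIRECTORY);
    if (res == -1) {
        err = errno;
    }
error_clear_loop:
    // Reached on success as well: the loop device and memfd are always
    // released here.
    if (need_loop_device) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
        close(memfd);
    }
    errno = err;
    return res;
}

static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2,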
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; }

// Mounts the fusectl filesystem on /sys/fs/fuse/connections; a failure is
// ignored. kill_and_wait() later looks for FUSE connections under that path.
static void setup_common()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}

static void loop();

// Confines the test process: ties its lifetime to the parent, saves the
// current network namespace in kInitNetNsFd, applies resource limits,
// unshares several namespaces (failures ignored) and writes SysV IPC sysctls.
static void sandbox_common()
{
    // Die with SIGKILL if the parent goes away.
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setsid();
    // Keep the current network namespace reachable at a fixed descriptor.
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        exit(1);
    if (dup2(netns, kInitNetNsFd) < 0)
        exit(1);
    close(netns);
    // Resource ceilings; setrlimit() results are not checked.
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB maximum file size
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256; // 256 open descriptors
    setrlimit(RLIMIT_NOFILE, &rlim);
    // Each isolation step is best effort: an error leaves the process in the
    // namespace it already had.
    if (unshare(CLONE_NEWNS)) {
    }
    // Make every mount private so later mounts do not propagate outwards.
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    // 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    // SysV shared-memory, message-queue and semaphore limits to write.
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}

// Blocks until child `pid` has been reaped and returns its exit status.
// Exits the process when pid is negative (fork failed in the caller).
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    // Other children reaped in the meantime are discarded.
    while (waitpid(-1, &status, __WALL) != pid) {
    }
    return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process. Exits on capget/capset failure.
static void drop_caps(void)
{
    struct __user_cap_header_struct cap_hdr = {};
    struct __user_cap_data_struct cap_data[2] = {};
    cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cap_hdr.pid = getpid();
    if (syscall(SYS_capget, &cap_hdr, &cap_data))
        exit(1);
    // Only cap_data[0] is modified.
    const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    cap_data[0].effective &= ~drop;
    cap_data[0].permitted &= ~drop;
    cap_data[0].inheritable &= ~drop;
    if (syscall(SYS_capset, &cap_hdr, &cap_data))
        exit(1);
}

// Entry point for the "none" sandbox. The parent waits for the child and
// returns its exit status; the child applies the common setup, drops the two
// capabilities, unshares the network namespace and runs loop().
static int do_sandbox_none(void)
{
    // A failed PID-namespace unshare is ignored.
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    setup_common();
    sandbox_common();
    drop_caps();
    if (unshare(CLONE_NEWNET)) {
    }
    loop();
    // Reached only if loop() returns.
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir`, detaching any mounts found on it or on its
// entries first. Exits the process when an entry cannot be removed; a
// read-only filesystem (EROFS) is tolerated and the entry is left in place.
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
retry:
    // Peel off every mount stacked on the directory.
    while (umount2(dir, MNT_DETACH) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL) {
        // Both outcomes are fatal; the separate EMFILE branch has no
        // distinct effect in this listing.
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, MNT_DETACH) == 0) {
        }
        struct stat st;
        // lstat(), not stat(): the entry itself is examined, so a symlink is
        // not followed here.
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                // Clear the inode flags (set to 0) and retry. This branch
                // retries without consulting the i > 100 bound used below.
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno != EBUSY || i > 100)
                exit(1);
            if (umount2(filename, MNT_DETACH))
                exit(1);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                if (umount2(dir, MNT_DETACH))
                    exit(1);
                continue;
            }
            if (errno == ENOTEMPTY) {
                // New entries appeared; rescan from the top, at most 100 times.
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

// Writes `nth` in decimal to /proc/thread-self/fail-nth and returns the still
// open descriptor; the caller owns it. Exits if the file cannot be opened or
// the write is short.
static int inject_fault(int nth)
{
    int fd;
    fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd == -1)
        exit(1);
    // 16 bytes hold any decimal int including sign and terminator.
    char buf[16];
    sprintf(buf, "%d", nth);
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
        exit(1);
    return fd;
}

// Kills `pid` and its process group with SIGKILL and reaps it into *status.
// Polls for about 100 ms first; if the child has not exited by then, writes
// to the abort file of every FUSE connection and waits without a timeout.
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    // Presumably a child blocked on a FUSE request cannot exit until its
    // connection is aborted -- the listing does not state the reason.
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            // One byte is written; the path buffer merely serves as the
            // source of that byte.
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

// Detaches whatever is bound to /dev/loop<procid>; silently does nothing if
// the device cannot be opened.
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

// Per-test setup in the forked child: die with the parent, become a process
// group leader (kill_and_wait() signals -pid), and write the highest
// oom_score_adj value so this process is the preferred OOM-killer victim.
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

// Writes fault-injection settings under /sys/kernel/debug. Only entries
// marked fatal terminate the process when the write fails.
static void setup_fault()
{
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                exit(1);
        }
    }
}

// Makes /dev/raw-gadget readable and writable by every user (mode 0666);
// exits on failure. A mode this open is suitable only on a disposable test
// machine.
static void setup_usb()
{
    if (chmod("/dev/raw-gadget", 0666))
        exit(1);
}

// Smallest read buffer syz_fuse_handle_req() accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as used by syz_fuse_handle_req().
enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12,
    FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18,
    FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24,
    FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29,
    FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34,
    FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39,
    FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43,
    FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47,
    FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096,
    CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
    uint32_t len; // compared against the number of bytes read
    uint32_t opcode; // selects the reply in syz_fuse_handle_req()
    uint64_t unique; // copied into the reply header
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

// Header at the start of every reply; `len` is the byte count that
// fuse_send_response() passes to write().
struct fuse_out_header {
    uint32_t len;
    uint32_t error;
    uint64_t unique;
};

// Table of caller-prepared replies, one per reply shape. Any pointer may be
// NULL, in which case the matching request is answered with an error return
// from syz_fuse_handle_req() instead of a reply.
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
};

// Stamps the request's `unique` id into the prepared reply and writes
// out_hdr->len bytes of it to fd. Returns 0 on success, -1 when out_hdr is
// NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    // The length comes from the caller-supplied reply itself and is not
    // checked here against the size of the memory behind out_hdr.
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

// Reads one FUSE request from descriptor a0 into the buffer a1 (a2 bytes) and
// answers it with the matching prepared reply from the table at a3.
// Returns 0 when a reply was written or the request needs none, -1 on a bad
// argument, a short or inconsistent read, an unknown opcode, or a missing
// reply.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;
    if (!req_out) {
        return -1;
    }
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    // The header fields are only trusted once a full header was read and the
    // length it declares fits in what was actually received.
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        // These requests get a header-only reply built from the `init` slot.
        // The length is overwritten in the caller's structure, so it stays
        // at the header size for any later reply taken from the same slot.
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        // No reply is sent for these two opcodes.
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    default:
        return -1;
    }
    return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length accepted by syz_80211_inject_frame().
#define WIFI_MAX_INJECT_LEN 2048

// Sends HWSIM_CMD_REGISTER for family `hwsim_family` on `sock`.
// Returns the result of netlink_send().
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err = netlink_send(nlmsg, sock);
    if (err < 0) {
    }
    return err;
}

// Sends HWSIM_CMD_FRAME carrying `len` bytes of `data` addressed to
// `mac_addr`, with the default rx rate and signal attributes.
// Returns the result of netlink_send(). `len` is not validated here; the
// visible caller bounds it with WIFI_MAX_INJECT_LEN.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
    struct genlmsghdr genlhdr;
    uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
    uint32_t signal = WIFI_DEFAULT_SIGNAL;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_FRAME;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
    netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
    netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
    netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
    int err = netlink_send(nlmsg, sock);
    if (err < 0) {
    }
    return err;
}

// Injects the a2-byte frame at a1 for the receiver MAC at a0 through the
// MAC80211_HWSIM generic-netlink family.
// Returns 0 on success, -1 on a length outside [0, WIFI_MAX_INJECT_LEN] or
// any socket/netlink failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
    uint8_t* mac_addr = (uint8_t*)a0;
    uint8_t* buf = (uint8_t*)a1;
    int buf_len = (int)a2;
    struct nlmsg tmp_msg;
    // Reject the length before it reaches the netlink attribute builder.
    if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    // NOTE(review): the family id is used without a sign check; presumably
    // netlink_query_family_id() does not return on failure when its last
    // argument is true -- confirm in the helper.
    int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
    int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

#define WIFI_MAX_SSID_LEN 32
// Join modes accepted by syz_80211_join_ibss().
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts the interface named at a0 into an IBSS with the a2-byte SSID at a1,
// using join mode a3. In WIFI_JOIN_IBSS_NO_SCAN mode it also waits for the
// interface to reach IF_OPER_UP.
// Returns 0 on success, -1 on an out-of-range SSID length or mode, or on
// any socket/netlink failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* interface = (char*)a0;
    uint8_t* ssid = (uint8_t*)a1;
    int ssid_len = (int)a2;
    int mode = (int)a3;
    struct nlmsg tmp_msg;
    uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
    if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
        return -1;
    }
    if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
    // The frequency is marked fixed for both *_NO_SCAN modes.
    struct join_ibss_props ibss_props = {
        .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
        .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
        .mac = bssid,
        .ssid = ssid,
        .ssid_len = ssid_len};
    int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
        ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
        if (ret < 0) {
            return -1;
        }
    }
    return 0;
}

// Calls the address in `text` as a void(void) function and returns 0.
// Whatever bytes sit at that address are executed with this process's
// privileges; the code performs no check on them.
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

// State of one worker thread: whether it was started, the call index it
// should run, and the two events used to hand work over and back.
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently handed to workers and not yet finished.
static int running;

// Worker body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`. Never leaves the loop.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

// Runs calls 0..52 of the program in order. Each call is handed to the first
// idle worker (workers are started on first use) and given a bounded time to
// finish; a call that does not finish in time keeps its worker busy and the
// next call goes to another one. Afterwards waits up to about 100 ms for
// outstanding calls.
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 53; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                // A fresh worker starts out idle.
                event_set(&th->done);
                thread_start(thr, th);
            }
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            // Base timeout of 50 plus a per-call extra for selected call
            // indices; the unit is whatever event_timedwait() takes.
            event_timedwait(&th->done,
                            50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) +
                                (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) +
                                (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) +
                                (call == 51 ? 300 : 0));
            break;
        }
    }
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main driver: for each iteration creates ./<iter>, resets the loop device,
// forks a child that runs the program once inside that directory, and
// removes the directory afterwards. A child still alive after 5000 ms is
// killed. Never returns.
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

// Fallback syscall numbers for headers that do not define them.
#ifndef __NR_clock_gettime
#define __NR_clock_gettime 265
#endif
#ifndef __NR_getegid
#define __NR_getegid 50
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
#ifndef __NR_recvmmsg
#define __NR_recvmmsg 337
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_signalfd4
#define __NR_signalfd4 327
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
// Route every mmap use in this file to mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: execute_call() stores values returned
// by earlier calls here and reads them back as arguments of later ones.
uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                  0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
                  0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0,
                  0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void
execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; 
*(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 
0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; 
*(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 
0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, 
"\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); 
*(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; 
*(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, 
"\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf
7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x9
4\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xc
d\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xb
b\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa
1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc
1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x6
8\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x9
8\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; 
*(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: memcpy((void*)0x20001680, 
"\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x9
0\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x3
7\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5
d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x7
3\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf
6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x4
8\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9
d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x4
3\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x1
1\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2
c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa
3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf
4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa
3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3
a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x8
0\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc
4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; *(uint32_t*)0x20003800 = 0x28; 
*(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 
0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; *(uint64_t*)0x20004478 = 2; 
*(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 0xfffffffc; 
*(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); setup_usb(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not 
used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor900639943 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/12 (1.53s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 
0x6}}, @supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="8586cff12029eb8ad76f6261d1fe9c2df97d6b5047f70221ce7c26e1ad050096db75ff7ffd7b4dad59f5e070723e8a2cea446602ed86da15975f4f9dad4355f17d1441f9c1d9721e8bc269c91b43934bb3823eba880de01b586e0d592fc978084812a5dd940d6ea61e46ee9f1d53e0d3155c2c34946ca286d646398a4d60b56e48644ce421d53a65fc504680601a0cb3b78cdc3d14d0f9f754d88a4c5d80c2681aca64a4793f17d0f8a5b8dc820fdadee2ee87d42050172286e4b371eac497bf7467890a472d766a442a56a6e75bc39ba4edab5a0cb11eb66a247a2f3ca7d18cbe8bd7516b2d99c763d8c23d753c13937ab99b578e42f359275e86", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 239; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 } #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 } #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { 
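return -1;
  }
  // ifr is zeroed first and at most sizeof(ifr.ifr_name) - 1 bytes are copied,
  // so the copy cannot overflow the fixed-size name field and the result is
  // always NUL-terminated, whatever length interface_name has.
  memset(&ifr, 0, sizeof(ifr));
  strncpy(ifr.ifr_name, interface_name, sizeof(ifr.ifr_name) - 1);
  // Read the current flags, change only IFF_UP, and write them back.
  int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
  if (ret < 0) {
    close(sock);
    return -1;
  }
  if (on)
    ifr.ifr_flags |= IFF_UP;
  else
    ifr.ifr_flags &= ~IFF_UP;
  ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

// Sends NL80211_CMD_SET_INTERFACE for `ifindex` with the requested `iftype`
// over the generic-netlink socket `sock`.
//
// nlmsg is scratch space that is re-initialised here. The return value is
// whatever netlink_send() returns; netlink_send() calls netlink_send_ext()
// with dofail=true, so transport-level failures terminate the process there.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
  netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
  netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
  return netlink_send(nlmsg, sock);
}

// Sends NL80211_CMD_JOIN_IBSS for `ifindex` using the settings in `props`.
//
// SSID and frequency are always attached; the MAC attribute is added only when
// props->mac is non-NULL, and the zero-length FREQ_FIXED flag attribute only
// when props->wiphy_freq_fixed is set. props->ssid_len bytes are copied from
// props->ssid by netlink_attr(), so the caller must supply a buffer at least
// that long. Returns the result of netlink_send().
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
  netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
  netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
  netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
  if (props->mac)
    netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
  if (props->wiphy_freq_fixed)
    netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
  return netlink_send(nlmsg, sock);
}

// Queries link `ifindex` with RTM_GETLINK on a short-lived NETLINK_ROUTE
// socket; the socket is closed as soon as the reply has been received.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
  struct ifinfomsg info;
  memset(&info, 0, sizeof(info));
  info.ifi_family = AF_UNSPEC;
  info.ifi_index = ifindex;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1) {
    return -1;
  }
  netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
  int n;
  int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
  close(sock);
  if (err) {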
return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); 
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
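sq_ring_sz : cq_ring_sz;
  // NOTE(review): neither the io_uring_setup() result nor the two mmap()
  // results are checked here; on failure the out-pointers receive MAP_FAILED
  // and the (negative) setup result is returned as-is.
  *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
  uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
  *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
  return fd_io_uring;
}

// Queues one submission-queue entry on a ring mapped by syz_io_uring_setup().
//
//   a0  address of the mapped ring
//   a1  address of the mapped SQE array
//   a2  address of the SQE to copy (SIZEOF_IO_URING_SQE bytes are read)
//   a3  destination slot; reduced modulo the ring's entry count when that
//       count is non-zero
//
// The SQE is copied into its slot, the slot number is stored in the SQ index
// array at the current tail position, and tail + 1 is published with a release
// store. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  char* ring_ptr = (char*)a0;
  char* sqes_ptr = (char*)a1;
  char* sqe = (char*)a2;
  uint32_t sqes_index = (uint32_t)a3;
  uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
  uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
  // The SQ index array is located after the CQE array, rounded up to a
  // multiple of 64 bytes.
  uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
  if (sq_ring_entries)
    sqes_index %= sq_ring_entries;
  char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
  memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
  uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
  uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
  uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
  uint32_t sq_tail_next = *sq_tail_ptr + 1;
  uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
  *(sq_array + sq_tail) = sqes_index;
  __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
  return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Creates a UNIX socket pair and attaches one end to a vhci_hcd port through
// /sys/devices/platform/vhci_hcd.0/attach; the other end is returned to the
// caller.
//
//   a0  USB speed; USB_SPEED_SUPER selects the second group of
//       VHCI_HC_PORTS ports, anything else the first
//
// Returns the server-side descriptor, or -1 once the per-speed port group is
// used up. socketpair() failure terminates the process.
static long syz_usbip_server_init(volatile long a0)
{
  static int port_alloc[2];
  int speed = (int)a0;
  bool usb3 = (speed == USB_SPEED_SUPER);
  int socket_pair[2];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
    exit(1);
  int client_fd = socket_pair[0];
  int server_fd = socket_pair[1];
  int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
  // Valid indices within a group are 0 .. VHCI_HC_PORTS - 1. Index
  // VHCI_HC_PORTS would make port_num below land on the first port of the
  // next group, so it is rejected too. Both descriptors are closed on this
  // path so repeated calls do not leak them.
  if (available_port_num >= VHCI_HC_PORTS) {
    close(client_fd);
    close(server_fd);
    return -1;
  }
  int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
  char buffer[100];
  snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
  // write_file() treats its second argument as a printf-style format, so the
  // prepared text is passed as data behind an explicit "%s".
  write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
  return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
  __u16 magic;
  __u8 version;
  __u8 flags;
  __u32 hdr_len;
  __u32 type_off;
  __u32 type_len;
  __u32 str_off;
  __u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
  __u32 name_off;
  __u32 info;
  union {
    __u32 size;
    __u32 type;
  };
};

struct btf_enum {
  __u32 name_off;
  __s32 val;
};

struct btf_array {
  __u32 type;
  __u32 index_type;
  __u32 nelems;
};

struct btf_member {
  __u32 name_off;
  __u32 type;
  __u32 offset;
};

struct btf_param {
  __u32 name_off;
  __u32 type;
};

struct btf_var {
  __u32 linkage;
};

struct btf_var_secinfo {
  __u32 type;
  __u32 offset;
  __u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
// buffer on every later call.
//
// Returns NULL when the file cannot be opened, a read fails, or the data
// fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer (treated as too large). The
// descriptor is closed on every path; a failed attempt is not cached, so the
// next call tries again.
static char* read_btf_vmlinux()
{
  static bool is_read = false;
  static char buf[VMLINUX_MAX_SUPPORT_SIZE];
  if (is_read)
    return buf;
  int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
  if (fd < 0)
    return NULL;
  unsigned long bytes_read = 0;
  for (;;) {
    ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
    if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
      close(fd);
      return NULL;
    }
    if (ret == 0)
      break;
    bytes_read += ret;
  }
  close(fd);
  is_read = true;
  return buf;
}

// Looks up the BTF type whose name equals the string at a0 and returns its
// 1-based position in the type section, or -1.
// NOTE(review): hdr_len, type_off and str_off are taken from the header and
// added to the buffer address without being compared against the amount of
// data that was read.
static long syz_btf_id_by_name(volatile long a0)
{
  char* target = (char*)a0;
  char* vmlinux = read_btf_vmlinux();
  if (vmlinux == NULL)
    return -1;
  struct btf_header* btf_header = (struct btf_header*)vmlinux;
  if (btf_header->magic != BTF_MAGIC)
    return -1;
  char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
  char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
  unsigned int bytes_parsed = 0;
  long idx = 1;
  while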
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
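parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
  // Builds *index from a blob that starts with a device descriptor directly
  // followed by a configuration descriptor. The blob is then walked from
  // offset 0 as a chain of (bLength, bDescriptorType, ...) records: up to
  // USB_MAX_IFACE_NUM interface descriptors are recorded, and each endpoint
  // descriptor is attached to the most recently recorded interface (up to
  // USB_MAX_EP_NUM per interface).
  //
  // index->dev, index->config and ifaces[].iface point INTO buffer, so buffer
  // must outlive the index. Returns false only when the blob is too short to
  // hold the two leading descriptors; a malformed record ends the walk but
  // still yields true.
  if (length < sizeof(*index->dev) + sizeof(*index->config))
    return false;
  memset(index, 0, sizeof(*index));
  index->dev = (struct usb_device_descriptor*)buffer;
  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
  index->bDeviceClass = index->dev->bDeviceClass;
  index->bMaxPower = index->config->bMaxPower;
  index->config_length = length - sizeof(*index->dev);
  index->iface_cur = -1;
  size_t offset = 0;
  while (true) {
    // Need at least the length and type bytes of the next record.
    if (offset + 1 >= length)
      break;
    uint8_t desc_length = buffer[offset];
    uint8_t desc_type = buffer[offset + 1];
    if (desc_length <= 2)
      break;
    if (offset + desc_length > length)
      break;
    // A record may declare fewer bytes than the structure it is decoded as,
    // and the blob may end right after it. Copies below are clamped to the
    // bytes that remain in the blob; bytes that are not there read as zero.
    size_t avail = length - offset;
    if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
      struct usb_interface_descriptor hdr;
      memset(&hdr, 0, sizeof(hdr));
      memcpy(&hdr, buffer + offset, sizeof(hdr) < avail ? sizeof(hdr) : avail);
      struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
      // The stored pointer still refers to the raw (possibly short) record.
      slot->iface = (struct usb_interface_descriptor*)(buffer + offset);
      slot->bInterfaceNumber = hdr.bInterfaceNumber;
      slot->bAlternateSetting = hdr.bAlternateSetting;
      slot->bInterfaceClass = hdr.bInterfaceClass;
      index->ifaces_num++;
    }
    if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
      struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
      if (iface->eps_num < USB_MAX_EP_NUM) {
        size_t want = sizeof(iface->eps[iface->eps_num].desc);
        // The destination was zeroed by the memset above, so a clamped copy
        // leaves the missing tail as zero.
        memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, want < avail ? want : avail);
        iface->eps_num++;
      }
    }
    offset += desc_length;
  }
  return true;
}

// Reserves the next slot of usb_devices for `fd` and indexes the descriptor
// blob `dev` (dev_len bytes) into it.
//
// Returns the slot's index structure, or NULL when all USB_MAX_FDS slots have
// been handed out or the blob cannot be parsed. The slot counter is only ever
// incremented, so a slot whose parse fails is not reused. The fd is published
// with a release store after the index has been filled in.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
  int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
  if (i >= USB_MAX_FDS)
    return NULL;
  if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
    return NULL;
  __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
  return &usb_devices[i].index;
}

// Returns the index structure of the usb_devices slot registered for `fd`.
static struct usb_device_index* lookup_usb_index(int fd)
{
  for (int i = 0; i < USB_MAX_FDS; i++) {
    if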
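(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
      return &usb_devices[i].index;
  }
  return NULL;
}

// One caller-supplied string descriptor: `len` bytes at `str`.
struct vusb_connect_string_descriptor {
  uint32_t len;
  char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors used while a device is being
// connected: device-qualifier bytes, BOS bytes, and strs_len string
// descriptors stored directly after the fixed fields.
struct vusb_connect_descriptors {
  uint32_t qual_len;
  char* qual;
  uint32_t bos_len;
  char* bos;
  uint32_t strs_len;
  struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptors; byte 0 of each is its own length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Chooses the reply for an IN control request received while connecting.
//
// Only standard GET_DESCRIPTOR requests are answered. On success
// *response_data / *response_length describe the bytes to send and true is
// returned; false means "no reply available".
//
//   DEVICE / CONFIG    taken from the index registered for fd
//   STRING             descs->strs[idx] when present, otherwise the default
//                      language-id (idx 0) or default string descriptor
//   BOS                descs->bos; false when descs is NULL
//   DEVICE_QUALIFIER   descs->qual when provided, otherwise a descriptor
//                      synthesized from the device descriptor
//
// descs may be NULL (callers can connect without extra descriptors), so every
// branch that reads it checks it first, as the STRING branch already did.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  uint8_t str_idx;
  if (!index)
    return false;
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_GET_DESCRIPTOR:
      // The descriptor type is the high byte of wValue, the index the low byte.
      switch (ctrl->wValue >> 8) {
      case USB_DT_DEVICE:
        *response_data = (char*)index->dev;
        *response_length = sizeof(*index->dev);
        return true;
      case USB_DT_CONFIG:
        *response_data = (char*)index->config;
        *response_length = index->config_length;
        return true;
      case USB_DT_STRING:
        str_idx = (uint8_t)ctrl->wValue;
        if (descs && str_idx < descs->strs_len) {
          *response_data = descs->strs[str_idx].str;
          *response_length = descs->strs[str_idx].len;
          return true;
        }
        if (str_idx == 0) {
          *response_data = (char*)&default_lang_id[0];
          *response_length = default_lang_id[0];
          return true;
        }
        *response_data = (char*)&default_string[0];
        *response_length = default_string[0];
        return true;
      case USB_DT_BOS:
        // Without caller descriptors there is no BOS data to hand out.
        if (!descs)
          return false;
        *response_data = descs->bos;
        *response_length = descs->bos_len;
        return true;
      case USB_DT_DEVICE_QUALIFIER:
        if (!descs || !descs->qual) {
          // The synthesized descriptor needs storage of its own.
          // response_data is the address of the caller's pointer variable,
          // not a buffer; building the descriptor through it would overwrite
          // that pointer and the memory after it. Thread-local storage keeps
          // concurrent connects from sharing the buffer.
          static __thread struct usb_qualifier_descriptor synthesized_qual;
          struct usb_qualifier_descriptor* qual = &synthesized_qual;
          qual->bLength = sizeof(*qual);
          qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
          qual->bcdUSB = index->dev->bcdUSB;
          qual->bDeviceClass = index->dev->bDeviceClass;
          qual->bDeviceSubClass = index->dev->bDeviceSubClass;
          qual->bDeviceProtocol = index->dev->bDeviceProtocol;
          qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
          qual->bNumConfigurations = index->dev->bNumConfigurations;
          qual->bRESERVED = 0;
          *response_data = (char*)qual;
          *response_length = sizeof(*qual);
          return true;
        }
        *response_data = descs->qual;
        *response_length = descs->qual_len;
        return true;
      default:
        break;
      }
      break;
    default:
      break;
    }
    break;
  default:
    break;
  }
  return false;
}

// Handler type for OUT control requests seen while connecting: returns true
// when the request is accepted and sets *done once enumeration is complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request and
// marks the connect sequence as done when it arrives.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      *done = true;
      return true;
    default:
      break;
    }
    break;
  }
  return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k OUT handler: accepts SET_CONFIGURATION and the vendor
// ATH9K_FIRMWARE_DOWNLOAD request without finishing, and sets *done only on
// the vendor ATH9K_FIRMWARE_DOWNLOAD_COMP request.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      return true;
    default:
      break;
    }
    break;
  case USB_TYPE_VENDOR:
    switch (ctrl->bRequest) {
    case ATH9K_FIRMWARE_DOWNLOAD:
      return true;
    case ATH9K_FIRMWARE_DOWNLOAD_COMP:
      *done = true;
      return true;
    default:
      break;
    }
    break;
  }
  return false;
}

// A descriptor reply keyed by request type and descriptor type; `len` bytes
// of payload follow the header.
struct vusb_descriptor {
  uint8_t req_type;
  uint8_t desc_type;
  uint32_t len;
  char data[0];
} __attribute__((packed));

// Table of descriptor replies plus an optional generic fallback.
struct vusb_descriptors {
  uint32_t len;
  struct vusb_descriptor* generic;
  struct vusb_descriptor* descs[0];
} __attribute__((packed));

// A reply keyed by request type and request code; `len` bytes of payload
// follow the header.
struct vusb_response {
  uint8_t type;
  uint8_t req;
  uint32_t len;
  char data[0];
} __attribute__((packed));

struct vusb_responses {
  uint32_t len;
  struct vusb_response* generic;
  struct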
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
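USB_RAW_IOCTL_EVENT_FETCH, event);
}

/*
 * Thin wrappers over the raw-gadget ioctls on an fd obtained from usb_raw_open().
 * Each one issues a single ioctl and returns its result unchanged.
 */

/* Issues USB_RAW_IOCTL_EP0_WRITE with the caller's io descriptor. */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP0_READ with the caller's io descriptor. */
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

/* Issues USB_RAW_IOCTL_EP_WRITE; io->ep selects the endpoint handle. */
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

/* Issues USB_RAW_IOCTL_EP_READ; io->ep selects the endpoint handle. */
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/* Issues USB_RAW_IOCTL_EP_ENABLE; set_interface() stores a non-negative result as the endpoint handle. */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

/* Issues USB_RAW_IOCTL_EP_DISABLE; the handle is passed by value as the ioctl argument. */
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

/* Issues USB_RAW_IOCTL_CONFIGURE. */
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

/* Issues USB_RAW_IOCTL_VBUS_DRAW; power is passed by value as the ioctl argument. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Issues USB_RAW_IOCTL_EP0_STALL. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Finds the interface entry recorded for fd whose bInterfaceNumber and
 * bAlternateSetting both match. Returns its position in index->ifaces[],
 * or -1 when fd has no index or nothing matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Maps an endpoint address to the handle stored for it in the currently
 * selected interface. Returns the handle, or -1 when fd has no index, no
 * valid interface is selected, or no endpoint has that address.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	/* iface_cur indexes ifaces[]: reject "none selected" and out-of-range values, as set_interface() does. */
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	/*
	 * The scan has to be bounded by eps_num. The previous condition tested
	 * eps_num alone, so with a non-empty endpoint list and no matching
	 * address the loop kept reading past the end of eps[].
	 */
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

/*
 * Switches the gadget to interface entry n: disables the endpoints of the
 * currently selected interface, then enables those of entry n, records the
 * returned handles and updates iface_cur. Out-of-range values are skipped.
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;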
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
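ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Pseudo-syscall: reads up to a2 bytes from the endpoint with address a1 of
 * gadget fd a0 into the buffer at a3. The length is clamped to the size of the
 * on-stack bounce buffer. Returns 0 on success, -1 when the endpoint is not
 * found, or the negative result of the read ioctl.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	/*
	 * The copy-out below always moves inner.length bytes. Zero the bounce
	 * buffer first so that, if the transfer fills fewer bytes than requested,
	 * the remainder is not stale stack content.
	 */
	memset(&io_data.data[0], 0, len);
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: closes the gadget fd a0, waits 200 ms, and returns the close() result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Pseudo-syscall: opens a device node.
 * When a0 is 0xc or 0xb the path is /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 * (both numbers truncated to 8 bits) and the node is opened O_RDWR.
 * Otherwise a0 is a pointer to a path template: every '#' is replaced by the
 * next decimal digit of a1, least significant first, and the result is opened
 * with flags a2. The template is copied into a fixed buffer and NUL-terminated
 * before it is edited.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/*
 * Pseudo-syscall: opens the procfs file named by the string at a1.
 * a0 == 0 selects /proc/self/, a0 == -1 selects /proc/thread-self/, any other
 * value is used as a task id under /proc/self/task/. O_RDWR is tried first and
 * O_RDONLY is the fallback. snprintf bounds the path to the 128-byte buffer.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * Pseudo-syscall: queries the pty number of fd a0 with TIOCGPTN and opens
 * /dev/pts/<n> with flags a1. Returns -1 when the ioctl fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * Pseudo-syscall: creates a socket while temporarily switched to the network
 * namespace held open at kInitNetNsFd, then switches back to the caller's
 * namespace. errno of the socket() call is preserved across the switch back.
 * The process exits if it cannot return to its own namespace, since staying in
 * the other namespace would affect every later call.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

/*
 * Pseudo-syscall: resolves the generic-netlink family named by the string at
 * `name` through netlink_query_family_id(). A negative sock_arg makes the
 * function open its own NETLINK_GENERIC socket (closed again before returning)
 * and pass dofail = true to the query. Returns the id, or -1 on failure.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset` in the image. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Clamps the first min(nsegs, IMAGE_MAX_SEGMENTS) segments in place so that
 * each one lies inside [0, IMAGE_MAX_SIZE), and returns the image size needed
 * to hold them, itself capped at IMAGE_MAX_SIZE. The segment array is
 * caller-supplied, so every field is treated as untrusted.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		/* size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap. */
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * The image must reach the end of the segment, i.e. offset + size.
		 * The earlier code added offset to itself, which ignored the
		 * segment length entirely.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Builds an in-memory image from the segments and attaches it to the loop
 * device `loopname`. On success stores the memfd and loop fd through memfd_p
 * and loopfd_p and returns 0; on failure closes what was opened, sets errno
 * and returns -1. A busy loop device is cleared once and the attach retried.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	/*
	 * fs_image_segment_check() clamps only its own copy of nsegs. Apply the
	 * same cap here so the write loop below never touches a segment whose
	 * size and offset were not validated.
	 */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		/* Best effort: a segment that cannot be written is skipped. */
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

/*
 * Pseudo-syscall: attaches the image described by the segments to
 * /dev/loop<procid>, turns on partition scanning for it, and symlinks each
 * partition node that appears to ./file<N>. The loop device is detached again
 * before returning.
 */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,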
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

/* Mounts fusectl at /sys/fs/fuse/connections; a failed mount is ignored. */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/*
 * Confinement shared by the sandbox modes. In order, it:
 *  - asks for SIGKILL when the parent dies and starts a new session;
 *  - keeps a handle to the current network namespace at the fixed descriptor
 *    kInitNetNsFd (syz_init_net_socket() switches to it later);
 *  - sets resource limits on the process;
 *  - unshares the mount, IPC, cgroup and UTS namespaces and SysV semaphore
 *    undo state, and makes the mount tree private;
 *  - writes a fixed set of SysV IPC sysctls.
 * Only the network-namespace steps are fatal. setrlimit() results are not
 * checked and unshare()/mount() failures are ignored, so a caller cannot
 * assume every restriction is actually in force.
 */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	/* Address space: 200 MiB. */
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	/* Locked memory: 32 MiB. */
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	/* File size: 136 MiB, above the 129 MiB IMAGE_MAX_SIZE used for loop images. */
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	/* Stack: 1 MiB. */
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	/* No core dumps. */
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	/* At most 256 open descriptors. */
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	/* Make every mount private so later mounts do not propagate out of this namespace. */
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically here. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* SysV shared-memory, message-queue and semaphore limits, written as given. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	/* The write_file() result is not checked here. */
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Blocks until the child `pid` has been reaped and returns its exit status.
 * Exits the process when pid is negative (fork failed). Other children that
 * waitpid(-1, ...) returns in the meantime are reaped and discarded.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process, leaving all other capabilities as
 * they were. Uses the version-3 capget/capset interface; only cap_data[0] is
 * edited, which is where both bits live. Any syscall failure is fatal.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * Entry point for the "none" sandbox. Requests a new PID namespace, forks,
 * and in the child applies setup_common(), sandbox_common() and drop_caps(),
 * requests a new network namespace and runs loop(). The parent waits for the
 * child and returns its exit status. Both unshare() calls are best effort:
 * when they fail the child keeps running in the parent's PID or network
 * namespace.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	/* loop() is not expected to return; treat a return as failure. */
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively deletes `dir` and everything below it, undoing what a test
 * program may have left behind: mounts stacked on an entry are lazily
 * detached, and on EPERM the inode flags are reset to 0 through
 * FS_IOC_SETFLAGS before the removal is retried. Entries on a read-only
 * filesystem are left in place. Entries are examined with lstat(), so a
 * symlink is unlinked rather than followed. Unrecoverable errors terminate
 * the process with exit(1).
 */
static void remove_dir(const char* dir)
{
	/* Counts full rescans triggered by ENOTEMPTY; capped at 100. */
	int iter = 0;
	DIR* dp = 0;
retry:
	/* Peel off every mount stacked on the directory itself. */
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* Reset the inode flags to 0, then try the unlink again. */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			/* Only EBUSY is retried from here, and only a bounded number of times. */
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				/* New entries appeared after the scan: rescan from the top. */
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Arms fault injection for the calling thread by writing `nth` in decimal to
 * /proc/thread-self/fail-nth. Returns the open descriptor; exits the process
 * when the file cannot be opened or written.
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf,
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak" static void setup_leak() { if (!write_file(KMEMLEAK_FILE, "scan")) exit(1); sleep(5); if (!write_file(KMEMLEAK_FILE, "scan")) exit(1); if (!write_file(KMEMLEAK_FILE, "clear")) exit(1); } static void check_leaks(void) { int fd = open(KMEMLEAK_FILE, O_RDWR); if (fd == -1) 
exit(1); uint64_t start = current_time_ms(); if (write(fd, "scan", 4) != 4) exit(1); sleep(1); while (current_time_ms() - start < 4 * 1000) sleep(1); if (write(fd, "scan", 4) != 4) exit(1); static char buf[128 << 10]; ssize_t n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); int nleaks = 0; if (n != 0) { sleep(1); if (write(fd, "scan", 4) != 4) exit(1); if (lseek(fd, 0, SEEK_SET) < 0) exit(1); n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); buf[n] = 0; char* pos = buf; char* end = buf + n; while (pos < end) { char* next = strstr(pos + 1, "unreferenced object"); if (!next) next = end; char prev = *next; *next = 0; fprintf(stderr, "BUG: memory leak\n%s\n", pos); *next = prev; pos = next; nleaks++; } } if (write(fd, "clear", 5) != 5) exit(1); close(fd); if (nleaks) exit(1); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct 
fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: 
case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, 
HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, 
IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); check_leaks(); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; 
break; case 1: *(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; 
*(uint8_t*)0x20000242 = 0x7f; *(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; 
*(uint8_t*)0x20000283 = 8; *(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; 
*(uint8_t*)0x2000031a = 0x15; STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; 
*(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; 
*(uint8_t*)0x20000431 = 0x25; memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 
0x20000580, 0x38); break; case 8: memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; 
*(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, "\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd
3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x0
1\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x94\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x5
6\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xcd\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc
5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xbb\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc
2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xb
b\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa
6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x68\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xc
c\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x98\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 
0x20001640, 2, 0); if (res != -1) r[5] = res; break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; *(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) 
r[15] = res; break; case 24: memcpy((void*)0x20001680, "\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a
\x5e\xcc\xa4\x8b\x65\xaf\xb8\x7a\x55\x83\xcf\x17\x96\x90\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c
\xf9\xde\x18\xe5\x7d\xe1\x00\xf2\x63\x67\x7d\x31\xec\x37\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80
\xa3\x5b\xf0\x15\x32\xc2\xc8\x31\xba\x35\x22\x2f\x80\x5d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87
\xe2\x0a\x8a\x9f\x37\x31\x18\x9c\x95\x7e\x53\xc6\x96\x73\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25
\xf1\x3c\x3b\xf5\xe9\x10\x18\x9e\xa8\xe0\x46\x61\xb9\xf6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8
\xd9\x9e\x9f\xf4\x4d\x3d\xb2\x41\xe1\x31\x5d\x0f\x14\x48\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19
\x27\x99\x89\x9c\x02\x43\x31\x7f\xee\x5b\x22\x11\x6d\x9d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49
\xfd\x09\xd2\x77\xe3\x01\xce\x64\x40\x2b\x0b\xc2\x0d\x43\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13
\xd8\x9d\xd6\x18\x43\x1d\x57\x75\xf9\x25\xf0\xbe\x14\x11\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7
\xe9\xe4\xb7\xef\xd2\x43\x96\xe7\xa9\xd6\x2f\xfe\xd4\x2c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1
\x95\xf8\xf5\x8e\x00\x96\xac\x1f\xb6\x54\xb9\x57\xfc\xa3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63
\xa9\x8b\x51\xc5\xaa\x0b\x3d\xac\xef\x60\x23\x41\x86\xf4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf
\xba\x24\xac\xb1\xfb\x28\xfc\x25\x92\xad\x2e\xbc\x2b\xa3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb
\x2d\x12\x56\xe8\x27\xac\x9b\x77\xa9\x7e\xc6\x41\xa5\x3a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79
\x53\x49\x92\x05\xb3\x07\xca\x77\x27\x7f\x6c\xcf\x39\x80\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab
\x10\xcf\x6f\xb2\x82\xf7\x60\xd8\xd5\x4a\x8d\xb0\xc0\xc4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 
= 0x20003800; *(uint32_t*)0x20003800 = 0x28; *(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; 
*(uint32_t*)0x20003e80 = 0x90; *(uint32_t*)0x20003e84 = 0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 
0xffffffec; *(uint64_t*)0x20004478 = 2; *(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; 
*(uint32_t*)0x200045f8 = 0xfffffffc; *(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; 
*(uint64_t*)0x20004778 = 5; *(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; 
*(uint32_t*)0x20004904 = 7; *(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 
0x20ffe000, 0x1000, 0x300000a, 0x10, (intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 
= 0x1a; *(uint32_t*)0x20005058 = 0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != 
-1) r[21] = res; break; case 34: *(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_leak(); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but not 
used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor410024460 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/8 (1.54s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, 
@supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="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", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + 
(csum->acc >> 16); // second half of the carry fold started on the previous line
}

// Final checksum: bitwise complement of the accumulator, narrowed to 16 bits by the return type.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

// One-word event flag. The code below only ever stores 0 (clear) or 1 (set);
// waiters sleep on the word through futex.
typedef struct {
	int state;
} event_t;

// Puts the event into the clear state.
static void event_init(event_t* ev)
{
	ev->state = 0;
}

// Clears the event again; the same plain store as event_init.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Sets the event and wakes futex waiters.
// Setting an event that is already set terminates the process with exit(1).
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	// Wake count 1000000: in practice every thread waiting on this word.
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Blocks until the event is observed set. There is no timeout.
static void event_wait(event_t* ev)
{
	// FUTEX_WAIT with expected value 0 only sleeps while the word is still 0;
	// the loop re-checks after every wake-up.
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Returns the current state (non-zero when set) without blocking.
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits for the event for at most `timeout` milliseconds, measured with current_time_ms().
// Returns 1 once the event is observed set, 0 when the timeout has elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// No underflow here: the loop returns below as soon as now - start exceeds timeout.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// printf-style helper: formats `what` and writes the result to the file named `file`.
// Returns true only when the whole formatted string was written.
// NOTE(review): `what` is a format string; callers must not pass text they do not control in that position.
static bool write_file(const char* file, const char* what, ...)
{ // body of write_file(file, what, ...), whose signature ends the previous line
	char buf[1024];
	va_list args;
	va_start(args, what);
	// Output is bounded by sizeof(buf); longer text is truncated.
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	// No O_CREAT in the flags: the target has to exist already.
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		// Preserve write()'s errno for the caller; close() could overwrite it.
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Scratch buffer for building one netlink message.
// pos is the write cursor into buf; nesting/nested are only checked (not modified) in the code shown here.
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

// Resets the message and writes a header of type `typ` followed by `size` bytes of payload from `data`.
// NLM_F_REQUEST | NLM_F_ACK are always set in addition to `flags`.
// NOTE(review): `size` is not compared with sizeof(buf) before the memcpy; callers on this
// listing pass small fixed-size structs.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (header plus `size` bytes from `data`) at the cursor and advances it.
// NOTE(review): nothing here checks that the attribute fits in buf. The only bound check
// visible is in netlink_send_ext, which runs after the bytes have been written.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Sends the built message on `sock` and reads one reply into the same buffer.
//   reply_type / reply_len: when reply_len is non-NULL and the reply has this type,
//                           *reply_len receives the number of bytes received and 0 is returned.
//   dofail: when true, failures call exit(1) instead of returning -1.
// Returns 0 for NLMSG_DONE or a matching reply, -1 on send/receive/format problems,
// otherwise the error field of the NLMSG_ERROR reply (see the end of the function).
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	// Detects a cursor that ran past the buffer, or unbalanced nesting; both are fatal.
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	// The reply overwrites the request; hdr now points at the reply header.
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	// Reject replies too short to contain a netlink header before reading its fields.
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct
nlmsgerr))) { // completes the size check opened on the previous line: reply too short for an nlmsgerr
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	// errno receives the negated error field; the return value is the field itself.
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

// Convenience wrapper: no typed reply expected, and any failure is fatal (dofail = true).
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Looks up the numeric id of the generic-netlink family `family_name`.
// Returns the id, or -1 (errno = EINVAL when the reply carried no id).
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	// Name length is capped at GENL_NAMSIZ - 1 characters plus one more byte.
	// NOTE(review): for a longer name that extra byte is the next character, not a NUL.
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	// Walk the reply attributes up to the n bytes received.
	// NOTE(review): the step trusts attr->nla_len from the reply (a zero length would not advance)
	// and the 2-byte read of the id is not checked against the end of the reply; presumably
	// acceptable because the peer is the kernel — confirm.
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	// One more receive whose result is discarded; presumably drains the trailing ACK — confirm.
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

// Not referenced in the visible part of the listing; by its name presumably a descriptor
// number reserved for the initial network namespace — confirm.
const int kInitNetNsFd = 239;

// Locally defined Wi-Fi / hwsim constants. Most of their users are outside the visible part of the listing.
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

// Parameters for nl80211_join_ibss: frequency, whether it is fixed, optional MAC, and the SSID bytes.
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac; // optional: the attribute is only added when non-NULL
	uint8_t* ssid;
	int ssid_len;
};

// Brings the named interface up (on != 0) or down via SIOCGIFFLAGS / SIOCSIFFLAGS.
// Returns 0 on success, -1 on any failure.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
return -1; // socket() failed; this is the branch opened at the end of the previous line
	}
	memset(&ifr, 0, sizeof(ifr));
	// NOTE(review): unbounded strcpy into the fixed-size ifr_name field; safe only while callers
	// pass short, trusted interface names.
	strcpy(ifr.ifr_name, interface_name);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Sends NL80211_CMD_SET_INTERFACE for `ifindex` with the requested interface type.
// Returns whatever netlink_send returns.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send(nlmsg, sock);
	// Empty branch: nothing is done with the error here beyond returning it.
	if (err < 0) {
	}
	return err;
}

// Sends NL80211_CMD_JOIN_IBSS for `ifindex` using the SSID, frequency and optional MAC in `props`.
// Returns whatever netlink_send returns.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	// ssid_len bytes are copied as given; no upper bound is applied in this function.
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	// Flag attribute: header only, no payload.
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send(nlmsg, sock);
	// Empty branch: nothing is done with the error here beyond returning it.
	if (err < 0) {
	}
	return err;
}

// Queries the operational state of interface `ifindex` over a fresh NETLINK_ROUTE socket.
// Returns the IFLA_OPERSTATE value, or -1 if the socket, the request or the attribute lookup fails.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	// n is left uninitialised here; with dofail = true netlink_send_ext either exits or
	// assigns *reply_len before it returns.
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
	close(sock);
	if (err) {
return -1; // request failed; this is the branch opened at the end of the previous line
	}
	// RTA_OK / RTA_NEXT bound the walk by the n bytes reported for the reply.
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

// Polls the interface's operational state about once per millisecond until it equals `operstate`.
// Returns 0 on a match, or the negative value from get_ifla_operstate on failure.
// NOTE(review): there is no timeout, and the if_nametoindex result is not checked for 0.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	// Not reachable: the loop above only leaves through a return.
	return 0;
}

// Switches `interface` to ad-hoc mode, brings it up and joins the IBSS described by `ibss_props`.
// Returns 0 on success, -1 if the interface is unknown or any step fails.
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Entry sizes and byte offsets used to address fields inside the mapped io_uring rings.
// NOTE(review): these are hard-coded rather than taken from the offsets the kernel reports
// in io_uring_params; presumably they match the targeted kernels — confirm.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Completion queue entry as copied out of the ring (16 bytes, matching SIZEOF_IO_URING_CQE).
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Pseudo-syscall: consumes one completion entry from the ring mapped at a0.
// a0 is used as a pointer exactly as passed in; nothing validates it.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	// The masked head selects the slot; the unmasked head + 1 is what gets published.
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	// Copy the entry out before the head is advanced.
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); // publish the advanced head after the entry was copied out
	// The result is only reported for entries tagged with one of two user_data values;
	// any other entry yields -1.
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

// Submission-ring field offsets, declared locally in this generated file.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

// Completion-ring field offsets, declared locally in this generated file.
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

// Parameter block handed to the io_uring_setup syscall below.
// The code reads sq_entries, cq_entries, sq_off.array and cq_off.cqes from it afterwards.
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets selecting the SQ ring and the SQE array, and the syscall number used via syscall().
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define sys_io_uring_setup 425

// Pseudo-syscall: creates an io_uring instance and maps its ring and SQE array.
//   a0: number of entries        a1: struct io_uring_params*
//   a2, a3: addresses at which to map the ring and the SQEs
//   a4, a5: where to store the two resulting mapping addresses
// Returns the io_uring file descriptor value.
// NOTE(review): the syscall result is stored in a uint32_t and never checked, so a failure
// value flows unchanged into both mmap calls and the return value.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params);
	// Sizes are derived from the parameter block after the syscall; 32-bit arithmetic, no overflow check.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	// One mapping covers both rings, so take the larger of the two sizes.
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz; // completes the max() expression started on the previous line
	// MAP_FIXED places the mapping exactly at vma1 / vma2 and replaces anything already mapped there.
	// The mmap results are stored without a MAP_FAILED check.
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Pseudo-syscall: copies one 64-byte SQE into the SQE array and publishes it on the submission ring.
//   a0: ring mapping   a1: SQE array mapping   a2: SQE to copy   a3: requested slot index
// All pointers are used as passed in. Always returns 0.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is assumed to start at the first 64-byte boundary after the CQEs.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	// Keep the slot inside the SQE array. If the ring reports 0 entries the index is used unreduced.
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	// Fill the index slot first, then publish the new tail with release ordering.
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

// Ports per speed class, and per process (two classes: indexed by the usb3 flag below).
#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

// Pseudo-syscall: creates a socket pair and attaches one end to a vhci_hcd port via sysfs.
//   a0: USB speed value. Returns the other end of the pair, or -1 when no port is left.
static long syz_usbip_server_init(volatile long a0)
{
	// Per-speed-class allocation counters (index 0 or 1), shared by all callers in the process.
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		exit(1);
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// NOTE(review): the comparison is '>' so a counter value equal to VHCI_HC_PORTS still passes;
	// confirm whether '>=' was intended. On this early return both descriptors of the pair stay open.
	if (available_port_num > VHCI_HC_PORTS) {
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	// Three ints and a one-character string: comfortably within 100 bytes.
	char buffer[100];
	sprintf(buffer,
"%d %d %s %d", port_num, client_fd, "0", speed);
	// buffer is passed in write_file's format-string position; it holds only digits and spaces here.
	// The return value of write_file is ignored, so a failed attach is not reported.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

// Minimal local BTF definitions used by the lookup below.
#define BTF_MAGIC 0xeB9F
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

// Field extractors for btf_type.info, and the kind codes the parser distinguishes.
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

// Common record header; kind-specific data of variable size follows it.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

// Kind-specific trailers; the parser only uses their sizes.
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Upper bound (10 MiB) on the BTF blob this helper is willing to load.
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns it on every later call.
// Returns NULL if the file cannot be opened or read, or if it fills the whole buffer.
// NOTE(review): fd is not closed on any path (success or failure), and the number of bytes
// read is not kept for later bounds checks.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A read that reaches the end of the buffer is treated as "file too large".
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

// Pseudo-syscall: returns the 1-based position of the BTF type whose name equals the string at a0,
// or -1 if the blob is unavailable, has the wrong magic, or no record matches.
// NOTE(review): section offsets, name offsets and record sizes from the blob are used without
// being checked against the amount of data read; the input is the kernel's own BTF.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// Both sections are located relative to the end of the header.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = 
index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct 
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, 
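USB_RAW_IOCTL_EVENT_FETCH, event);
}

/* Thin wrappers: each issues exactly one raw-gadget ioctl and returns its result. */

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Find the parsed interface entry matching an interface number and
 * alternate setting for the device registered under fd.
 *
 * Returns the entry's position in the index, or -1 when fd has no index or
 * no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Return the stored handle of the endpoint with the given address on the
 * currently selected interface of the device registered under fd.
 *
 * Returns -1 when fd has no index, no interface is selected, or the address
 * is not among the interface's recorded endpoints.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	/* Same validity window for iface_cur that set_interface() applies. */
	if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
		return -1;
	const struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	/*
	 * The original loop condition was the bare eps_num, with no comparison
	 * against ep: once an interface had any endpoint, an address that
	 * matched none of them made the loop run past eps[] and read beyond
	 * the array. Bound the scan by the recorded endpoint count.
	 */
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;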
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? 
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { bool dofail = false; int fd = sock_arg; if (fd < 0) { dofail = true; fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 356 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs) { if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (size_t i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE 
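- segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * Grow the image so it covers the end of this segment. The
		 * original compared against offset + offset, which can leave
		 * the requested size short of the data written afterwards.
		 * After the clamps above, offset + size cannot exceed
		 * IMAGE_MAX_SIZE.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Build an in-memory image from the given segments and bind it to the loop
 * device named by loopname.
 *
 * On success stores the memfd and loop descriptors through memfd_p and
 * loopfd_p and returns 0. On failure closes whatever was opened, sets errno
 * to the first error seen and returns -1. Failed segment writes are ignored.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	/*
	 * fs_image_segment_check() takes nsegs by value, so its clamp never
	 * reaches this function. Apply the same limit here so the write loop
	 * below only touches segments whose size and offset were sanitized.
	 */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	size = fs_image_segment_check(size, nsegs, segs);
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* Device still bound to a backing file: detach it and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	/* Ask the kernel to scan the attached image for a partition table. */
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname,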
&statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: 
while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", 
ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } }

// Detaches the backing file from this process's loop device.
// Opens "/dev/loop<procid>" (procid is defined outside this view) and issues
// LOOP_CLR_FD; a failed open is silently ignored.
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

// Per-iteration setup run in the forked test child (see loop()).
static void setup_test()
{
    // Have the kernel send SIGKILL to this process when its parent dies,
    // so a test child does not outlive the harness.
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    // 1000 is the maximum oom_score_adj: the OOM killer picks this process
    // first. The result of write_file is not checked here.
    write_file("/proc/self/oom_score_adj", "1000");
}

// Writes a fixed set of values to the kernel fault-injection debugfs files.
// Only a failure on the failslab entry (fatal == true) terminates the
// program with exit(1); failures on the other entries are ignored.
static void setup_fault()
{
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                exit(1);
        }
    }
}

// Smallest read buffer syz_fuse_handle_req accepts from its caller.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes.
// NOTE(review): presumably mirrors the kernel's uapi fuse.h -- confirm
// against the kernel version under test.
enum fuse_opcode {
    FUSE_LOOKUP = 1,
    FUSE_FORGET = 2,
    FUSE_GETATTR = 3,
    FUSE_SETATTR = 4,
    FUSE_READLINK = 5,
    FUSE_SYMLINK = 6,
    FUSE_MKNOD = 8,
    FUSE_MKDIR = 9,
    FUSE_UNLINK = 10,
    FUSE_RMDIR = 11,
    FUSE_RENAME = 12,
    FUSE_LINK = 13,
    FUSE_OPEN = 14,
    FUSE_READ = 15,
    FUSE_WRITE = 16,
    FUSE_STATFS = 17,
    FUSE_RELEASE = 18,
    FUSE_FSYNC = 20,
    FUSE_SETXATTR = 21,
    FUSE_GETXATTR = 22,
    FUSE_LISTXATTR = 23,
    FUSE_REMOVEXATTR = 24,
    FUSE_FLUSH = 25,
    FUSE_INIT = 26,
    FUSE_OPENDIR = 27,
    FUSE_READDIR = 28,
    FUSE_RELEASEDIR = 29,
    FUSE_FSYNCDIR = 30,
    FUSE_GETLK = 31,
    FUSE_SETLK = 32,
    FUSE_SETLKW = 33,
    FUSE_ACCESS = 34,
    FUSE_CREATE = 35,
    FUSE_INTERRUPT = 36,
    FUSE_BMAP = 37,
    FUSE_DESTROY = 38,
    FUSE_IOCTL = 39,
    FUSE_POLL = 40,
    FUSE_NOTIFY_REPLY = 41,
    FUSE_BATCH_FORGET = 42,
    FUSE_FALLOCATE = 43,
    FUSE_READDIRPLUS = 44,
    FUSE_RENAME2 = 45,
    FUSE_LSEEK = 46,
    FUSE_COPY_FILE_RANGE = 47,
    FUSE_SETUPMAPPING = 48,
    FUSE_REMOVEMAPPING = 49,
    CUSE_INIT = 4096,
    CUSE_INIT_BSWAP_RESERVED = 1048576,
    FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE device.
struct fuse_in_header {
    uint32_t len;
    uint32_t opcode;
    uint64_t unique;
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

// Header at the start of every reply written to the FUSE device.
struct fuse_out_header {
    uint32_t len;
    uint32_t error;
    uint64_t unique;
};

// Caller-supplied reply templates, one per reply kind. Each pointer may be
// NULL; fuse_send_response() then fails instead of replying.
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
};

// Sends one reply on the FUSE fd.
// Copies the request's `unique` id into the reply template and writes
// out_hdr->len bytes starting at out_hdr. Returns 0 on success, -1 when the
// template is NULL or write() fails.
// NOTE(review): out_hdr->len comes from the caller's template and is not
// bounded here, so the number of bytes read from the template memory is
// whatever that field says. That is tolerable only because the templates
// are produced by the test program itself; do not reuse this helper on
// replies from an untrusted source.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

// Pseudo-syscall: reads one FUSE request and answers it from a template.
//   a0: FUSE device fd
//   a1: read buffer
//   a2: size of the read buffer, must be >= FUSE_MIN_READ_BUFFER
//   a3: pointer to struct syz_fuse_req_out with the reply templates
// Returns 0 when a reply was sent (or the request needs none), -1 otherwise.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;
    if (!req_out) {
        return -1;
    }
    // Also rejects negative lengths produced by the long -> int cast above.
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    // A short read cannot hold a full request header.
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    // The header must not claim more bytes than were actually read.
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        // These replies carry no payload: the init template is reused and
        // its length is cut down to a bare header.
        // NOTE(review): this overwrites init->len in the caller's template,
        // so a later FUSE_INIT reply is sent with the shortened length too.
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        // No reply is sent for these two opcodes.
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    default:
        // Opcodes without a template (e.g. FUSE_READLINK, FUSE_INTERRUPT)
        // are rejected.
        return -1;
    }
    return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used in the hwsim frame message built below.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length accepted by syz_80211_inject_frame.
#define WIFI_MAX_INJECT_LEN 2048

// Sends a HWSIM_CMD_REGISTER generic-netlink message on `sock` for the given
// family id and returns netlink_send()'s result.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err = netlink_send(nlmsg, sock);
    // Empty branch: the error is only propagated through the return value.
    if (err < 0) {
    }
    return err;
}

// Builds and sends a HWSIM_CMD_FRAME message carrying `len` bytes of `data`
// addressed to `mac_addr` (ETH_ALEN bytes), with the default rx rate and
// signal. `len` is not validated here; the visible caller bounds it.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
    struct genlmsghdr genlhdr;
    uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
    uint32_t signal = WIFI_DEFAULT_SIGNAL;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_FRAME;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
    netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
    netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
    netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
    int err = netlink_send(nlmsg, sock);
    // Empty branch: the error is only propagated through the return value.
    if (err < 0) {
    }
    return err;
}

// Pseudo-syscall: injects one 802.11 frame through mac80211_hwsim.
//   a0: receiver MAC address, a1: frame bytes, a2: frame length
// Returns 0 on success, -1 on a bad length or any socket/netlink failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
    uint8_t* mac_addr = (uint8_t*)a0;
    uint8_t* buf = (uint8_t*)a1;
    int buf_len = (int)a2;
    struct nlmsg tmp_msg;
    // Length is bounded before it reaches netlink_attr().
    if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    // NOTE(review): the family id is used without being checked. The helper
    // is defined outside this view -- confirm it cannot return a negative
    // id when called with `true` as its last argument.
    int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true);
    int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

#define WIFI_MAX_SSID_LEN 32
// Accepted values of the `mode` argument of syz_80211_join_ibss.
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Pseudo-syscall: puts a wireless interface into an IBSS network.
//   a0: interface name, a1: SSID bytes, a2: SSID length (0..32),
//   a3: one of the WIFI_JOIN_IBSS_* modes
// Returns 0 on success, -1 on invalid arguments or any failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* interface = (char*)a0;
    uint8_t* ssid = (uint8_t*)a1;
    int ssid_len = (int)a2;
    int mode = (int)a3;
    struct nlmsg tmp_msg;
    uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
    if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
        return -1;
    }
    if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    // NOTE(review): as in syz_80211_inject_frame, the family id is not
    // checked before use -- confirm against the helper's definition.
    int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true);
    struct join_ibss_props ibss_props = {
        .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
        // The frequency is fixed in both *_NO_SCAN modes.
        .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
        .mac = bssid,
        .ssid = ssid,
        .ssid_len = ssid_len};
    int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    // Only the NO_SCAN mode waits for the interface to report IF_OPER_UP.
    if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
        ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP);
        if (ret < 0) {
            return -1;
        }
    }
    return 0;
}

// Pseudo-syscall: calls `text` as a function taking and returning nothing.
// The address comes from the test program, so this transfers control to
// whatever bytes are mapped there; nothing about the target is validated.
// A binary containing this helper runs arbitrary machine code by design and
// belongs only on an isolated, disposable test machine.
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

// State of one worker thread: `call` is the index to execute, `ready` is
// signalled to start it and `done` is signalled when it has finished.
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently being executed by worker threads.
static int running;

// Worker thread body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`. The loop never exits.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

// Runs the 53 calls of the program in order, each on the first idle worker
// thread (threads are created lazily). The harness waits a bounded time for
// each call and then moves on even if the call has not finished.
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 53; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                // A new thread starts out idle.
                event_set(&th->done);
                thread_start(thr, th);
            }
            // Skip workers still busy with an earlier call.
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            // Base timeout of 50 plus a per-call extra for selected calls.
            // Presumably milliseconds; event_timedwait is defined outside
            // this view -- TODO confirm.
            event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 300 : 0));
            break;
        }
    }
    // Give calls still in flight up to 100 more sleep_ms(1) periods.
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main harness loop; never returns. Each iteration creates a fresh working
// directory "./<iter>", resets the loop device, forks a child that runs the
// program once inside that directory, and waits for it. A child that has not
// exited after 5000 ms is handed to kill_and_wait(). The directory is
// removed afterwards.
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            // Non-blocking poll so the timeout below can be enforced.
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

// Fallback syscall numbers for when the system headers do not define them.
// NOTE(review): presumably the 32-bit x86 numbering, matching the linux/386
// target named in the test log -- confirm.
#ifndef __NR_clock_gettime
#define __NR_clock_gettime 265
#endif
#ifndef __NR_getegid
#define __NR_getegid 50
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_lstat
#define __NR_lstat 107
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
#ifndef __NR_recvmmsg
#define __NR_recvmmsg 337
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_signalfd4
#define __NR_signalfd4 327
#endif
#ifndef __NR_statx
#define __NR_statx 383
#endif
// Every later use of __NR_mmap is redirected to __NR_mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Values produced by earlier calls and consumed by later ones, indexed by
// the rN numbers of the program; these are the initial values used when the
// producing call has not succeeded.
uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: 
*(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; 
*(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; 
*(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; 
STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; 
*(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; 
memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: 
memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 
= 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, "\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6
\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5
\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x94\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b
\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xcd\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa
\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xbb\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56
\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1
\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1
\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x68\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43
\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x98\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; 
break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; *(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: 
memcpy((void*)0x20001680, "\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\
x7a\x55\x83\xcf\x17\x96\x90\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\
xf2\x63\x67\x7d\x31\xec\x37\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\
x31\xba\x35\x22\x2f\x80\x5d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\
x9c\x95\x7e\x53\xc6\x96\x73\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\
x9e\xa8\xe0\x46\x61\xb9\xf6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\
x41\xe1\x31\x5d\x0f\x14\x48\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\
x7f\xee\x5b\x22\x11\x6d\x9d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\
x64\x40\x2b\x0b\xc2\x0d\x43\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\
x75\xf9\x25\xf0\xbe\x14\x11\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\
xe7\xa9\xd6\x2f\xfe\xd4\x2c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\
x1f\xb6\x54\xb9\x57\xfc\xa3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\
xac\xef\x60\x23\x41\x86\xf4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\
x25\x92\xad\x2e\xbc\x2b\xa3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\
x77\xa9\x7e\xc6\x41\xa5\x3a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\
x77\x27\x7f\x6c\xcf\x39\x80\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\
xd8\xd5\x4a\x8d\xb0\xc0\xc4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; 
*(uint32_t*)0x20003800 = 0x28; *(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 
0x90; *(uint32_t*)0x20003e84 = 0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; 
*(uint64_t*)0x20004478 = 2; *(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 
0xfffffffc; *(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55);
    // The result slot r[24] is overwritten only when the call does not return -1.
    res = -1;
    res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280);
    if (res != -1)
      r[24] = res;
    break;
  case 47:
    // Passes the value stored in r[24] by case 46. The helper is defined
    // outside this excerpt, so the meaning of the other arguments is not
    // visible here.
    syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300);
    break;
  case 48:
    // Stages 245 bytes at 0x200083c0 and passes the same address with length
    // 0xf5 (245) to the helper. r[22] is the slot assigned in case 42.
    memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245);
    syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0);
    break;
  case 49:
    syz_usbip_server_init(1);
    break;
  } // end of the switch over call numbers
} // end of the enclosing function; its header is above this excerpt

// Entry point of the generated program: sets up the fixed-address memory
// region that the call cases above write into, runs two setup helpers, then
// hands control to loop().
// NOTE(review): the fixed-address read/write/exec mapping and the raw pointer
// stores are conventions of this fuzzer-generated harness, not a pattern for
// hand-written code. None of the mmap return values is checked, so a failed
// mapping would show up later as a fault on the first store into the region.
int main(void)
{
  // flags 0x32 = MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on Linux; fd -1, offset 0.
  // prot 0: one inaccessible page directly below the data region.
  syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
  // prot 7 = read | write | exec: 16 MiB at 0x20000000. The 0x2000.... stores
  // and memcpy destinations in the call cases fall inside this range.
  syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
  // prot 0: one inaccessible page directly above the data region
  // (0x20000000 + 0x1000000 = 0x21000000).
  syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
  // The helpers below are defined outside this excerpt. Presumably they
  // correspond to the fail_nth annotation and UseTmpDir:true in the logged
  // opts; confirm against the full listing.
  setup_fault();
  use_temporary_dir();
  loop();
  return 0;
}
// End of the generated C listing; the text that follows is compiler output
// captured by the test log, not part of the program.
:122:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function]
:109:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function]
:104:13: error: 'csum_inet_init' defined but not used
[-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor366695396 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/24 (1.57s) csource_test.go:118: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}} program: getsockopt$inet_sctp6_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) (fail_nth: 1) getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000080)={r0, 0x3ff}, &(0x7f00000000c0)=0x8) r2 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpu.stat\x00', 0x0, 0x0) ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000140)) r3 = signalfd4(r2, &(0x7f0000000180)={[0x5, 0x4]}, 0x8, 0x80800) sendmsg$NL80211_CMD_UPDATE_OWE_INFO(r3, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20002011}, 0xc, &(0x7f00000004c0)={&(0x7f0000000200)={0x29c, 0x0, 0x8, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x46, 0x2a, [@erp={0x2a, 0x1, {0x0, 0x1, 0x1}}, @channel_switch={0x25, 0x3, {0x1, 0x95, 0xcb}}, @peer_mgmt={0x75, 0x16, {0x1, 0x401, @void, @val=0x37, @val="02011bf2907bddcbfaf4d0d9d319cb38"}}, @mesh_chsw={0x76, 0x6, {0x7f, 0x3, 0x6, 0x2050}}, @link_id={0x65, 0x12, {@from_mac=@device_b, @broadcast, @device_b}}, @chsw_timing={0x68, 0x4, {0x9, 0x81}}]}, @NL80211_ATTR_IE={0xcc, 0x2a, [@cf={0x4, 0x6, {0x1, 0x1, 0x100, 0x8000}}, @ext_channel_switch={0x3c, 0x4, {0x0, 0x7, 0xac, 0x6}}, 
@supported_rates={0x1, 0x6, [{0x6}, {0xc, 0x1}, {0x3f, 0x1}, {0x9}, {0x16}, {0x24}]}, @prep={0x83, 0x25, @ext={{}, 0xff, 0x3f, @device_a, 0x1f, @broadcast, 0x0, 0x6, @device_b, 0x6}}, @measure_req={0x26, 0x44, {0x4, 0x7, 0x8, "2ef531b7be2dde42fc395f76447c92879c4d9511182ee077cb102d54d8e9bd0376741affce00728e65cefb04cacd7c82880f113d4a79378bfd5c8d752bd251e31b"}}, @ht={0x2d, 0x1a, {0x482, 0x1, 0x1, 0x0, {0x5, 0x3f, 0x0, 0x80, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x5, 0x56}}, @mic={0x8c, 0x10, {0x9b2, "e74338ed57a9", @short="4dbe86f39565408a"}}, @rann={0x7e, 0x15, {{0x1, 0x9}, 0xc0, 0x40, @device_a, 0x7fff, 0x6, 0xff}}]}, @NL80211_ATTR_IE={0x148, 0x2a, [@rann={0x7e, 0x15, {{0x0, 0x2}, 0x0, 0x8, @device_a, 0x1ff, 0x3, 0x3}}, @preq={0x82, 0x30, @not_ext={{}, 0x3, 0xf7, 0x8, @device_a, 0xae, "", 0x71a4, 0x2, 0x2, [{{0x0, 0x0, 0x1}, @device_b}, {{}, @device_b, 0x6}]}}, @mesh_config={0x71, 0x7, {0x1, 0x1, 0x1, 0x0, 0x0, 0xfb, 0x25}}, @ibss={0x6, 0x2, 0x1fc}, @fast_bss_trans={0x37, 0xe6, {0x7, 0x5, "5f3964d8629adf1c06ecdf8987bb845b", "c5d2bb2459d5ba0e8d1de04e57374f6227210ea404eb95465fa1e2e09c7c17d4", "2781c876157d6988a5dc1efde5e5d8d7fdfb3dad871989497060e2d72d3afa38", [{0x3, 0x1, "ce"}, {0x1, 0x25, "d5a7640b4fb5df22e725130f6f006c487342cb847e2cbe0e36b141aa91f7f41d6b13482c1d"}, {0x4, 0x26, "a1d5f67474fa123100046dc2695e3bbda6dee8657f032e087504156eba2f54bf2f31cd5b78d5"}, {0x3, 0x25, "ae36258ad7f04d6a213024ac426fba3da69e74ab662fbb9d28448099946cbbf9b8f921f8e0"}, {0x2, 0x19, "69ad29c66f47f87c5349ab5f16a1e8030e7c0b21db8bc4bee4"}]}}, @peer_mgmt={0x75, 0x4, {0x0, 0x0, @void, @void, @void}}]}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x4b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x43}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x11}]}, 0x29c}, 0x1, 0x0, 0x0, 0x40000}, 0x80) r4 = openat$irnet(0xffffff9c, &(0x7f0000000540), 0x189000, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r4, 0x84, 0x6b, &(0x7f0000000580)=[@in6={0xa, 0x4e20, 0x80000000, 
@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x81}, @in6={0xa, 0x4e24, 0x3, @mcast1}], 0x38) openat2$dir(0xffffff9c, &(0x7f00000005c0)='./file0\x00', &(0x7f0000000600)={0x101000, 0x182, 0x4}, 0x18) setsockopt$inet_sctp_SCTP_DELAYED_SACK(0xffffffffffffffff, 0x84, 0x10, &(0x7f0000000640)=@sack_info={r1, 0x7, 0x20}, 0xc) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@data_frame={@no_qos=@type01={{0x0, 0x2, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, {0x7}, @device_b, @from_mac=@broadcast, @device_b, {0x7, 0x40}}, @a_msdu=[{@device_a, @device_b, 0x89, "a374cb1e56d79e5a647d9f9d7ebb099ca75e920a720ce76551c26bb86842da48ec22636f2ee20001359b8e2fb376ba32d07425dd1b9b9b4ff7a3539a5eeb99a447a58fec224cacb7d6e5f0cc9099904c92fd37746afc1cbd2b8b102a3fe4af78d5fa729590f1e5035f470a44321e924787a4666e21a4ca5cbd1256c170217cd6967ad7236d2f702e24"}, {@broadcast, @device_a, 0x1000, ""}]}, 0x10c0) syz_80211_join_ibss(&(0x7f0000001100)='wlan1\x00', &(0x7f0000001140)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000001180)='bpf_lsm_socket_recvmsg\x00') syz_emit_ethernet(0x35b, &(0x7f00000011c0)={@multicast, @multicast, @void, {@mpls_uc={0x8847, {[{0x2}], @ipv4=@gre={{0x11, 0x4, 0x1, 0x7, 0x349, 0x68, 0x0, 0x6, 0x2f, 0x0, @remote, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@lsrr={0x83, 0x1b, 0x6e, [@local, @broadcast, @loopback, @multicast1, @initdev={0xac, 0x1e, 0x0, 0x0}, @dev={0xac, 0x14, 0x14, 0xc}]}, @end, @lsrr={0x83, 0x13, 0xb4, [@multicast1, @private=0xa010100, @remote, @multicast1]}]}}, {{0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x880b, 0xf7, 0x2, [0x0, 0x1f], 
"c2150837371931ae3bab975586d95914c9773f748be9a8a3a19fe297783946f87cf48cb1483b1b52713f5b2c61255adbc108b86ef5471c54a9338b8573e1f632742ac011cf327a15e84e165e1588ab664b81d2498c54b50574e54aba3cf97bb1ae75911fd5ad4851fa1421715163917c9258d782a401fdfd12f1b51c5fbef8bd854f084ca2db2d46c7ee8b3b429e9c2dd5200572c54b9956e0bce7e10ae21f398f9db9c7e5fe8c67da417265c2e5c4074c97b404e840e0705b4154275e83551ac4328eae261c5d86e08cd40fbdb3a9d5fdcf6ba0ba4549aa7405fafe1367186578ec8cb827c887cc919c3a926daa592a4edb5150bfd380"}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, [0x0, 0x3], "a0437805682464ebade1f7bc908a4fb8fe0d2cbd6c705201920234d09c1819942d4534d78830cc26b67fa8b9bf41331cf464dba472a58870852fa852e628157fd8b5d1d6835454fb3aedae74305ed0c45b79ff50beb7405c"}, {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x86dd, [0xf0, 0x4], "7caa4b32feb81faa052cba4e34663ac59d2ed14a1e13701fdffe0c346ddae941fc7a2623c24d7a0b85a042492bf692148b57ddaf3b577a52fca2c4c68131f7bd98fa18e48551c8eecb9d3be00868430c3a25bc3569876946d43e6eb2b903b359a813c4ba89e6d970d3d4523fd219f45ff44df25838"}, {0x8, 0x88be, 0x2, {{0x8, 0x1, 0x9, 0x3, 0x0, 0x3, 0x3, 0x4}, 0x1, {0x4}}}, {0x8, 0x22eb, 0x3, {{0x5, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x81}, 0x2, {0x1ff, 0x6, 0x0, 0x7, 0x0, 0x1, 0x2, 0x1, 0x1}}}, {0x8, 0x6558, 0x3, "35b802485048e00654ea02f811d2f99e610c98af70faf08b416472e3e0bbd45e35631db45124b3b77db1699442696b52c13ae2bf33fb3973a1d570c20b2a5b4d8b9a260bb385dcba6f2ccdaf52d5a0a4c2c39422acd9f8b911a20ba0d03a6e796927d057cf487cc459623fa76fb89989080999bf9b3ab3f6e3f319849238b9d2dea6ac5b66c4b632b76084b3fbfee0fc6215f5b274246d30cd41e07638413a2d65b80fde92db56faa4160868cd0b008bfcf18d9c54be76cf39248d298318581d7a8be2fe09849d5cfd2cd105c8dd8c0fd7c5f27bed33374f70e3173b413dd37ecff631f2f44c6640a43a358b6eff14540f"}}}}}}}, &(0x7f0000001540)={0x1, 0x2, [0xfbe, 0xc0a, 0x501, 0x489]}) syz_emit_vhci(&(0x7f0000001580)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x32}, @l2cap_cid_signaling={{0x2e}, [@l2cap_create_chan_rsp={{0xd, 0x3, 0x8}, {0x6, 0x1, 0x31, 0x7}}, @l2cap_conn_req={{0x2, 0x5, 0x4}, 
{0x3fc, 0x6}}, @l2cap_info_rsp={{0xb, 0x1f, 0x4}, {0xb476, 0x1d}}, @l2cap_info_req={{0xa, 0xfc, 0x2}, {0x1}}, @l2cap_cmd_rej_unk={{0x1, 0x4, 0x2}}, @l2cap_info_req={{0xa, 0x8, 0x2}, {0x9e}}]}}, 0x37) syz_execute_func(&(0x7f00000015c0)="660f72d501df5fd6c4c1f96f9f52e40000dff2da36660f3a62c08cc4c11d583ce8660f3a0a450df0c4e121752360") syz_extract_tcp_res(&(0x7f0000001600), 0x1e21, 0x1) r5 = openat$cuse(0xffffff9c, &(0x7f0000001640), 0x2, 0x0) ioctl$NS_GET_OWNER_UID(0xffffffffffffffff, 0xb704, &(0x7f0000003980)=0x0) clock_gettime(0x0, &(0x7f0000003e00)={0x0, 0x0}) recvmmsg$unix(0xffffffffffffffff, &(0x7f0000003dc0)=[{{&(0x7f0000003a40)=@abs, 0x6e, &(0x7f0000003d40)=[{&(0x7f0000003ac0)=""/37, 0x25}, {&(0x7f0000003b00)=""/107, 0x6b}, {&(0x7f0000003b80)=""/47, 0x2f}, {&(0x7f0000003bc0)=""/162, 0xa2}, {&(0x7f0000003c80)=""/189, 0xbd}], 0x5, &(0x7f0000003d80)=[@cred={{0x18}}, @cred={{0x18, 0x1, 0x2, {0x0, 0x0, 0x0}}}], 0x30}}], 0x1, 0x10202, &(0x7f0000003e40)={r7, r8+10000000}) lstat(&(0x7f0000004040)='./file0\x00', &(0x7f0000004080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000004100)={{{@in6=@initdev, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in6=@mcast1}}, &(0x7f0000004200)=0xe4) statx(0xffffffffffffff9c, &(0x7f0000004240)='./file0\x00', 0x4000, 0x400, &(0x7f0000004280)={0x0, 0x0, 0x0, 0x0, 0x0}) lstat(&(0x7f0000004380)='./file0\x00', &(0x7f00000043c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000004980)={{{@in6=@dev, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@private2}}, &(0x7f0000004a80)=0xe4) r15 = getegid() syz_fuse_handle_req(r5, &(0x7f0000001680)="", 0x2000, &(0x7f0000004bc0)={&(0x7f0000003680)={0x50, 0x0, 0x0, {0x7, 0x22, 0x6, 0x60, 0x5, 0x48, 0x80000001, 0x7}}, &(0x7f0000003700)={0x18, 0x0, 0xfffe, {0x200}}, &(0x7f0000003740)={0x18, 0x0, 0x4, {0x8000}}, 
&(0x7f0000003780)={0x18, 0x0, 0x0, {0x8}}, &(0x7f00000037c0)={0x18, 0x0, 0x80000001, {0x5}}, &(0x7f0000003800)={0x28, 0x0, 0x0, {{0x19, 0x200, 0x3, 0xffffffffffffffff}}}, &(0x7f0000003840)={0x60, 0xfffffffffffffffe, 0xfffffffffffffffe, {{0x4, 0x80000001, 0x1, 0x52b8, 0x7, 0x0, 0xfffffffa, 0x1ff}}}, &(0x7f00000038c0)={0x18, 0xffffffffffffffda, 0x1f, {0x9}}, &(0x7f0000003900)={0x11, 0xfffffffffffffffe, 0x4588, {'\x00'}}, &(0x7f0000003940)={0x20, 0x0, 0x100000000, {0x0, 0x18}}, &(0x7f00000039c0)={0x78, 0x0, 0x7, {0x4, 0x6, 0x0, {0x0, 0x7, 0x8, 0x10001, 0x1, 0x509, 0x80, 0x3, 0x1, 0xc000, 0x5, r6, 0xee00, 0x7, 0x9}}}, &(0x7f0000003e80)={0x90, 0x0, 0x8, {0x6, 0x3, 0xcd0, 0x7fffffff, 0x5, 0x1, {0x5, 0x5, 0xf34, 0x86, 0x6, 0x2, 0xab8c, 0x0, 0x5, 0x8000, 0x9, 0xee00, r9, 0x1000, 0x1000}}}, &(0x7f0000003f40)={0xd0, 0x0, 0xffffffffffffffbc, [{0x0, 0x2, 0x6, 0x3, '\x02\x02\x02\x02\x02\x02'}, {0x0, 0x0, 0x0, 0x9}, {0x2, 0x100000001, 0x17, 0xffff, 'bpf_lsm_socket_recvmsg\x00'}, {0x0, 0x401, 0xf, 0xfffffff9, '&,$:+)\xef&\\)/$$[}'}, {0x6, 0x1, 0x17, 0x1f, 'bpf_lsm_socket_recvmsg\x00'}]}, &(0x7f0000004440)={0x508, 0x0, 0x2, [{{0x4, 0x1, 0x5, 0x80000000, 0x3, 0xffffffec, {0x2, 0x3, 0x20, 0x100000001, 0x80, 0xffffffffffffffe1, 0x9e41, 0x1f, 0xf0f6, 0xc000, 0x401, 0xee01, 0xee00, 0x400000, 0x800}}, {0x3, 0x7, 0x6, 0xfffffffe, '\xbb\xbb\xbb\xbb\xbb\xbb'}}, {{0x1, 0x2, 0x10001, 0x0, 0x5, 0x0, {0x3, 0x8000, 0x9, 0x80000001, 0x100, 0x5, 0xf06, 0x932b, 0x2, 0x1000, 0x5, 0xee01, 0xffffffffffffffff, 0x5, 0x1}}, {0x5, 0x9, 0x2, 0x2, '*)'}}, {{0x1, 0x0, 0xcc3, 0x4, 0x101, 0x3, {0x2, 0x1, 0x1, 0x113, 0x1, 0x3, 0xd36, 0x8c12, 0xfffffffc, 0x1000, 0xfffffffc, 0xee01, r10, 0x9, 0xacd}}, {0x3, 0x97, 0x6, 0x9, 'wlan1\x00'}}, {{0x1, 0x2, 0x8, 0x8000, 0x9, 0x0, {0x1, 0x200, 0xff, 0x100000001, 0x30000, 0x9, 0x3, 0x6, 0x7f, 0x8000, 0x101, r11, 0xee00, 0x10000, 0x9}}, {0x3, 0x0, 0x2, 0x401, 'b@'}}, {{0x4, 0x1, 0x0, 0x5, 0x4, 0x101, {0x1, 0x5, 0x1, 0x10000, 0x7, 0x8, 0x5, 0x5, 0x4010000, 0x8000, 
0x4d800000, 0x0, 0xee01, 0x6, 0x7}}, {0x2, 0x61}}, {{0x7, 0x0, 0x5, 0x5, 0x0, 0x3ff, {0x0, 0xfffffffffffffff7, 0x1, 0x80, 0x100000001, 0x401, 0xd49d, 0x80, 0x1, 0x6000, 0x8b, r12, 0xee01, 0x8001}}, {0x6, 0x200, 0x1, 0xfffffff8, ')'}}, {{0x0, 0x3, 0x8, 0x81, 0x6, 0x5, {0x1, 0x8, 0x7, 0x5, 0x8, 0x1, 0x5, 0x90c555ad, 0x0, 0xc000, 0x800, 0xee00, 0xee01, 0xf98d, 0x20}}, {0x4, 0x4, 0x5, 0x1, '\\U\xc2-^'}}, {{0x1, 0x0, 0x2, 0x6, 0x0, 0xb5e, {0x4, 0x12, 0xe87, 0x7, 0x1, 0xfffffffffffffffe, 0xfffffffd, 0x7, 0x401, 0xa000, 0x8ee, r13, 0x0, 0x8236, 0x3c89862b}}, {0x4, 0xfffffffffffffbf7, 0x6, 0x4, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004ac0)={0xa0, 0xffffffffffffffda, 0x2, {{0x1, 0x3, 0xff, 0x401, 0x9, 0x1000, {0x1, 0xfff, 0x733, 0x0, 0x7, 0x7fff, 0x4, 0x1f, 0x1f, 0x0, 0x1, r14, r15, 0x9eb, 0x1}}, {0x0, 0x1c}}}, &(0x7f0000004b80)={0x20, 0xfffffffffffffffe, 0xa87, {0x1ff, 0x0, 0x10001, 0x4}}}) r16 = openat$autofs(0xffffff9c, &(0x7f0000004c40), 0x0, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000004c00), r16) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r17 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x300000a, 0x10, r16, 0x0) r18 = syz_io_uring_complete(r17) syz_io_uring_setup(0x3a9b, &(0x7f0000004c80)={0x0, 0xcaa6, 0x4, 0x3, 0x276, 0x0, r18}, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000ffe000/0x1000)=nil, &(0x7f0000004d00)=0x0, &(0x7f0000004d40)) syz_io_uring_submit(r19, 0x0, &(0x7f0000005080)=@IORING_OP_WRITEV={0x2, 0x5, 0x0, @fd_index=0x7, 0x0, &(0x7f0000005040)=[{&(0x7f0000004d80)="8f8c61ba2d93006aadbd12a3a08f146f7dadf6fcaf91370d8cdbb10473cfc4737fc2920f761e5f9f43ac7c94ff2d84a3f6", 0x31}, {&(0x7f0000004dc0)="e79e609caf0b113f2e3a9b6ed9a5197bd4c9ef3abee6ff372b0677f980ef46165c071ec9a7e4b8e118c95c2b5f733b29c50f1e5df4f1837e9a2962cd241c43d7a605878749919d2d932d22010e4c8c29ce6028dc71e23c5ec2b4f3bb38b2e7c3beaf83c887a45f16ea87842b7002c7513397835d375589d64e9c8d0daa7c709974ddc935145190bac6e8d31238d5ad70377e03b1111546f8a83a2d7e3fc550408a227e6ab558331de5", 
0xa9}, {&(0x7f0000004e80)="1fe1d0a7ea42ed60eb8379f55fba5f108da4233288e8a8bbacc0", 0x1a}, {&(0x7f0000004ec0)="1d5a7e020f94e9eee2415cca5eb6045cc9f817f1d3275ba949677ee2ca2357b74e67c6d4ddfbe8e8c0c6fdcd2352dd301ff30f0ebc2b58f2c69c3f8032ff0d4a2d2d400c3d07914d835b6218c2eb25724b426a888b2822d4945b35f2d1459d915e2b2d66541af52bdbbe1ad517515e01b8290e654443a67bec3d0b03fc10b90b49c3d33593e063bd0df72494b22bfc391f6b296a68735eeaac4fb550be4beeabb74d7ca77139248cf8003e4fa63954c2e5c68e48b1f59b3162a9a3b020771f7c1aff6d7de57b40fcb59002f2709ed2e12d50a3edadc2c55de6634c8e91dd8cd28faf3b52", 0xe4}, {&(0x7f0000004fc0)="3dc50079393684ee15456233e2e4b47d0d7616a6fbb08055931c400e66d6ee8307c988db68c3a56873e4c94c210cee63aa53ee80947c5644cffd0ee809b4554ef3d3d5d4b6268040d66cba34c7b8645abfe3696e041fe13f", 0x58}], 0x5, 0x1}, 0x100) r20 = openat$selinux_policy(0xffffff9c, &(0x7f00000050c0), 0x0, 0x0) r21 = openat$dlm_monitor(0xffffff9c, &(0x7f0000005100), 0x0, 0x0) syz_kvm_setup_cpu$arm64(r20, r21, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000005180)=[{0x0, &(0x7f0000005140)="45cf83e34827dae70d9c50f676f523b0ce6bee88952baac1a7220887521e1e10250184dabaaa4fbf9e94349f1148dee8238a", 0x32}], 0x1, 0x0, &(0x7f00000051c0)=[@featur2], 0x1) syz_memcpy_off$IO_URING_METADATA_FLAGS(r17, 0x114, &(0x7f0000005200)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000005240), &(0x7f0000005280)='./file0\x00', 0x5, 0xa, &(0x7f0000005980)=[{&(0x7f00000052c0), 0x0, 0x4}, {&(0x7f0000005300)="8586cff12029eb8ad76f6261d1fe9c2df97d6b5047f70221ce7c26e1ad050096db75ff7ffd7b4dad59f5e070723e8a2cea446602ed86da15975f4f9dad4355f17d1441f9c1d9721e8bc269c91b43934bb3823eba880de01b586e0d592fc978084812a5dd940d6ea61e46ee9f1d53e0d3155c2c34946ca286d646398a4d60b56e48644ce421d53a65fc504680601a0cb3b78cdc3d14d0f9f754d88a4c5d80c2681aca64a4793f17d0f8a5b8dc820fdadee2ee87d42050172286e4b371eac497bf7467890a472d766a442a56a6e75bc39ba4edab5a0cb11eb66a247a2f3ca7d18cbe8bd7516b2d99c763d8c23d753c13937ab99b578e42f359275e86", 0xfb, 0x5}, 
{&(0x7f0000005400)="0f553c28b9842c44674abe34856e72a402eaf08ea7d106186b17f1d3f00dcbcb5f98a1eae4b0e494da0d44fa94917367478f2e39ce8435b132a570ec78c1b1d859ab652168bec9156cc5b4543f0571d2a75d3ad03f490c0fc93251f6ab57f01cf62283d42eec0abb186148b05ef55f8de1a2eb7c1622fc6d3ac274f10a0754563398efc9335aea31061cf4bb64d44f87c615c99b3eca46ddc2ce68eb2b780c54bb6a1a20947e16cbc6f7fa0712d0b12e665a214c3502154e5b8dda8b01df53c81b2da2c92b7573506b175a34ba1dda39954f36f0ff6ebefeee31326813422cb4d53b47c6fe65f3332698d9e3d776", 0xee, 0xfff}, {&(0x7f0000005500)="abff9c2482d96489f0afbe085daee1e2bd8a3000af21e5b4aa0d2e6662293d5fe6eeb60a5cc8b90e84ede0d21318688e285def54cb6780abfdcb64c700da5e8775bb60d0192a5f8113a70ddb1627087f7bb8f232f80a120e214ef31c385711f4b12afd9a024fc48c41c3c887255a17b86f709a30ee23a5d55c6c3e1986f6fd69309dc6664846396a5f0cde1e382a7018dcdeac00ff1ef54bbb58201fc9dfcbba39cfb45f49ace1e9908188", 0xab, 0x80000001}, {&(0x7f00000055c0)="fb36dffb4a0e4377fa3bedec2325f5c073", 0x11, 0x1}, {&(0x7f0000005600)="8ff2544804ed79e1bb5f173b80fdb09a444f02bbacdab87710a30382271db7257055fbbe057f4e4b3e1bcbcf08f1ea0b41be533d7d7f84199c4cf241e2bc3cebf680f5c2648882abfe61bb5211c4cf0f1f8035c6962e74f5976e954c3db5545bdccc6e67b68dd612", 0x68, 0x7f}, {&(0x7f0000005680)="ca838d09579a972657260b824f369161c83d3649b2309de4aca5191c6a3550ce704f6606bac0f1102563011d768b1cd5bd83565bfbe9311f71c2698f2bb4572ef6602f2487626e21fcef7034f50e28fd36db92433de1c0fbd9baa0b2ef3b17ecbd5f214a814f9979c0cfcea566bd418788a9e026ff83089e4e1eb491eebb582e84c6d956e1f8d4bd5327fcf26d9218a6e745a904846da61e6970e7c3f8f6777eb2eec182c6626aebc2b46d6e18ec79ce9f3a34c2c9ce74dce5f38a493ce752633b9cd881d3e73977b728208b730c0aa0bfd41f0374798c2b6cfd20a83dde8821f896431df1620eacddb4846d3f67983b95", 0xf1, 0x2}, 
{&(0x7f0000005780)="b549cfe18deb455b4a8b6d56e7c03f251024217cf427c09056bdb6b4a1317e6f9cd53ece2f2ee68e7d73e936e6d7b376483595c8db7292ffb0520cf037ba7012f5d90d0e4bdced46131d6a44120546fad87f475670fec86f9784888d14dc2ed6a1a7ed3c98bd0e035cbd504da40efbeb5a5bcd48c0ca513ff53ddada3cb447a48bcef01d9883f699997c5a0b2499865862db5f785a75e1b3463d354af112e7f8622883683086190fa4507646cbeab5ed", 0xb0, 0x1}, {&(0x7f0000005840)="a2eecacaa02fc76189e00e6fc58f38b5599959730376281721becf840cd12b230c2dc84b7f5fe5e37057b3732fcfeb", 0x2f, 0x4}, {&(0x7f0000005880)="35ed9c854f542ba3a56e7b75409a3197d31e6ec31934811dd9abe83e50a060ea25994cb33770ed99b25c9b560891eca433fe5bf1e02d136600687ee4933b3538bbceca61deb8fb0a1a2567843fd871b991d514329a465a97eb92123576e83a652c51dfa84117c262a7b8bab47bd3f81b24d33e687f39265002ef92f2248de027ac0285fcad2a3c732a1ed7409307037e41f3a7907477387d1199c18e5c43959b2ec46c078cec67a8b559b31cefd856f456b9f81bcc6a8b2cb1a4d8147562bdac6034e3e8d35d797659844fea3694b3288ce68fa8f986bf2fba03ec0110154befc8402258afb3d583d0bf3d02798073867fc66640726072c82a", 0xf9, 0x1ff}], 0x0, &(0x7f0000005a00)={[{'%'}], [{@seclabel}, {@permit_directio}, {@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@subj_role={'subj_role', 0x3d, '}'}}, {@mask={'mask', 0x3d, '^MAY_APPEND'}}, {@fsname={'fsname', 0x3d, '&%]'}}, {@measure}]}) syz_open_dev$I2C(&(0x7f0000005a80), 0x6, 0x40000) syz_open_procfs(0xffffffffffffffff, &(0x7f0000005ac0)='net/raw6\x00') syz_open_pts(r16, 0x583000) syz_read_part_table(0xb0, 0x3, &(0x7f0000006cc0)=[{&(0x7f0000005b00)="a895c30edc07297723a4aea802034622d1bbb85b4ae3628afc2d4e10934550a9d92f12a51b9f5b3a7b596b59b99b4b2acaedda32b83bdc263c53aa10114a149a4d7a4f0c40b946159b374396fb6cd18734ea5c3a5192786222da89f4213b5d9d027799da36d68bd510f537855ce10d3b8439c2237740ea7541478a81f9f92adceb5100366dccf149cc4c59796959ba5d85a50d0dd72941a0eabbe7a9dd9fe50850113f5e2d055e1bbcd667daf7363e027d7c66678dad2add62b5", 0xba, 0x4}, 
{&(0x7f0000005bc0)="f229f58b9fef91f7178523f041a4967589924680bf4dc34a52d8f7f8436083aee94ab74f0369f7403a8c26b72fd44b488fe59c616c8a1cae299c490eb15f98f8f49df33502ccfd38265f6d186578a71b92ba5c5b903f9a64bc560a43590bd70f76efb7b63bc3909e632db68f77d98bdf12ebe1707d7d1436857490c13ddb239c837faf46ead62381d43f3d2346c1fcd5b2a7a1ebe9fa5dd7fddefc50b0e7a57f500e2f79ba11b18972dc78871460eb7e2a249b603283b5128320555c9d74143e027bb5ca08b462aebf58244387556d718680c4a37459dd", 0xd7, 0x3ff}, {&(0x7f0000005cc0)="", 0x1000, 0x34}]) syz_usb_connect(0x5, 0x72e, &(0x7f0000006d00)={{0x12, 0x1, 0x201, 0x10, 0x2a, 0xdc, 0xff, 0x781, 0x5, 0x5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x71c, 0x3, 0x9, 0x3, 0x50, 0xff, [{{0x9, 0x4, 0x34, 0x9, 0xc, 0x2d, 0xe7, 0xd6, 0xc4, [@cdc_ecm={{0xa, 0x24, 0x6, 0x0, 0x0, "9e3dd83f5e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x40, 0x5, 0x101, 0x5}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1000, 0x2, 0x8}, @dmm={0x7, 0x24, 0x14, 0x8671}, @mbim={0xc, 0x24, 0x1b, 0xfffd, 0x9, 0x0, 0x5, 0x100, 0x5f}, @obex={0x5, 0x24, 0x15, 0x40}, @network_terminal={0x7, 0x24, 0xa, 0x0, 0x1, 0x4, 0x1}, @dmm={0x7, 0x24, 0x14, 0xff81, 0x9c6f}]}], [{{0x9, 0x5, 0x80, 0x14, 0x10, 0x15, 0x1f, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x80}]}}, {{0x9, 0x5, 0x8b, 0x0, 0x7ff, 0xed, 0x1, 0x2}}, {{0x9, 0x5, 0x8, 0x4, 0x200, 0x81, 0x6, 0x2, [@generic={0xeb, 0x1, "8c3f63086154141f739f2870d3a81884905e8c3ff7eb6425085204077b4102c3d81bfdf4b262fa95b268561228b747fca91f5fdeb592b379d66a5f1d2d1d735fd02b3b2402d0340fcc8ac6c544720cb596008a93b0202cb8f9558344cb200e0b4b52aad1e70d9c0049ff2a6b546e3502bc881f3eb655aa817a2a3fd95ad1bea68ab048c1a43ed3458b674c27df090568c371a9e00cbc2b597a730a1864447583e30b8b9d2774d884575311843a18bfe0052b404714c722766342b226c4fe8e87ee448250c3b3668ab50745e0fbb6e969e6b49b9b8528ce81dfaa24e1438072d07d6e92602a390535f6"}]}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x1, 0x5, 0x20}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xbc, 0x0, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x5, 0x9}, @generic={0xd4, 0x22, 
"70c23955e1d16cdef416bcb138108967f0e9ac2c096fe9362b99ec6c198d2f0f0446ce29332844fd546d2323e7f9d7b2713c1f92b90b4481bf8d4ea34ea8321b585db5f3cc6f63fc9ee543e86c15769e08a212c2ffb0237defb1a28228e999fabf3733a27b828703faaac053d44fe7a66d7a278e31f15d65edb349b157a799d922f0c970f98b35b75650793123e05752d74ddb89f0fcc0479822a0f833f4343a70548b3b4c80574be7cfdd59db69ce1efc24ca44ee316609f58ca5a30dee0b59e1668f248c196ae1c022a19995595430fea4"}]}}, {{0x9, 0x5, 0x87, 0x3, 0x8, 0x80, 0x7, 0x6, [@generic={0x56, 0x4, "f78a356675cffa2de94539194afab8603fe5e412021ba937df8f496ce2c0543148f09b19ebbc05091fcc32e0bdde441d7ccaa5cc26fb696bd67b3830bf3e5730fb3fe5ee89156bd1d2fa101e6c39068af8c2ae87"}]}}, {{0x9, 0x5, 0x89, 0x0, 0x20, 0x20, 0x81, 0x8}}, {{0x9, 0x5, 0xe, 0x3, 0x8, 0x1, 0x20, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x43, 0x234}]}}, {{0x9, 0x5, 0x2, 0x0, 0x3ff, 0x3, 0x5, 0x7, [@generic={0x34, 0x8, "b6a121b46cabce4e361f2104dcf2663e402ee04faa90dd18a918e4642eaa6a716192f8bc32f321ce9eb548904d87d7bdad56"}, @generic={0xac, 0x30, "1a5d30c7d13843b0146943b2e67687f3147019db1ca1a3c7e48d700f655bea7f42692c5a87a6b91d03a6d4905fbb18b76028c902f7cc3f0c056d87d0fbc12f32150222a7dad7023bc45ab25c72aa3ad26e8dfd8d3654640038396aa355f069f7a9e762b85dca0a81a7d7c37d259d0f2a631a6abc4e36fba201dc677fc7b2c28190e91523553cfb1bbf462d9d057c31910ad39c357cd2dd1c3f22c604ad6c923faee4c13db3fe350375cc"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x10, 0x7f, 0x56, 0x83}}, {{0x9, 0x5, 0x1f645c4d20962547, 0x0, 0x3ff, 0xbb, 0x7, 0x3, [@generic={0x6b, 0x30, "6a8065c0ee1fa72bb9fab498b565e856090e0ad4cb9a072e0995264b935bed4910dde6e4a11ff93742383cba0c51a1f1cf695aa394a5f4868363e986260569ba8be82437cc58db1ee88ce5101308938edbd982075462cf0bba05bb0d7ae55092a2862ee6e6430e22f7"}, @generic={0x41, 0x21, "0acd9c7743c7509f5eb898784f8767f385a0e1c7f102c9adcad6d81fb4193e88cb2f6c3936ee2ef3dae61f58322593d9beeafcc0915c86fc3a72f0426c83f3"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x400, 0x20, 0x74, 0x5}}]}}, {{0x9, 0x4, 0x26, 0xab, 0x5, 0x3, 0xf1, 0xcb, 0x9, [], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x5, 0x1, 
0x1}}, {{0x9, 0x5, 0xb, 0x4, 0x20, 0x1, 0x2, 0x4, [@generic={0xda, 0x14, "10f16e3796fbe335b564b29416031e12d26f4d53e237ca3cb1e049170335d631432469cf8e2b207d62283f3b91f4d63154bce35faeb87b51d30b38876c38b31acc347be67793e56a1784eb29a7ddab72e736eecd3b4e98bce7b170ab687e6f31f5e9f3f96e31032d3bf9476eef54f354c6efc00da39a695ec1c095254cb416bdc574d4fb6adbeca99b77508d6c6f791c2cfc29ae3eccea73c13627d93807af1a7d3492520ed1f153327d857537f556294bdddd988bae73226a48c4cab963d3d8c226951b21a7c3138de55b8d0e1f0bcd77663ae8bfe20f44"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x5, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x40, 0x2c, 0xd4, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0xa, 0x2, 0x400, 0xd0, 0x1, 0x6}}, {{0x9, 0x5, 0xe, 0x8, 0x40, 0x40, 0xff, 0xb0}}]}}, {{0x9, 0x4, 0x6c, 0x8, 0x2, 0x59, 0x51, 0xd5, 0x1, [@cdc_ncm={{0x8, 0x24, 0x6, 0x0, 0x1, "b2bd60"}, {0x5, 0x24, 0x0, 0x5}, {0xd, 0x24, 0xf, 0x1, 0xfffffffd, 0xfff, 0x63, 0xdb}, {0x6, 0x24, 0x1a, 0x8, 0x8}, [@mdlm_detail={0xf7, 0x24, 0x13, 0x19, "189cdea85c892fe736d99d2ae835705ddc3907363c57da1fc0033ab26742022ab0af7516c0545f0fc3ecaa0728229f95fd5d2ebce5c98dbba6222153e2ce70bfead32d5d59146f0dd679852007b13ac9d16d48f9484d6192e79c88079f8cd3bd1a3740f3a8f0fd1d57a10bf41cf8c45a79ab1a969c9a6a83bf31571bce542e8fcfa6761ebfa924e1eb05d3af5b3644c3040280ca59737d89c0caa8bd9d56c92178b82b2078e43975f15e6f0b6fa1d0cd819521154d236aa6a85e50f3f0531f6192e5c4ba8a2d506f744780747cbb9ee6723298b72b713b52be54835fcc04906c658ce61f16f95a6c437988df239c430ff47db7"}]}, @cdc_ecm={{0x6, 0x24, 0x6, 0x0, 0x0, "a3"}, {0x5, 0x24, 0x0, 0xf85b}, {0xd, 0x24, 0xf, 0x1, 0x0, 0x7, 0x2, 0x40}}], [{{0x9, 0x5, 0xf, 0x4, 0x0, 0x81, 0xe8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x51, 0xbf81}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0xb, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x10, 0x7f, 0x0, 0x80, [@generic={0x28, 0xa, "61df67a624859052df593a2258bc970fe4304a8f899ac040d9fc350ed5e63660a76a96aea7a3"}]}}]}}]}}]}}, &(0x7f00000076c0)={0xa, &(0x7f0000007440)={0xa, 0x6, 0x300, 0x8, 0x1, 0x9, 0x8, 0x81}, 0x133, 
&(0x7f0000007480)={0x5, 0xf, 0x133, 0x6, [@wireless={0xb, 0x10, 0x1, 0x2, 0x74, 0xff, 0xff, 0x0, 0x7}, @wireless={0xb, 0x10, 0x1, 0x8, 0x43, 0x4, 0x3, 0x6, 0x21}, @ext_cap={0x7, 0x10, 0x2, 0xa, 0x5, 0x6, 0x3b4d}, @wireless={0xb, 0x10, 0x1, 0x0, 0x2c, 0x7, 0x2, 0x1, 0x2f}, @ptm_cap={0x3}, @generic={0x103, 0x10, 0x3, "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"}]}, 0x2, [{0x97, &(0x7f00000075c0)=@string={0x97, 0x3, "79533652485908847450e434babd9e7b783925f478b3b35c0a4e6aa0a1e8f78e37f1d5666fe87b28df9b7734fdd141b3c78a19031effd729a36c0cf9fae5c589a1a9886b78f66c7391bd443cc6b3ab5b4acdeb5acf4a0d36359e749df37ccf92c50e845fce93e4c611f0fb559f5b2f8b72bab3b8a91779cd78204d67a183187560eb912c0f9dd27f402f1decdc61444d3702bf05cf"}}, {0x4, &(0x7f0000007680)=@lang_id={0x4, 0x3, 0x4ff}}]}) r22 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007700)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r22, &(0x7f0000007900)={0x18, &(0x7f0000007780)={0x40, 0x22, 0x1f, {0x1f, 0x22, "a7841403afd7ddbdb6ce9dacfb6cdbe29fbe4e58b55fec117de56ed6a5"}}, &(0x7f00000077c0)={0x0, 0x3, 0x5a, @string={0x5a, 0x3, "b51fa75ce1575da79aa41fd155728498bc7e4f85d19d2394314e6381f5e6b0e786c3ff705cb7184487f35094030178bc291a3980fa0b83908b7fe1cb2459daa1308fa2fbda94a98ca7134bc986487bae15766636e0852c7a"}}, &(0x7f0000007840)={0x0, 0xf, 0x1b, {0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0xc, 0x82, 0x0, 0x85, 0x8, 0x1}, @wireless={0xb, 0x10, 0x1, 0xc, 0x48, 0x0, 0x80, 0xfffa, 0x81}]}}, &(0x7f0000007880)={0x20, 0x29, 0xf, {0xf, 0x29, 0x9, 0x2, 0x4, 0x2, "7e461ab4", 'gg]\a'}}, &(0x7f00000078c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x3f, 0x20, 0x40, 0x0, 0xef}}}, &(0x7f0000007dc0)={0x44, &(0x7f0000007940)={0x40, 0xc, 0xb6, 
"df1d8807adaa376ec164fe686f791fc7268a85c468008423c35bf0da6f10ce0b3c7f80e67352d8063e9524fb3d91a1d442b85d351288c60badef7369494efa5012978930b8817bb13fba0f307416861457221322136027a98682f3a5c91806d490c51ef51ce6c9e9c8087e547fc2cfe567bfbf3e65f97c5e79d68706922d2c084ee894eaf12a3c0b2e1ef894dff86d0792fd11f5152f67321b9db36a02b7b0935e7424cbd6b286c55c8cf0f0f4949fd21b22675eb060"}, &(0x7f0000007a00)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000007a40)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000007a80)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000007ac0)={0x20, 0x0, 0x4, {0x160, 0x1}}, &(0x7f0000007b00)={0x40, 0x7, 0x2, 0x3}, &(0x7f0000007b40)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000007b80)={0x40, 0xb, 0x2, "9efe"}, &(0x7f0000007bc0)={0x40, 0xf, 0x2, 0x4}, &(0x7f0000007c00)={0x40, 0x13, 0x6}, &(0x7f0000007c40)={0x40, 0x17, 0x6, @remote}, &(0x7f0000007c80)={0x40, 0x19, 0x2, 'vw'}, &(0x7f0000007cc0)={0x40, 0x1a, 0x2, 0x1}, &(0x7f0000007d00)={0x40, 0x1c, 0x1, 0x6}, &(0x7f0000007d40)={0x40, 0x1e, 0x1, 0x7e}, &(0x7f0000007d80)={0x40, 0x21, 0x1, 0x2}}) r23 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007e40)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_disconnect(r23) r24 = syz_usb_connect$cdc_ncm(0x6, 0x7c, &(0x7f0000007ec0)={{0x12, 0x1, 0x389, 0x2, 0x0, 0x0, 0x70, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6a, 0x2, 0x1, 0xff, 0x90, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, "a6"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9ff, 0x6000, 0x5, 0xb5}, {0x6, 0x24, 0x1a, 0xdd, 0x32}, [@call_mgmt={0x5, 0x24, 0x1, 0x2, 0x95}, @mbim_extended={0x8, 0x24, 0x1c, 0x7, 0x40, 0x1}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x21, 0x2, 0xc4}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0x1, 0x1, 0x4e}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x81, 0x9, 0x48}}}}}}}]}}, &(0x7f0000008280)={0xa, &(0x7f0000007f40)={0xa, 0x6, 0x200, 0x3, 0x40, 0x1, 0x40, 0x68}, 0x72, &(0x7f0000007f80)={0x5, 0xf, 
0x72, 0x6, [@ssp_cap={0x20, 0x10, 0xa, 0x7f, 0x5, 0x4, 0x0, 0x101, [0xf, 0xc000, 0x4100, 0xc000, 0x0]}, @ssp_cap={0x18, 0x10, 0xa, 0x5, 0x3, 0x3f, 0xf, 0x9, [0x3f00, 0xff0030, 0xff0000]}, @ssp_cap={0xc, 0x10, 0xa, 0x9, 0x0, 0x3, 0xf00, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0xfc, "11d5f99068e5068a1e42e2bf000e221f"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x0, 0x2, 0x0, 0x80, 0x1}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x3, 0x3f, 0x8}]}, 0x8, [{0x4, &(0x7f0000008000)=@lang_id={0x4, 0x3, 0x2001}}, {0x4, &(0x7f0000008040)=@lang_id={0x4, 0x3, 0x43f}}, {0x2a, &(0x7f0000008080)=@string={0x2a, 0x3, "5e7460eb32a6b96bd2ff9ff3a49620853364cef4b1180034bbee7bdeb3753ec47a7b68436004dfa3"}}, {0x4, &(0x7f00000080c0)=@lang_id={0x4, 0x3, 0x406}}, {0x4, &(0x7f0000008100)=@lang_id={0x4, 0x3, 0x200a}}, {0x83, &(0x7f0000008140)=@string={0x83, 0x3, "98bfbed5f02f0541393b27163c18aba0f8d6c9069ae8ed732f7b8b4fd040726512572b20493498b080e96c7409c1ff222cbfe8fc739a7a6eb701a8125f18af24cdabbfb52cc666cf1204b6bf96514aca5b0475e21dafcaaffcd8d584eca6939d815dc4c974727a2fba78d5044d9e9f08e35c9e2bf470f466accaa1301fac54bcff"}}, {0x4, &(0x7f0000008200)=@lang_id={0x4, 0x3, 0x1627}}, {0x39, &(0x7f0000008240)=@string={0x39, 0x3, "aa56bf4048dd06e2845d2e04df75b391f766463f0954053221ac36e1db6fe509c05b86c776d20ffc6ac3d99349322b400aea394cd6719c"}}]}) syz_usb_ep_read(r24, 0x75, 0xa5, &(0x7f0000008300)=""/165) syz_usb_ep_write(r22, 0x0, 0xf5, &(0x7f00000083c0)="db885599b60aec82ad70cdb2886a2e73e2f0447ddd5deaaa15f56b76ab5804b9f86f60df6b12cbc1e5906d238889da544d9b5652f60bfc34a108dffdffa9ae904614e2bf15ce0c349aea1551b7544b69bd2bde8f82e18d42ba167180b1a6a4d11844312c116ee0b85fca52a11ec9f37acd323eb287c8b3c4ffdbcaaa329df920e0f7dfaaccc17fd5ff16f039c693cdfcdfae81529a02cc973d8e5020093c1b68e88a827e230b28448899b9617552b1dd9b412b34deec9a93fd08823aebf354e238d04dca957a50aa9ab18a30460e2455e3fd164109cd4a857b99d223b21831ca292d1b0cd77fbfe263f7ca57ee3a70a8fdd489cb7f") syz_usbip_server_init(0x1) csource_test.go:119: failed to build program: // 
autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) 
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; } static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if 
(reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); } static void netlink_device_change(struct nlmsg* 
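nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
    /* Builds one RTM_NEWLINK request for the interface called `name` and sends it
     * on `sock`: optionally sets IFF_UP, renames it, attaches it to `master`, and
     * sets a hardware address of `macsize` bytes. */
    struct ifinfomsg hdr;
    memset(&hdr, 0, sizeof(hdr));
    if (up)
        hdr.ifi_flags = hdr.ifi_change = IFF_UP;
    hdr.ifi_index = if_nametoindex(name);
    netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
    if (new_name)
        netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
    if (master) {
        int ifindex = if_nametoindex(master);
        netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
    }
    if (macsize)
        netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
    int err = netlink_send(nlmsg, sock);
    /* The error branch is empty in this listing: a negative reply is ignored. */
    if (err < 0) {
    }
}

/* Scratch netlink message buffer shared by the setup helpers. */
static struct nlmsg nlmsg;

/* Descriptor number handed to setns() by syz_init_net_socket(). */
const int kInitNetNsFd = 239;

#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 }
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 }
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters consumed by nl80211_join_ibss(). */
struct join_ibss_props {
    int wiphy_freq;
    bool wiphy_freq_fixed;
    uint8_t* mac; /* optional; ETH_ALEN bytes are sent when non-NULL */
    uint8_t* ssid;
    int ssid_len;
};

/*
 * Sets (on != 0) or clears (on == 0) IFF_UP on the named interface using
 * SIOCGIFFLAGS/SIOCSIFFLAGS on a temporary AF_INET datagram socket.
 *
 * Returns 0 on success and -1 on any failure, including a name that does not
 * fit in ifr_name.
 */
static int set_interface_state(const char* interface_name, int on)
{
    struct ifreq ifr;

    /* ifr_name is a fixed-size array inside struct ifreq. Refuse a name that
     * does not fit together with its terminator rather than letting an
     * unbounded copy run past the field; truncating instead could silently
     * address a different interface. */
    if (strlen(interface_name) >= sizeof(ifr.ifr_name)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        return -1;
    }
    memset(&ifr, 0, sizeof(ifr));
    /* Length was checked above, and the memset supplies the terminator. */
    memcpy(ifr.ifr_name, interface_name, strlen(interface_name));
    int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    if (on)
        ifr.ifr_flags |= IFF_UP;
    else
        ifr.ifr_flags &= ~IFF_UP;
    ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    return 0;
}

/*
 * Sends NL80211_CMD_SET_INTERFACE for `ifindex` with interface type `iftype`
 * on the generic-netlink family `nl80211_family`.
 */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = NL80211_CMD_SET_INTERFACE;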
netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, 
int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define sys_io_uring_setup 425 static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(sys_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
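sq_ring_sz : cq_ring_sz;
    *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
    uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
    *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
    return fd_io_uring;
}

/*
 * Queues one submission entry on a mapped io_uring.
 *   a0: address of the mapped ring, a1: address of the mapped SQE array,
 *   a2: address of the SQE to copy (SIZEOF_IO_URING_SQE bytes), a3: slot index.
 * The slot index is reduced modulo the ring's entry count when that count is
 * non-zero. The tail is published with a release store. Always returns 0.
 * All addresses and ring fields are used as given, with no validation.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* ring_ptr = (char*)a0;
    char* sqes_ptr = (char*)a1;
    char* sqe = (char*)a2;
    uint32_t sqes_index = (uint32_t)a3;
    uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
    uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
    /* The SQ index array starts after the CQEs, rounded up to 64 bytes. */
    uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
    if (sq_ring_entries)
        sqes_index %= sq_ring_entries;
    char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
    memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
    uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
    uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
    uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
    uint32_t sq_tail_next = *sq_tail_ptr + 1;
    uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
    *(sq_array + sq_tail) = sqes_index;
    __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
    return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/*
 * Creates an AF_UNIX stream socket pair, writes "<port> <client fd> 0 <speed>"
 * to the vhci_hcd attach file, and returns the other end of the pair.
 * a0 is the USB speed; USB_SPEED_SUPER selects the second group of ports.
 * Returns -1 once the ports of the selected group are used up.
 */
static long syz_usbip_server_init(volatile long a0)
{
    static int port_alloc[2];
    int speed = (int)a0;
    bool usb3 = (speed == USB_SPEED_SUPER);
    int socket_pair[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
        exit(1);
    int client_fd = socket_pair[0];
    int server_fd = socket_pair[1];
    int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
    /* Each group has VHCI_HC_PORTS ports numbered from 0. Index VHCI_HC_PORTS
     * itself would already land on the first port of the next group in the
     * port_num formula below, so it must be rejected as well. */
    if (available_port_num >= VHCI_HC_PORTS) {
        /* Nothing will use the pair; do not leave both descriptors open. */
        close(client_fd);
        close(server_fd);
        return -1;
    }
    int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
    char buffer[100];
    snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
    /* write_file() treats its second argument as a printf format, so pass the
     * prepared text as data through "%s". */
    write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
    return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
    __u16 magic;
    __u8 version;
    __u8 flags;
    __u32 hdr_len;
    __u32 type_off;
    __u32 type_len;
    __u32 str_off;
    __u32 str_len;
};

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

struct btf_type {
    __u32 name_off;
    __u32 info;
    union {
        __u32 size;
        __u32 type;
    };
};

struct btf_enum {
    __u32 name_off;
    __s32 val;
};

struct btf_array {
    __u32 type;
    __u32 index_type;
    __u32 nelems;
};

struct btf_member {
    __u32 name_off;
    __u32 type;
    __u32 offset;
};

struct btf_param {
    __u32 name_off;
    __u32 type;
};

struct btf_var {
    __u32 linkage;
};

struct btf_var_secinfo {
    __u32 type;
    __u32 offset;
    __u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
 * buffer on this and every later call.
 *
 * Returns NULL if the file cannot be opened, a read fails, or the data fills
 * the whole VMLINUX_MAX_SUPPORT_SIZE buffer. The descriptor is closed on every
 * path; errno from the failing read is preserved across close().
 */
static char* read_btf_vmlinux()
{
    static bool is_read = false;
    static char buf[VMLINUX_MAX_SUPPORT_SIZE];

    if (is_read)
        return buf;
    int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
    if (fd < 0)
        return NULL;
    unsigned long bytes_read = 0;
    for (;;) {
        ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
        if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
            int err = errno;
            close(fd);
            errno = err;
            return NULL;
        }
        if (ret == 0)
            break;
        bytes_read += ret;
    }
    close(fd);
    is_read = true;
    return buf;
}

/*
 * Looks up the type named by the string at a0 in the BTF image returned by
 * read_btf_vmlinux(); type ids are counted from 1. Returns -1 when the image
 * is unavailable or its magic does not match.
 * NOTE(review): hdr_len, type_off, str_off and name_off are taken from the
 * image and are not compared with the number of bytes read.
 */
static long syz_btf_id_by_name(volatile long a0)
{
    char* target = (char*)a0;
    char* vmlinux = read_btf_vmlinux();
    if (vmlinux == NULL)
        return -1;
    struct btf_header* btf_header = (struct btf_header*)vmlinux;
    if (btf_header->magic != BTF_MAGIC)
        return -1;
    char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
    char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
    unsigned int bytes_parsed = 0;
    long idx = 1;
    while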
(bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool 
parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if 
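(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
            return &usb_devices[i].index;
    }
    return NULL;
}

struct vusb_connect_string_descriptor {
    uint32_t len;
    char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
    uint32_t qual_len;
    char* qual;
    uint32_t bos_len;
    char* bos;
    uint32_t strs_len;
    struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor: length byte, type byte, then 's','y','z' with a zero byte after each. */
static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };

/* Fallback descriptor returned for string index 0. */
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };

/*
 * Picks the reply for an IN control request received while a device is being
 * connected.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success the function
 * stores the reply buffer in *response_data and its size in *response_length
 * and returns true; it returns false when `fd` has no index entry, when the
 * request is not handled, or when a BOS descriptor is requested and `descs`
 * is NULL.
 *
 * `descs` may be NULL: string requests then fall back to the built-in
 * defaults, and a device qualifier is synthesized from the device descriptor.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    uint8_t str_idx;

    if (!index)
        return false;
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_GET_DESCRIPTOR:
            /* The descriptor type is the high byte of wValue. */
            switch (ctrl->wValue >> 8) {
            case USB_DT_DEVICE:
                *response_data = (char*)index->dev;
                *response_length = sizeof(*index->dev);
                return true;
            case USB_DT_CONFIG:
                *response_data = (char*)index->config;
                *response_length = index->config_length;
                return true;
            case USB_DT_STRING:
                str_idx = (uint8_t)ctrl->wValue;
                if (descs && str_idx < descs->strs_len) {
                    *response_data = descs->strs[str_idx].str;
                    *response_length = descs->strs[str_idx].len;
                    return true;
                }
                if (str_idx == 0) {
                    *response_data = (char*)&default_lang_id[0];
                    *response_length = default_lang_id[0];
                    return true;
                }
                *response_data = (char*)&default_string[0];
                *response_length = default_string[0];
                return true;
            case USB_DT_BOS:
                /* The string case above already allows a NULL `descs`;
                 * without this check the same input would be dereferenced
                 * here. */
                if (!descs)
                    return false;
                *response_data = descs->bos;
                *response_length = descs->bos_len;
                return true;
            case USB_DT_DEVICE_QUALIFIER:
                if (!descs || !descs->qual) {
                    /* Build the qualifier in storage that outlives this
                     * call and hand its address back. Writing the fields
                     * through `response_data` itself would overwrite the
                     * caller's pointer variable (and the bytes after it)
                     * and leave the caller with a bogus reply pointer.
                     * Thread-local so concurrent callers do not share it. */
                    static __thread struct usb_qualifier_descriptor qual;
                    qual.bLength = sizeof(qual);
                    qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
                    qual.bcdUSB = index->dev->bcdUSB;
                    qual.bDeviceClass = index->dev->bDeviceClass;
                    qual.bDeviceSubClass = index->dev->bDeviceSubClass;
                    qual.bDeviceProtocol = index->dev->bDeviceProtocol;
                    qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
                    qual.bNumConfigurations = index->dev->bNumConfigurations;
                    qual.bRESERVED = 0;
                    *response_data = (char*)&qual;
                    *response_length = sizeof(qual);
                    return true;
                }
                *response_data = descs->qual;
                *response_length = descs->qual_len;
                return true;
            default:
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }
    return false;
}

/* Handler type for OUT control requests during connect; sets *done to end the connect loop. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Accepts only standard SET_CONFIGURATION, which also marks the connect as done. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k variant: accepts SET_CONFIGURATION and the vendor firmware-download
 * request without finishing, and marks the connect as done only on the vendor
 * download-complete request.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_SET_CONFIGURATION:
            return true;
        default:
            break;
        }
        break;
    case USB_TYPE_VENDOR:
        switch (ctrl->bRequest) {
        case ATH9K_FIRMWARE_DOWNLOAD:
            return true;
        case ATH9K_FIRMWARE_DOWNLOAD_COMP:
            *done = true;
            return true;
        default:
            break;
        }
        break;
    }
    return false;
}

struct vusb_descriptor {
    uint8_t req_type;
    uint8_t desc_type;
    uint32_t len;
    char data[0];
} __attribute__((packed));

struct vusb_descriptors {
    uint32_t len;
    struct vusb_descriptor* generic;
    struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
    uint8_t type;
    uint8_t req;
    uint32_t len;
    char data[0];
} __attribute__((packed));

struct vusb_responses {
    uint32_t len;
    struct vusb_response* generic;
    struct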
vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 
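16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
    __u32 type_control : 1;
    __u32 type_iso : 1;
    __u32 type_bulk : 1;
    __u32 type_int : 1;
    __u32 dir_in : 1;
    __u32 dir_out : 1;
};

struct usb_raw_ep_limits {
    __u16 maxpacket_limit;
    __u16 max_streams;
    __u32 reserved;
};

struct usb_raw_ep_info {
    __u8 name[USB_RAW_EP_NAME_MAX];
    __u32 addr;
    struct usb_raw_ep_caps caps;
    struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
    struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

/* Opens /dev/raw-gadget read-write; returns the descriptor or -1. */
static int usb_raw_open()
{
    return open("/dev/raw-gadget", O_RDWR);
}

/*
 * Issues USB_RAW_IOCTL_INIT with the given driver name, device name and speed.
 * Names longer than the fixed-size fields are truncated, and both fields are
 * always NUL-terminated before being handed to the ioctl.
 */
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
    struct usb_raw_init arg;

    /* strncpy() leaves the destination unterminated when the source fills it,
     * so copy one byte less into a zeroed structure. */
    memset(&arg, 0, sizeof(arg));
    strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
    strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
    arg.speed = speed;
    return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

/* The wrappers below each issue one raw-gadget ioctl and return its result. */

static int usb_raw_run(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
    return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
    return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Returns the position in the device's interface table whose interface number
 * and alternate setting both match, or -1 if `fd` is unknown or nothing matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    for (int i = 0; i < index->ifaces_num; i++) {
        if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
            index->ifaces[i].bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

/*
 * Returns the stored handle of the endpoint with address `bEndpointAddress`
 * on the currently selected interface, or -1 if `fd` is unknown, no interface
 * is selected, or the address is not present.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;
    if (index->iface_cur < 0)
        return -1;
    /* The loop must stop at eps_num. Testing eps_num alone is always true once
     * the interface has any endpoint, so a missing address would keep reading
     * past the end of eps[]. */
    for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
        if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return index->ifaces[index->iface_cur].eps[ep].handle;
    return -1;
}

/*
 * Switches the device behind `fd` to interface table entry `n`: disables the
 * endpoints of the current interface, then enables those of the new one and
 * records the returned handles.
 */
static void set_interface(int fd, int n)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return;
    if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
        for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num;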
ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { 
usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* 
resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = 
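ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Read from a non-control endpoint of an emulated USB device.
 *
 * a0 is the raw-gadget fd, a1 the endpoint address, a2 the requested length
 * and a3 the destination buffer. The length is clamped to the size of the
 * on-stack transfer buffer before the read, so the copy into `data` never
 * exceeds sizeof(io_data.data). Returns 0 on success, -1 if the endpoint is
 * unknown, or the negative result of usb_raw_ep_read().
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

/* Close the raw-gadget fd (a0) and give the kernel 200 ms to process the disconnect. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Open a device node.
 *
 * If a0 is 0xc or 0xb, open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 * (a1/a2 truncated to uint8_t, so the formatted path always fits in buf).
 * Otherwise a0 points to a path template: every '#' is replaced by
 * successive decimal digits of a1 (least significant first) and the result
 * is opened with flags a2. The template is copied with strncpy() and
 * explicitly NUL-terminated, so over-long templates are truncated.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/*
 * Open a file under /proc for the current process, the current thread or a
 * specific task.
 *
 * a0 == 0 selects /proc/self, a0 == -1 selects /proc/thread-self, any other
 * value selects /proc/self/task/<a0>. a1 points to the NUL-terminated file
 * name; snprintf() truncates it to the 128-byte buffer. The file is opened
 * O_RDWR, falling back to O_RDONLY. Returns the fd or -1.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * Open the slave side of a pseudo-terminal.
 *
 * a0 is the master fd; its pty number is queried with TIOCGPTN and
 * /dev/pts/<n> is opened with flags a1. Returns the fd or -1.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * Create a socket in the initial network namespace.
 *
 * The current namespace is saved via /proc/self/ns/net, the process switches
 * to the namespace held in kInitNetNsFd, creates the socket and switches
 * back. Failing to switch back is fatal (exit(1)): continuing would leave
 * the process in the wrong namespace. errno from socket() is preserved.
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* Close the saved-namespace fd on this path too, keeping setns()'s errno. */
		int setns_errno = errno;
		close(netns);
		errno = setns_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

/*
 * Resolve a generic-netlink family name to its numeric id.
 *
 * `name` points to the family name. If sock_arg is negative a temporary
 * NETLINK_GENERIC socket is created (and closed again before returning);
 * otherwise sock_arg is used as the socket. Returns the id or -1.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	bool dofail = false;
	int fd = sock_arg;
	if (fd < 0) {
		dofail = true;
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, dofail);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

/* One chunk of a filesystem image: `size` bytes at `data`, placed at `offset` in the image. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/*
 * Sanitize program-supplied image segments and compute the image size.
 *
 * At most IMAGE_MAX_SEGMENTS segments are examined. Each segment's size is
 * clamped to IMAGE_MAX_SIZE and its offset is reduced so that
 * offset + size <= IMAGE_MAX_SIZE. The returned size is the larger of the
 * requested `size` and the furthest segment end, capped at IMAGE_MAX_SIZE.
 *
 * The segment end is offset + size. The earlier code compared against
 * offset + offset, which under-sized the image whenever a segment's size
 * exceeded its offset, so such a segment could reach past the image end.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
{
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (size_t i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/* Cannot overflow: offset <= IMAGE_MAX_SIZE - size after the clamps above. */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/*
 * Build an in-memory image from `segs` and attach it to loop device `loopname`.
 *
 * On success stores the memfd and loop fd in *memfd_p / *loopfd_p and
 * returns 0. On failure closes whatever was opened, sets errno to the first
 * error and returns -1. If the loop device is busy it is cleared once and
 * the attach is retried.
 */
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	size = fs_image_segment_check(size, nsegs, segs);
	/*
	 * fs_image_segment_check() takes nsegs by value, so its clamp is not
	 * visible here. Apply the same bound so that only sanitized segments
	 * are written.
	 */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (size_t i = 0; i < nsegs; i++) {
		/* Best effort: a failed segment write is deliberately ignored. */
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	*memfd_p = memfd;
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	int err = 0, res = -1, loopfd = -1, memfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64,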
&info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) return -1; source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; } error_clear_loop: if (need_loop_device) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); close(memfd); } errno = err; return res; } static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, 
volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

/* Mount fusectl at /sys/fs/fuse/connections; a mount failure is ignored. */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/*
 * Confinement steps applied to the test process before any fuzzed call runs.
 *
 * In order: arrange to be killed with the parent, start a new session, keep
 * a handle on the current network namespace in kInitNetNsFd, apply resource
 * limits, unshare several namespaces (best effort) and write fixed values to
 * the SysV IPC sysctls. Only the namespace-handle setup is fatal on failure;
 * setrlimit() and unshare() results are not checked.
 */
static void sandbox_common()
{
	/* Die with SIGKILL if the parent exits, so no orphaned test process survives. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	/* Pin the current net namespace on a fixed fd; syz_init_net_socket() switches to it via setns(). */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	/* Resource limits: 200 MiB address space, 32 MiB locked memory, 136 MiB file size,
	 * 1 MiB stack, no core dumps, 256 open files. */
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* Private mount namespace, with propagation disabled so mounts do not leak to the host tree. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically here. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* Fixed SysV shared-memory, message-queue and semaphore limits. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/* Reap children until `pid` itself is collected and return its exit status; a negative pid (failed fork) is fatal. */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the current process. Only these two bits are cleared;
 * every other capability the process holds is left in place. Failure of
 * capget/capset is fatal.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: fork a child that applies the common setup, drops the two
 * capabilities above, tries to enter a fresh network namespace and runs
 * loop(). The parent waits for the child and returns its exit status.
 * The unshare() calls are best effort, so on a kernel or configuration where
 * they fail the child keeps running in the original PID/network namespace.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	/* Reached only if loop() returns. */
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, which the test program may have filled with
 * mounts, immutable files and nested directories.
 *
 * Everything mounted on the directory or its entries is lazily unmounted
 * first. Entries are classified with lstat(), so a symlink to a directory is
 * unlinked rather than descended into. EPERM is handled by clearing the inode
 * flags with FS_IOC_SETFLAGS and retrying; EROFS is tolerated; any other
 * unexpected error terminates the process with exit(1).
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
retry:
	while (umount2(dir, MNT_DETACH) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, MNT_DETACH) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* NOTE(review): open() has no O_NOFOLLOW, so if `filename` is a symlink the
				 * flags are cleared on its target - confirm this is acceptable given that the
				 * directory contents are controlled by the test program. This branch also
				 * bypasses the i > 100 bound below. */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, MNT_DETACH))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, MNT_DETACH))
					exit(1);
				continue;
			}
			/* New entries appeared since the scan: rescan the directory, at most 100 times. */
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf,
"%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } #define NL802154_CMD_SET_SHORT_ADDR 11 #define NL802154_ATTR_IFINDEX 3 #define NL802154_ATTR_SHORT_ADDR 10 static void setup_802154() { int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock_route == -1) exit(1); int sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock_generic < 0) exit(1); 
int nl802154_family_id = netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true); for (int i = 0; i < 2; i++) { char devname[] = "wpan0"; devname[strlen(devname) - 1] += i; uint64_t hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8); uint16_t shortaddr = 0xaaa0 + i; int ifindex = if_nametoindex(devname); struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR; netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr, sizeof(shortaddr)); int err = netlink_send(&nlmsg, sock_generic); if (err < 0) { } netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr, sizeof(hwaddr), 0); if (i == 0) { netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0"); netlink_done(&nlmsg); netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(&nlmsg, sock_route); if (err < 0) { } } } close(sock_route); close(sock_generic); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 
4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header at the start of every request read from the FUSE device fd. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header at the start of every reply written back to the FUSE device fd. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/* Table of prepared replies, one slot per reply layout; a NULL slot means "no reply available". */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
};

/*
 * Send a prepared reply for the request described by in_hdr.
 *
 * Copies the request's `unique` id into the reply so the kernel can match
 * it, then writes out_hdr->len bytes starting at out_hdr. The length comes
 * from the prepared reply itself and is not validated here. Returns 0 on
 * success, -1 if there is no reply or the write fails.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Read one request from a FUSE device fd and answer it with a prepared reply.
 *
 * a0 is the fd, a1/a2 the read buffer and its length, a3 a
 * struct syz_fuse_req_out table of replies. The request is rejected (-1)
 * when the buffer is smaller than FUSE_MIN_READ_BUFFER, when fewer bytes
 * than a request header were read, or when the header claims more bytes
 * than were actually read. The opcode then selects which reply slot to send;
 * unknown opcodes return -1.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	/* Do not interpret the buffer as a header unless a full header arrived. */
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* These opcodes get a header-only reply: the init slot is reused with its length forced to the bare header size. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* No reply is sent for these two opcodes. */
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define WIFI_MAX_INJECT_LEN 2048

/* Send a HWSIM_CMD_REGISTER generic-netlink message on `sock`; returns netlink_send()'s result. */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send(nlmsg, sock);
	if (err < 0) {
	}
	return err;
}

static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd =
HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", true); int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = 
ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 53; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 39 ? 50 : 0) + (call == 44 ? 3000 : 0) + (call == 45 ? 3000 : 0) + (call == 46 ? 300 : 0) + (call == 47 ? 3000 : 0) + (call == 48 ? 300 : 0) + (call == 49 ? 3000 : 0) + (call == 50 ? 300 : 0) + (call == 51 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_clock_gettime #define __NR_clock_gettime 265 #endif #ifndef __NR_getegid #define __NR_getegid 50 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_lstat #define __NR_lstat 107 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_openat2 #define __NR_openat2 437 #endif #ifndef __NR_recvmmsg #define __NR_recvmmsg 337 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_signalfd4 #define __NR_signalfd4 327 #endif #ifndef __NR_statx #define __NR_statx 383 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[25] = {0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x20000040 = 8; inject_fault(1); res = syscall(__NR_getsockopt, -1, 0x84, 0x14, 0x20000000, 0x20000040); if (res != -1) r[0] = *(uint32_t*)0x20000000; break; case 1: 
*(uint32_t*)0x20000080 = r[0]; *(uint32_t*)0x20000084 = 0x3ff; *(uint32_t*)0x200000c0 = 8; res = syscall(__NR_getsockopt, -1, 0x84, 0x13, 0x20000080, 0x200000c0); if (res != -1) r[1] = *(uint32_t*)0x20000080; break; case 2: memcpy((void*)0x20000100, "cpu.stat\000", 9); res = syscall(__NR_openat, -1, 0x20000100, 0, 0); if (res != -1) r[2] = res; break; case 3: syscall(__NR_ioctl, (intptr_t)r[2], 0x125e, 0x20000140); break; case 4: *(uint32_t*)0x20000180 = 5; *(uint32_t*)0x20000184 = 4; res = syscall(__NR_signalfd4, (intptr_t)r[2], 0x20000180, 8, 0x80800); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000500 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x10; *(uint16_t*)0x200001c2 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = 0x20002011; *(uint32_t*)0x20000504 = 0xc; *(uint32_t*)0x20000508 = 0x200004c0; *(uint32_t*)0x200004c0 = 0x20000200; *(uint32_t*)0x20000200 = 0x29c; *(uint16_t*)0x20000204 = 0; *(uint16_t*)0x20000206 = 8; *(uint32_t*)0x20000208 = 0x70bd29; *(uint32_t*)0x2000020c = 0x25dfdbff; *(uint8_t*)0x20000210 = 0x87; *(uint8_t*)0x20000211 = 0; *(uint16_t*)0x20000212 = 0; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 3; *(uint32_t*)0x20000218 = 0; *(uint16_t*)0x2000021c = 0x46; *(uint16_t*)0x2000021e = 0x2a; *(uint8_t*)0x20000220 = 0x2a; *(uint8_t*)0x20000221 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000222, 0, 3, 5); *(uint8_t*)0x20000223 = 0x25; *(uint8_t*)0x20000224 = 3; *(uint8_t*)0x20000225 = 1; *(uint8_t*)0x20000226 = 0x95; *(uint8_t*)0x20000227 = 0xcb; *(uint8_t*)0x20000228 = 0x75; *(uint8_t*)0x20000229 = 0x16; *(uint16_t*)0x2000022a = 1; *(uint16_t*)0x2000022c = 0x401; *(uint16_t*)0x2000022e = 0x37; memcpy((void*)0x20000230, "\x02\x01\x1b\xf2\x90\x7b\xdd\xcb\xfa\xf4\xd0\xd9\xd3\x19\xcb\x38", 16); *(uint8_t*)0x20000240 = 0x76; *(uint8_t*)0x20000241 = 6; *(uint8_t*)0x20000242 = 0x7f; 
*(uint8_t*)0x20000243 = 3; *(uint16_t*)0x20000244 = 6; *(uint16_t*)0x20000246 = 0x2050; *(uint8_t*)0x20000248 = 0x65; *(uint8_t*)0x20000249 = 0x12; *(uint8_t*)0x2000024a = 8; *(uint8_t*)0x2000024b = 2; *(uint8_t*)0x2000024c = 0x11; *(uint8_t*)0x2000024d = 0; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 1; memset((void*)0x20000250, 255, 6); *(uint8_t*)0x20000256 = 8; *(uint8_t*)0x20000257 = 2; *(uint8_t*)0x20000258 = 0x11; *(uint8_t*)0x20000259 = 0; *(uint8_t*)0x2000025a = 0; *(uint8_t*)0x2000025b = 1; *(uint8_t*)0x2000025c = 0x68; *(uint8_t*)0x2000025d = 4; *(uint16_t*)0x2000025e = 9; *(uint16_t*)0x20000260 = 0x81; *(uint16_t*)0x20000264 = 0xcc; *(uint16_t*)0x20000266 = 0x2a; *(uint8_t*)0x20000268 = 4; *(uint8_t*)0x20000269 = 6; *(uint8_t*)0x2000026a = 1; *(uint8_t*)0x2000026b = 1; *(uint16_t*)0x2000026c = 0x100; *(uint16_t*)0x2000026e = 0x8000; *(uint8_t*)0x20000270 = 0x3c; *(uint8_t*)0x20000271 = 4; *(uint8_t*)0x20000272 = 0; *(uint8_t*)0x20000273 = 7; *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 6; *(uint8_t*)0x20000276 = 1; *(uint8_t*)0x20000277 = 6; STORE_BY_BITMASK(uint8_t, , 0x20000278, 6, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000278, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x20000279, 0xc, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20000279, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 0x3f, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027a, 1, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 9, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027b, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0x16, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027c, 0, 7, 1); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0x24, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x2000027d, 0, 7, 1); *(uint8_t*)0x2000027e = 0x83; *(uint8_t*)0x2000027f = 0x25; STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 0, 6); STORE_BY_BITMASK(uint8_t, , 0x20000280, 1, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000280, 0, 7, 1); *(uint8_t*)0x20000281 = -1; *(uint8_t*)0x20000282 = 0x3f; *(uint8_t*)0x20000283 = 8; 
*(uint8_t*)0x20000284 = 2; *(uint8_t*)0x20000285 = 0x11; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint32_t*)0x20000289 = 0x1f; memset((void*)0x2000028d, 255, 6); *(uint32_t*)0x20000293 = 0; *(uint32_t*)0x20000297 = 6; *(uint8_t*)0x2000029b = 8; *(uint8_t*)0x2000029c = 2; *(uint8_t*)0x2000029d = 0x11; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 0; *(uint8_t*)0x200002a0 = 1; *(uint32_t*)0x200002a1 = 6; *(uint8_t*)0x200002a5 = 0x26; *(uint8_t*)0x200002a6 = 0x44; *(uint8_t*)0x200002a7 = 4; *(uint8_t*)0x200002a8 = 7; *(uint8_t*)0x200002a9 = 8; memcpy((void*)0x200002aa, "\x2e\xf5\x31\xb7\xbe\x2d\xde\x42\xfc\x39\x5f\x76\x44\x7c\x92\x87\x9c\x4d\x95\x11\x18\x2e\xe0\x77\xcb\x10\x2d\x54\xd8\xe9\xbd\x03\x76\x74\x1a\xff\xce\x00\x72\x8e\x65\xce\xfb\x04\xca\xcd\x7c\x82\x88\x0f\x11\x3d\x4a\x79\x37\x8b\xfd\x5c\x8d\x75\x2b\xd2\x51\xe3\x1b", 65); *(uint8_t*)0x200002eb = 0x2d; *(uint8_t*)0x200002ec = 0x1a; *(uint16_t*)0x200002ed = 0x482; STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 1, 2, 3); STORE_BY_BITMASK(uint8_t, , 0x200002ef, 0, 5, 3); *(uint64_t*)0x200002f0 = 5; STORE_BY_BITMASK(uint64_t, , 0x200002f8, 0x3f, 0, 13); STORE_BY_BITMASK(uint64_t, , 0x200002f9, 0, 5, 3); STORE_BY_BITMASK(uint64_t, , 0x200002fa, 0x80, 0, 10); STORE_BY_BITMASK(uint64_t, , 0x200002fb, 0, 2, 6); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 2, 2); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200002fc, 0, 5, 27); *(uint16_t*)0x20000300 = 0x400; *(uint32_t*)0x20000302 = 5; *(uint8_t*)0x20000306 = 0x56; *(uint8_t*)0x20000307 = 0x8c; *(uint8_t*)0x20000308 = 0x10; *(uint16_t*)0x20000309 = 0x9b2; memcpy((void*)0x2000030b, "\xe7\x43\x38\xed\x57\xa9", 6); memcpy((void*)0x20000311, "\x4d\xbe\x86\xf3\x95\x65\x40\x8a", 8); *(uint8_t*)0x20000319 = 0x7e; *(uint8_t*)0x2000031a = 0x15; 
STORE_BY_BITMASK(uint8_t, , 0x2000031b, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000031b, 9, 1, 7); *(uint8_t*)0x2000031c = 0xc0; *(uint8_t*)0x2000031d = 0x40; *(uint8_t*)0x2000031e = 8; *(uint8_t*)0x2000031f = 2; *(uint8_t*)0x20000320 = 0x11; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint32_t*)0x20000324 = 0x7fff; *(uint32_t*)0x20000328 = 6; *(uint32_t*)0x2000032c = 0xff; *(uint16_t*)0x20000330 = 0x148; *(uint16_t*)0x20000332 = 0x2a; *(uint8_t*)0x20000334 = 0x7e; *(uint8_t*)0x20000335 = 0x15; STORE_BY_BITMASK(uint8_t, , 0x20000336, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000336, 2, 1, 7); *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 8; *(uint8_t*)0x20000339 = 8; *(uint8_t*)0x2000033a = 2; *(uint8_t*)0x2000033b = 0x11; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint32_t*)0x2000033f = 0x1ff; *(uint32_t*)0x20000343 = 3; *(uint32_t*)0x20000347 = 3; *(uint8_t*)0x2000034b = 0x82; *(uint8_t*)0x2000034c = 0x30; STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 3, 3); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x2000034d, 0, 7, 1); *(uint8_t*)0x2000034e = 3; *(uint8_t*)0x2000034f = 0xf7; *(uint32_t*)0x20000350 = 8; *(uint8_t*)0x20000354 = 8; *(uint8_t*)0x20000355 = 2; *(uint8_t*)0x20000356 = 0x11; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint32_t*)0x2000035a = 0xae; *(uint32_t*)0x2000035e = 0x71a4; *(uint32_t*)0x20000362 = 2; *(uint8_t*)0x20000366 = 2; STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000367, 0, 3, 5); *(uint8_t*)0x20000368 = 8; *(uint8_t*)0x20000369 = 2; *(uint8_t*)0x2000036a = 0x11; *(uint8_t*)0x2000036b = 0; 
*(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 1; *(uint32_t*)0x2000036e = 0; STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000372, 0, 3, 5); *(uint8_t*)0x20000373 = 8; *(uint8_t*)0x20000374 = 2; *(uint8_t*)0x20000375 = 0x11; *(uint8_t*)0x20000376 = 0; *(uint8_t*)0x20000377 = 0; *(uint8_t*)0x20000378 = 1; *(uint32_t*)0x20000379 = 6; *(uint8_t*)0x2000037d = 0x71; *(uint8_t*)0x2000037e = 7; *(uint8_t*)0x2000037f = 1; *(uint8_t*)0x20000380 = 1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0xfb; *(uint8_t*)0x20000385 = 0x25; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 2; *(uint16_t*)0x20000388 = 0x1fc; *(uint8_t*)0x2000038a = 0x37; *(uint8_t*)0x2000038b = 0xe6; *(uint8_t*)0x2000038c = 7; *(uint8_t*)0x2000038d = 5; memcpy((void*)0x2000038e, "\x5f\x39\x64\xd8\x62\x9a\xdf\x1c\x06\xec\xdf\x89\x87\xbb\x84\x5b", 16); memcpy((void*)0x2000039e, "\xc5\xd2\xbb\x24\x59\xd5\xba\x0e\x8d\x1d\xe0\x4e\x57\x37\x4f\x62\x27\x21\x0e\xa4\x04\xeb\x95\x46\x5f\xa1\xe2\xe0\x9c\x7c\x17\xd4", 32); memcpy((void*)0x200003be, "\x27\x81\xc8\x76\x15\x7d\x69\x88\xa5\xdc\x1e\xfd\xe5\xe5\xd8\xd7\xfd\xfb\x3d\xad\x87\x19\x89\x49\x70\x60\xe2\xd7\x2d\x3a\xfa\x38", 32); *(uint8_t*)0x200003de = 3; *(uint8_t*)0x200003df = 1; memset((void*)0x200003e0, 206, 1); *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0x25; memcpy((void*)0x200003e3, "\xd5\xa7\x64\x0b\x4f\xb5\xdf\x22\xe7\x25\x13\x0f\x6f\x00\x6c\x48\x73\x42\xcb\x84\x7e\x2c\xbe\x0e\x36\xb1\x41\xaa\x91\xf7\xf4\x1d\x6b\x13\x48\x2c\x1d", 37); *(uint8_t*)0x20000408 = 4; *(uint8_t*)0x20000409 = 0x26; memcpy((void*)0x2000040a, "\xa1\xd5\xf6\x74\x74\xfa\x12\x31\x00\x04\x6d\xc2\x69\x5e\x3b\xbd\xa6\xde\xe8\x65\x7f\x03\x2e\x08\x75\x04\x15\x6e\xba\x2f\x54\xbf\x2f\x31\xcd\x5b\x78\xd5", 38); *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 0x25; 
memcpy((void*)0x20000432, "\xae\x36\x25\x8a\xd7\xf0\x4d\x6a\x21\x30\x24\xac\x42\x6f\xba\x3d\xa6\x9e\x74\xab\x66\x2f\xbb\x9d\x28\x44\x80\x99\x94\x6c\xbb\xf9\xb8\xf9\x21\xf8\xe0", 37); *(uint8_t*)0x20000457 = 2; *(uint8_t*)0x20000458 = 0x19; memcpy((void*)0x20000459, "\x69\xad\x29\xc6\x6f\x47\xf8\x7c\x53\x49\xab\x5f\x16\xa1\xe8\x03\x0e\x7c\x0b\x21\xdb\x8b\xc4\xbe\xe4", 25); *(uint8_t*)0x20000472 = 0x75; *(uint8_t*)0x20000473 = 4; *(uint16_t*)0x20000474 = 0; *(uint16_t*)0x20000476 = 0; *(uint16_t*)0x20000478 = 6; *(uint16_t*)0x2000047a = 0x48; *(uint16_t*)0x2000047c = 0x4b; *(uint16_t*)0x20000480 = 6; *(uint16_t*)0x20000482 = 0x48; *(uint16_t*)0x20000484 = 0x43; *(uint16_t*)0x20000488 = 0xa; *(uint16_t*)0x2000048a = 6; *(uint8_t*)0x2000048c = 8; *(uint8_t*)0x2000048d = 2; *(uint8_t*)0x2000048e = 0x11; *(uint8_t*)0x2000048f = 0; *(uint8_t*)0x20000490 = 0; *(uint8_t*)0x20000491 = 1; *(uint16_t*)0x20000494 = 6; *(uint16_t*)0x20000496 = 0x48; *(uint16_t*)0x20000498 = 0x11; *(uint32_t*)0x200004c4 = 0x29c; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = 0x40000; syscall(__NR_sendmsg, (intptr_t)r[3], 0x20000500, 0x80); break; case 6: memcpy((void*)0x20000540, "/dev/irnet\000", 11); res = syscall(__NR_openat, 0xffffff9c, 0x20000540, 0x189000, 0); if (res != -1) r[4] = res; break; case 7: *(uint16_t*)0x20000580 = 0xa; *(uint16_t*)0x20000582 = htobe16(0x4e20); *(uint32_t*)0x20000584 = htobe32(0x80000000); *(uint8_t*)0x20000588 = 0xfe; *(uint8_t*)0x20000589 = 0x88; memset((void*)0x2000058a, 0, 12); *(uint8_t*)0x20000596 = 0; *(uint8_t*)0x20000597 = 1; *(uint32_t*)0x20000598 = 0x81; *(uint16_t*)0x2000059c = 0xa; *(uint16_t*)0x2000059e = htobe16(0x4e24); *(uint32_t*)0x200005a0 = htobe32(3); *(uint8_t*)0x200005a4 = -1; *(uint8_t*)0x200005a5 = 1; memset((void*)0x200005a6, 0, 13); *(uint8_t*)0x200005b3 = 1; *(uint32_t*)0x200005b4 = 0; syscall(__NR_setsockopt, (intptr_t)r[4], 0x84, 0x6b, 0x20000580, 0x38); break; case 8: 
memcpy((void*)0x200005c0, "./file0\000", 8); *(uint64_t*)0x20000600 = 0x101000; *(uint64_t*)0x20000608 = 0x182; *(uint64_t*)0x20000610 = 4; syscall(__NR_openat2, 0xffffff9c, 0x200005c0, 0x20000600, 0x18); break; case 9: *(uint32_t*)0x20000640 = r[1]; *(uint32_t*)0x20000644 = 7; *(uint32_t*)0x20000648 = 0x20; syscall(__NR_setsockopt, -1, 0x84, 0x10, 0x20000640, 0xc); break; case 10: *(uint8_t*)0x20000000 = 8; *(uint8_t*)0x20000001 = 2; *(uint8_t*)0x20000002 = 0x11; *(uint8_t*)0x20000003 = 0; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 2, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x20000040, 6, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x20000042, 7, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x20000043, 0, 7, 1); *(uint8_t*)0x20000044 = 8; *(uint8_t*)0x20000045 = 2; *(uint8_t*)0x20000046 = 0x11; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 1; memset((void*)0x2000004a, 255, 6); *(uint8_t*)0x20000050 = 8; *(uint8_t*)0x20000051 = 2; *(uint8_t*)0x20000052 = 0x11; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x20000056, 7, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x20000056, 0x40, 4, 12); *(uint8_t*)0x20000058 = 8; *(uint8_t*)0x20000059 = 2; *(uint8_t*)0x2000005a = 0x11; *(uint8_t*)0x2000005b = 0; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 8; *(uint8_t*)0x2000005f = 2; *(uint8_t*)0x20000060 = 0x11; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 
= 1; *(uint16_t*)0x20000064 = 0x89; memcpy((void*)0x20000066, "\xa3\x74\xcb\x1e\x56\xd7\x9e\x5a\x64\x7d\x9f\x9d\x7e\xbb\x09\x9c\xa7\x5e\x92\x0a\x72\x0c\xe7\x65\x51\xc2\x6b\xb8\x68\x42\xda\x48\xec\x22\x63\x6f\x2e\xe2\x00\x01\x35\x9b\x8e\x2f\xb3\x76\xba\x32\xd0\x74\x25\xdd\x1b\x9b\x9b\x4f\xf7\xa3\x53\x9a\x5e\xeb\x99\xa4\x47\xa5\x8f\xec\x22\x4c\xac\xb7\xd6\xe5\xf0\xcc\x90\x99\x90\x4c\x92\xfd\x37\x74\x6a\xfc\x1c\xbd\x2b\x8b\x10\x2a\x3f\xe4\xaf\x78\xd5\xfa\x72\x95\x90\xf1\xe5\x03\x5f\x47\x0a\x44\x32\x1e\x92\x47\x87\xa4\x66\x6e\x21\xa4\xca\x5c\xbd\x12\x56\xc1\x70\x21\x7c\xd6\x96\x7a\xd7\x23\x6d\x2f\x70\x2e\x24", 137); memset((void*)0x200000f0, 255, 6); *(uint8_t*)0x200000f6 = 8; *(uint8_t*)0x200000f7 = 2; *(uint8_t*)0x200000f8 = 0x11; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint16_t*)0x200000fc = 0x1000; memcpy((void*)0x200000fe, "\x2b\xc8\xbe\xd3\xad\xe3\x14\x70\x49\x10\xb6\xee\x62\x4c\xfe\x54\xbe\xbe\x1b\x4b\x09\xba\x79\x5c\x51\x1c\xd0\xe7\x64\x85\x8a\x68\x8e\x31\x7f\x9f\x28\x73\xd1\x87\xb6\x5f\x7d\x6d\xed\x9b\x4b\x7e\xf7\xf8\x67\xd6\x5d\x32\x18\xdc\x1a\x2a\xd2\x4b\x5c\xb3\xe4\xe0\x78\x49\xf7\x08\x5c\x63\x7a\xe4\x51\x0c\x2c\x14\x43\x80\x0a\xc4\x4d\xdf\x23\xec\x3e\x00\xa0\xa2\xd2\x6d\xcf\x4e\x4f\x20\x9d\x20\xf1\xe6\x58\x29\x0a\xb4\x3a\x3f\xa2\x4e\xe8\xdc\xd4\x84\xc6\x23\xbd\xc9\x86\xb8\xea\x88\xd4\x32\x74\xe2\x06\xb9\xbe\x4c\xdf\xcc\x94\x5b\x09\x3d\x09\x37\xd9\x4f\x8f\x98\x7c\x5c\x5e\xd4\x8a\xc9\x95\x14\xb5\x45\xd0\xcb\x74\x20\x36\xae\xd4\x98\xba\xe8\x0b\xb1\xee\x39\x5e\x8e\x0a\x67\x7d\xaa\xed\x22\xdd\xc1\x60\x4d\x14\x83\x5d\xbc\x28\xc4\x3c\x64\xb1\x18\x76\x57\x4f\x8d\x89\x70\x56\x23\xf7\xf0\x78\xc5\x01\x7c\x92\xcd\x46\xaf\xf0\x81\x1e\x9b\x98\x91\x25\x06\xb3\x45\x00\x64\x0f\x97\x91\xe3\x08\x1d\x1f\xd1\x78\xc2\x13\x05\x93\x45\xba\x63\x17\x7e\xa9\xb9\x3f\xfa\x53\x06\xe2\x06\xb5\xa2\x94\x02\x25\x21\xec\x6a\xaf\x8e\x26\xd0\xb5\xbd\x00\x32\x59\x76\xa0\xb1\xe0\xff\x75\x4e\x4b\x48\x91\xd3\x68\x8e\x0b\xea\x0a\xc6\xd8\x11\x2e\x04\xfb\xe6
\x06\x8e\xc0\x3f\x4b\x66\x5e\xfa\x12\xe3\xf2\xe6\xc9\xd3\x1e\xb4\x45\x83\xa9\xac\x92\xdd\x3a\xb3\xf3\x4d\xb1\x15\xe9\xcf\x42\xf0\x97\x41\x9c\xb5\x94\x9e\xb7\x40\x3d\x44\x95\x90\x0b\x52\xc9\x55\x83\x70\xe2\xf1\xff\x76\xa9\xde\xd5\x3e\x26\x79\x3b\xf9\x39\x76\xe9\x6a\xc7\x14\x07\x47\x89\xe8\xbd\xb1\xc4\xca\x56\x2b\x51\x50\x2b\x46\x8f\x89\x54\x39\x83\x0f\x91\x5a\x5d\x8a\x50\xff\x73\xa4\x9f\xa4\x29\x3b\xfc\x35\x48\x68\x51\xea\x8d\x5c\x76\x13\x7c\x5e\x2f\xc9\xca\x45\xa3\x8c\x94\x28\xbe\x30\xf5\x03\x59\xb2\xcb\x3f\x9d\xbc\x76\x7d\x63\xf4\x19\xf5\xe7\x6c\xe5\xfb\xb6\x1e\xde\xb1\xbe\xb7\xa3\x7c\x60\xc6\x01\x1b\x56\xb8\x57\x49\x63\x42\x5a\x95\x6d\x40\x1f\x70\x3a\x19\xe9\xac\xe4\x68\x65\x41\xdd\x31\x32\xf5\xaa\x85\xae\x6d\xb1\xb7\xdd\x6d\xad\x9b\x65\x43\xe3\x57\x53\x31\x28\xab\x2c\x90\x1e\x9d\x56\xa2\x2e\xcd\x64\x45\x50\x72\x71\xf6\xfc\xe2\xa5\x74\xd5\x87\x13\x53\x0a\xff\x28\xf7\xb4\xe8\x46\x17\x80\xdf\x54\xce\x2a\x06\x7c\x9c\x38\x85\x17\xb9\xe0\x40\xbc\x88\xba\xa7\x31\x79\x6b\x13\xa8\x9a\xd7\xa0\x1c\x30\x9e\x02\x4b\x22\x06\x21\x2e\x81\xa0\xf8\x27\x9c\x36\x9c\xc4\x0f\x85\x99\x01\x18\xa3\x31\x1a\xd1\x69\x8a\x4b\x0d\x73\xe7\xde\x65\x7c\x5a\xc4\x04\xb7\xa5\xcb\xb3\xf1\xc5\xfc\xcc\xfa\x7b\xf2\x17\x83\x0b\x73\x0d\x4d\x54\x54\xf2\x76\x04\xc0\x34\x16\xd3\xbe\x6c\xb3\x78\x81\x3a\x84\xa7\x29\x26\xc4\xd4\x3d\xd5\xa7\x94\x11\xd3\x5c\x4f\x69\x82\x87\xa0\x59\x29\x60\x05\x9c\x48\xa6\xd9\xfc\xce\x84\xd0\x88\xa2\x6d\xfb\x2e\xf3\x0e\xde\xa2\x11\x41\x11\xfa\x86\xfd\x22\x87\x2a\x03\x1d\x11\x16\xd7\x48\xb3\x3f\x61\xb9\xc1\xea\x8e\x8f\xf0\x96\x89\x01\x14\x27\xf8\x88\x6c\x0c\x71\xb6\x38\x51\x67\xd4\x97\x1d\x4b\xc9\xd1\xb9\xfe\x6d\xb9\x66\xd5\x0b\x59\x24\xfb\x56\xc1\xb1\x1f\x8e\x05\xf2\x9c\xfd\xe7\xf3\x02\xaf\xe1\x61\xfd\x9d\x82\xfc\xe3\x55\x1d\xf3\xf4\x01\x3d\xa7\x76\x6a\x21\x4f\xc9\xb1\x64\xa6\xd8\xb0\x3f\x6c\xba\x91\x84\x72\xc9\xb7\xd8\x6e\x7a\xbd\xa7\xe3\xc9\xa4\x07\x8a\x64\xa9\x66\xec\xb6\xe4\x13\x34\x11\xc4\x93\xa7\xa5\xd1\x7b\x60\x5d\xe1\x39\x01\x8d\x69\x8d\x32\x5e\x31\x93\x34\x39\x5d\xa0\xb5
\x1b\x3e\x89\xd9\x59\x61\x49\x53\x1e\x92\x58\x32\xe0\x0a\x35\xbb\xea\xc1\x37\xa0\x8a\x4f\x66\x1d\xad\x30\xd0\x92\xd1\xf6\xa3\x4c\x1d\x38\x89\x4d\xa3\xea\xe2\xc4\x74\x95\x30\x92\xfb\xac\x4f\x39\xa2\xe1\x4d\x5e\x13\x06\x2c\x98\xc8\x93\xd9\x6e\xbd\xf7\x9f\x1e\xba\xd3\xcb\xb1\x6f\x8f\x7d\x17\x39\x70\x75\x23\x9b\x74\x25\x09\xb0\x76\x37\x1a\xaa\xb7\x85\x9e\x6b\x29\xc7\xcd\x83\x15\x7b\x91\xb4\xd0\xbf\x47\x9c\x7f\xa5\x3f\xd8\x57\x35\x6f\x11\x47\xdf\xa5\x90\xbf\xff\xae\x2c\x99\xbf\xc6\xa1\xa3\x84\xce\x26\x16\xa7\xc0\xd1\x49\x91\x95\x5f\xf2\x27\xe3\x55\x40\x13\x1e\x6c\x9f\xd2\xa5\xb5\x8f\x88\xf1\x83\xf6\x4a\xcc\x3d\x58\xe4\x73\x07\x6b\xf3\x14\x9d\xa2\x66\x42\x4b\x98\x2f\x73\x4a\xa0\x4b\x81\x88\x13\xdd\xd9\x01\x88\x56\x76\x17\x99\xd5\xb0\x50\x4c\xa7\xec\xf7\xae\x17\x59\x2c\x1f\x0c\x78\x4d\x60\x39\x31\x61\x71\x42\x21\xa1\x0d\x90\x19\x28\x3c\x6a\x8f\x92\x03\xc7\x97\x63\x45\x0f\x94\x70\xa3\xf5\xe2\xf9\x4e\xb9\x42\xa2\xbe\xba\x32\x21\x46\xfc\x44\x9f\x40\x22\x6b\x7f\x7d\x9e\x4d\x58\x9c\xdf\xc9\x53\xef\x76\x51\x5e\x48\x4d\xdb\x27\x5e\xfd\x8f\xb9\xe4\xb3\xf1\x75\xb9\xc6\x00\x74\x58\xce\xdb\xcf\x05\xeb\x6e\x42\xbe\xa2\x26\x85\x50\x87\x02\xb7\x8e\x77\xe6\x72\xc7\x2f\xe4\x3c\xef\x92\x49\x74\x00\x61\xf8\x3d\xfd\x86\xc1\xe9\x73\xda\xb8\x1a\x08\x30\x32\x37\xe5\x8c\x2d\x75\xa1\x21\x25\xc0\xb6\x34\x58\x5e\x3b\xfe\xe0\x81\x0e\xaa\x59\x4d\x12\xc5\xca\x25\x36\x6f\x04\x37\x86\x48\x5e\x57\xf5\xf9\x30\xcb\xcd\xee\x90\x1c\x59\x10\x0e\xbb\xc6\xe8\x23\xa1\xb7\x4b\xcd\xef\xb1\x96\x1b\x89\xdb\x6d\xf5\xe4\x61\x8e\x2b\xd8\xd9\x6f\xd8\xa1\x2b\x18\x48\x2f\xdc\xcd\x72\x95\x0a\xfe\x3c\x20\x66\xa7\x3c\x73\xf1\xca\x99\x86\xce\x15\x8c\x10\x52\x0a\xab\xee\xc9\x4d\x61\x72\xc0\x92\x48\xaa\x76\xc3\x9f\xc5\x42\x63\xfd\x44\xbf\x93\x68\x1b\x30\x92\xb8\xe8\xdb\x78\x0d\xd6\x5c\x6c\x8b\xc3\xb4\x23\xd2\x21\xe1\x3d\x3e\xde\x9d\xd0\xfc\x4f\x14\x68\x5a\x80\xd8\xee\x14\xe8\x26\xa2\x25\x38\xcf\x31\x4d\x8a\x48\xe6\x37\x54\xe8\x9b\x45\x3f\xb2\x23\x68\x62\xdc\x7c\xcc\x49\x53\xee\x56\x26\x54\xdb\x98\x95\x85\xca\xee\x6b\x65\x5b\x2b
\xf9\xdb\x0f\x22\x06\xb8\x63\x48\x0d\x71\xfa\x21\xd9\x38\xe4\x73\x58\xb2\xc0\xda\x20\x14\xa1\x95\xdf\x64\x3b\xe9\xd8\x0e\x52\x00\x3e\x9b\x45\xb1\x8f\xf7\xb6\xaa\x56\x92\x4b\xc2\xdc\x0c\xad\x61\xd9\x63\x0e\x6b\xd8\xea\xf7\x60\xb3\xf7\xfb\x31\x77\xf7\x3a\xf8\x9b\x15\x5e\x0d\x06\x1c\xe3\x2b\x9d\x45\x88\xeb\x6a\x4f\x60\x91\x9c\x2e\x3d\x41\xf6\xca\x8d\x31\xfe\xf0\x02\x7e\x06\xf9\xb7\xc2\xc2\xec\x6e\x5c\x12\x14\x42\xe4\xb7\xee\xc7\xe1\x09\xaf\x0f\xc8\x65\x80\xda\x66\xf0\xb0\x28\xd9\x3a\x00\x88\xd8\x52\x53\xfa\x9b\x5e\x21\xe4\x95\x53\x71\x4a\x1d\xc3\x92\xfd\xb3\x54\x13\x29\x10\xe0\xc6\x25\x03\xc0\x09\x6c\x6b\x85\xf1\x64\xbb\x2a\x7d\x3b\xe1\x79\xc1\xa3\xc7\xcf\xf9\xd4\x64\x34\x13\x10\x84\x6c\x51\x7f\x85\x1b\x8e\x69\x43\x1c\x64\xed\xe9\xd5\x97\xc9\x43\xbf\xe2\x91\x6d\x56\x4a\xe1\xcf\x27\x0c\x8c\x16\x7e\x96\xc1\x46\x88\xa7\x23\x15\x8d\x7b\x9c\x45\xe3\xf8\x24\x34\x19\x00\x86\xcd\xfe\xde\x4b\xfd\x95\x0f\xda\x09\xfe\x05\xa6\x14\x2b\x90\xe7\x73\x6e\xca\x65\x91\x40\xb2\x2b\x3c\x77\x67\x06\x07\xe5\x11\x58\xd9\xf7\xea\xcd\xff\xc2\x93\x20\x2b\xaf\x0b\xc7\xe2\x04\x89\x99\x68\x91\xd1\xa7\xa6\xc3\x28\x4e\x5a\xc3\x51\x39\xec\x5b\xeb\x4a\xfb\xa9\x2f\xaf\xfb\x0d\x2e\x62\x10\x26\xc7\x01\x99\x43\xf7\xbe\x68\x09\xe5\x87\x9f\x60\x78\xcd\xa7\x22\xd1\x19\x57\xb7\xe7\xac\x74\xff\x47\x9b\x3f\x65\xa0\xfb\x71\xb1\xe8\x7e\x67\x03\xa9\xda\xf4\x7f\x31\x3a\xdc\xb6\x56\x47\x7f\x53\x03\x60\x83\x6b\xc0\xb0\x07\x68\x09\x9d\xb9\x2d\x7b\xf7\x90\x31\x6c\x1c\xec\x79\x4c\xcc\x29\xdc\x04\x88\x71\xa6\x75\xdd\xe3\x16\xd9\x14\xb7\x3c\x85\xc9\x96\xe7\xf4\x1e\x52\x86\x07\xa7\x60\xb7\x78\xb3\xe0\x68\xb1\xe7\xfb\xa0\x81\x37\x36\x8a\xf0\x6b\x59\x96\xb5\x69\x87\x1b\x4a\x54\xe7\x27\x2e\xcc\x44\x18\x10\xf9\x5c\xe8\x4c\x37\xe1\x0d\xa6\x16\x24\x71\x5f\xd5\x99\x1c\x77\xa2\x24\xd5\x7a\x53\x22\x77\xf9\xdd\x36\xbb\xdc\x56\xb7\x0b\x64\xed\xc0\x38\x15\x94\xb9\xb6\xc3\x28\xe5\x9d\xd0\xf0\x4d\x34\x3f\x6d\x82\x86\x72\xd9\x7c\xc8\x15\xb1\x4b\x22\xf5\x9d\x08\x76\x1b\xa7\x75\x1e\x52\xd1\xc5\x5f\x32\x49\xb6\xaa\xcc\x51\xe1\x07\x94\x4b\xfa
\x70\xa5\x42\x19\x06\xf5\x29\x6d\x41\x84\x57\x75\xe3\x4a\x5d\x1a\x06\xc4\xc8\x79\xc7\x78\x5a\x03\x50\xba\x89\x93\x41\x25\x90\x64\xea\x42\x74\xe2\x13\x96\x41\x82\x44\x0a\xdf\x7e\x02\x30\xb3\x12\x0e\xe6\x23\x5b\xce\x98\x29\x28\x99\x79\x2c\xff\x10\x75\x88\xe3\xe9\x15\xdc\xe9\xbf\xe6\x1c\xf6\x37\x3a\x33\x11\xe7\x47\xaf\x21\x8f\xbd\x16\x58\x09\xdb\x4f\x0e\x51\x7b\x13\xe5\x92\x53\xf7\x21\xc6\x8c\x80\x14\xed\xce\x97\x45\x5a\xda\x5c\x33\xb7\xc6\x79\x4d\x38\xb7\x4b\x6d\xf4\x65\xe1\x89\x40\x4c\x7d\xf5\x6b\xee\x55\x18\xa5\xd2\x02\xfb\x50\xb5\x36\xa5\x37\x2e\x04\xc7\x0d\xec\x26\x6c\xdb\xcc\x83\x6b\x49\x88\x47\xa6\xa3\x94\x56\xf7\xb5\x94\x73\x80\x4a\xae\xd9\x66\xd7\x64\xe2\x5f\xf2\xda\x79\xd3\x4c\xe9\xfe\x72\x75\x7a\xe0\x07\xcd\xa3\x35\xbf\x37\x87\xc0\x68\x72\x55\x51\xef\x27\x76\x7d\x35\xd2\x0f\x24\x1d\x1d\x29\x21\x97\x85\x8a\xd4\xb4\x38\x18\x5e\x0a\x10\x3e\xdb\xe6\xe5\xca\xa4\xbb\x37\xe5\xcb\xdd\x71\x61\xee\xce\xb9\x3f\x9c\x7a\x39\x97\x6b\x4e\x6e\x19\xd5\xc1\xf3\xd0\x8f\x9d\x0f\xc6\xc9\x05\x5f\x4b\x05\x7d\xce\x9c\x1e\x67\x7e\x8b\xbe\x56\xb7\xc4\xed\x73\x34\xe5\xad\xcb\xa2\xaa\x5b\x1b\xf4\x45\x0a\x76\x2d\x16\x7a\x95\xbf\xc1\x09\x72\x04\x4c\x8d\x79\x7e\xf3\xad\x9d\x10\x91\xbb\x1a\xe5\xe1\x28\xe0\xdd\x22\xf4\xb7\x70\x77\x59\xf2\x79\xd4\xdd\xc9\x2a\x68\x1f\x6c\xf9\x9e\x75\x96\x0a\x32\x1b\x3d\x5b\x55\x66\x28\x07\xe5\x77\xc2\x0e\xea\x7f\x87\xe8\x8f\x29\x07\x79\xa6\x59\x8b\xc1\x9c\xcb\x74\xc3\x13\x83\x27\x88\x95\xc5\xfc\x6a\x62\xb5\x46\xf8\x1f\x7b\xd6\x78\xb2\x7f\xa6\x2d\x8d\x6f\x85\x9d\x86\x37\x29\x16\x01\x81\x20\x5b\x06\x20\x3c\x9f\x72\xa3\xa6\x59\x3f\x61\x8a\xb9\xef\x48\x8a\x24\xce\xfe\x7c\xdf\xa6\x6b\x46\xf3\x0f\x1d\x3f\x8a\xbe\xce\x64\x40\xdb\x93\x48\x3d\xf5\x23\x3b\x52\xf6\xfc\x47\xee\x3f\xd3\xbb\x98\xb0\x06\x24\x68\xc9\x16\xdc\x0f\xb1\x59\x62\x90\x2c\xb7\x30\x29\x93\x69\x51\x75\xd5\xfd\x4b\xc7\x7e\xab\x9e\xc8\xd4\x40\xee\xe3\x6a\xe6\x83\x5c\x43\x62\xf7\x81\x9f\x39\x01\x21\xa6\x9b\xc7\x0d\x63\x6e\xea\x8d\x4d\xd0\x9b\x90\xda\xd5\xc2\xdb\x03\x1d\x2b\xc3\xdf\x45\x82\x56\x24\x41\x56
\x80\xa0\x3b\x3d\xfc\x71\xce\xf6\x3f\xda\x72\x6b\x76\x5d\x58\xab\xe8\x63\xad\xf0\x34\x2b\x8f\x1e\x8e\xc8\xf8\x07\xb3\xb5\x6d\xcc\xfd\xcd\xe8\x5f\xd2\x0a\x7e\xc9\x43\x44\xcf\x31\x95\x48\x67\x81\x70\x0b\x4c\x35\x72\x15\x78\x14\xd7\xf1\x0d\xc6\x8e\x13\xad\x64\x61\x39\x77\x58\xea\xd6\x2e\x5c\x20\x4b\xa5\x7b\x2a\x4a\xf4\x22\x08\x2a\x1f\xff\xbf\xc8\x70\x96\x88\xa1\x13\x93\xe9\xdc\xf8\x7b\x6f\xa4\x0b\x10\xf4\x58\xc6\x7e\x56\x5a\xe4\xf0\x2c\x2b\xa9\x30\xfd\xa2\x13\x9b\x0f\x18\x12\xaf\xbe\x21\x2e\x89\xeb\x51\x0e\x8d\x74\xc4\x65\x05\x00\x82\xb2\xbd\xfc\x09\x17\x6a\xe9\xa1\x70\x82\x1c\xde\x09\x7c\x33\xf5\x7f\x83\x50\x0f\x18\x2f\x23\xc2\xcd\x71\x3f\x82\x68\xfa\x04\xe5\xee\x58\x00\xad\xb1\xe8\x91\xbc\x90\x2b\x2c\x10\x05\x55\x79\xbe\xd0\xb6\xac\xef\xfc\x22\x06\x54\x4e\x2d\x17\xa1\x04\x4e\xc2\x01\x24\x66\x0f\x90\xd2\xcc\xb1\xe9\xdd\x04\xab\xa7\xf6\xb3\x3d\xec\x5f\x6f\xf6\xa2\xe1\xa1\x09\xc1\x43\xf2\xb0\xa8\x08\xeb\xeb\x45\xca\xac\xdc\x39\x82\x8b\x55\x5e\x3f\xb3\xad\xb7\x44\x71\x30\x26\x6d\xa8\xb3\x33\xd0\x4a\xb7\x11\xb9\x1a\x23\xd8\x81\x78\x57\x31\xfb\xd2\xc0\x37\x60\x8f\x31\x2f\x8b\x18\xba\x63\x00\x2d\x17\x75\x44\x1a\xdf\x3d\x4c\xe8\xe5\x56\x64\x26\x4e\x1d\x22\xe4\x78\xf4\x93\x01\x74\xdf\xb8\x1f\x7e\x31\xeb\x3f\xdb\x22\xeb\x06\x88\xf3\xa1\x04\x54\x18\xf9\x08\x4a\xf4\x52\x78\xc0\x4b\xf1\x32\x00\x17\xd0\xb0\xfa\xa2\xcf\x7e\x27\x7d\xe2\x66\xa3\xfd\xb4\xb0\xf0\x55\x25\x9d\x76\xf5\x0c\x99\x4c\xba\xe7\x03\xe8\xd1\x30\x7f\x4b\xc5\x45\x3f\x32\xa7\x08\x92\x1f\xa8\x33\xb0\x3f\x5d\x18\x40\xf5\xa1\x24\x69\x29\xb1\x75\xd9\x35\x37\xa1\xd7\x46\x78\x38\xd2\x5d\x19\x8b\x17\xfb\x4b\x9a\xac\x7d\x99\xee\x1f\x1e\x2f\xdf\x4a\xe7\x28\x62\x90\xe0\xf1\xc0\x88\xe2\x43\x94\xea\x57\xf9\xa7\x33\xe4\x53\x62\x79\x22\xc5\xa6\x23\x62\x3f\xff\x29\xc6\xa5\xab\x6f\xdf\x7b\xa7\xfd\x43\x80\x34\x9a\x77\xbb\xc4\x09\xd1\x86\x9b\xc7\xf2\x45\x32\x94\xca\x2f\x17\x85\xb8\xcc\x50\xb8\x8f\xcc\xe8\xfc\x6d\x3d\xd7\x9c\x19\x8e\x36\xff\x5a\x21\x6e\x7a\x8a\xe3\xd1\x0d\xb5\xbe\x0c\xbb\x76\x17\xdf\x80\x14\xac\x68\x9c\x31\x11\x32\xc1
\xdb\x34\xd0\xee\x7a\xdb\xb6\x62\x32\xc1\xa4\x32\xc2\xca\xf7\xcf\x30\xff\x8b\xad\x84\x46\x7c\x0e\x40\xda\x4d\x0b\x10\x20\x1f\x6f\xb8\x2b\xec\x94\x83\xc7\x5b\xc8\x59\x48\x0c\x9b\xca\x13\xc5\x90\x5a\xcf\xa5\x6e\xad\x48\x8f\xc2\xbd\xe3\xa2\x2c\xa4\xfa\xbc\xea\xb9\xb9\xe3\x77\x6b\x5a\x62\x14\x63\xe1\x29\x6d\xde\x15\x24\x0d\xac\x24\xbb\xaf\x67\xc2\x03\x86\x55\x1a\x8f\xe3\x52\x96\x0e\xcd\x36\x1d\x42\x94\x90\x3f\x25\x25\xa3\x68\xd3\x63\x07\xde\x3a\xb0\x21\xbe\x4b\x64\x77\xe8\x61\x82\xf6\xa5\x65\xcf\x67\x95\xc2\x64\xaa\xda\xe3\xd3\x07\x2b\xae\xbc\x48\x8c\x74\x30\x7e\x27\xbc\xea\x4a\x74\x6b\x67\xad\xf8\xe2\x0a\x21\x9c\xb9\x11\xe2\x93\xad\xaa\xe8\xd5\x2e\x63\x08\x09\x11\x29\xc0\x2a\xfd\x50\x59\x95\x88\xc9\x20\x15\x85\x82\xdb\x85\x6c\xeb\xd3\xd6\x65\x9d\x14\x77\xf9\x66\xfb\x54\xe9\xea\x1b\x36\x59\x90\xff\x5b\xba\x6f\xce\xd2\xb5\x9f\xc8\xa6\xf9\xfd\x57\x28\x70\x61\xc5\x21\xeb\xc1\xac\xe5\x21\xab\xe0\x04\xf5\xf0\xb5\xf8\xb9\x02\xd6\xc7\x5a\xc5\x7d\xf5\xd2\xe9\x7f\x1f\xfa\xd3\xa5\x31\xf9\x1f\xa1\xcb\xa4\x8b\x58\x93\x5f\x05\x03\x35\x41\x5d\xca\x8e\x46\x02\x43\xe2\x1e\xa7\x1f\x99\x0c\x37\xa6\xc9\x8c\xd1\x9c\x2c\xc3\x47\x1e\xc2\xec\xd0\x42\xc8\x20\x71\x8d\x00\xb6\x37\x9d\x80\x69\x83\x62\x8e\x08\x64\xad\x14\x6e\xe1\x70\xdc\x91\xfc\x25\x55\x94\x0d\xb1\x36\x4c\xb7\x43\xc0\xc7\x03\x7d\xba\x3e\x9b\x10\x8f\xea\x98\x84\x01\xd5\x52\xd4\xac\xe6\xa8\x30\x83\x65\xc0\xb1\xed\xe6\xb8\x73\xa2\x94\xd6\x25\x23\x86\x55\x33\x1a\xcd\x6e\xe2\x38\x0d\xba\x98\x0e\x35\xb2\xbb\xd4\x0f\x65\xfe\x32\xef\x03\xcb\xf0\xcf\x57\x55\x2e\x81\x8e\xc6\x07\x0c\x52\x25\x66\xd8\x2a\xa2\xc4\xd0\x46\xd9\x5b\xcb\xb4\xed\x89\x7a\x3b\x59\x3d\xdc\x57\xb3\xbf\x4b\x2d\xee\x34\xcb\x50\x53\x69\x2e\x45\xde\xec\x78\xbf\x7f\xa7\x00\x2c\xfe\x74\x15\x7a\x5d\xd4\xc5\xae\xc1\xb9\x86\x28\x06\xd8\x88\x39\xa6\xa3\x91\xa0\x4d\x0d\x46\x78\x1e\x45\xb3\xfb\x78\xe7\x1e\xb9\xa6\xba\xda\x4d\x6e\x45\xf6\x45\x2c\x41\x93\x1c\x91\x23\xc8\x78\x38\x32\x0b\xf9\xcd\xe6\x13\xab\x41\xec\x0f\x23\xaf\xcc\x01\xa6\x98\x66\xf8\x32\x39\xe5\xb7\x7e\xc5\x6c\x1b\xf1
\x3c\x4f\xa5\x37\x9b\xc5\xe6\x78\xf4\x5c\x3f\xb9\x12\xe1\xaf\xdb\xc4\x66\xba\xdb\x62\x36\xb5\xfb\x85\x00\xc7\x43\x58\x65\xae\x64\x22\x70\xb2\xa9\x42\x43\x0b\xe5\x4d\xca\x09\xec\xb2\x4e\xc6\xd0\x51\xd0\xc6\x3b\x02\xe2\xcc\xbe\x57\xdd\x90\x12\xb7\xc0\x95\x80\x67\xb4\x06\x21\x50\xb3\x47\x98\x31\x96\x11\xdb\x1f\x48\x79\xaa\x8b\x5b\x55\xee\x2f\x20\xb0\xd7\x9a\x14\xcd\x7c\xc1\x8a\x76\xb4\xb3\xf0\x0f\xff\x45\xec\x9d\x07\x64\x07\x6d\xc1\xdc\x00\x72\xe0\x9b\x67\x4f\x18\x7a\x18\xd4\x57\xa1\x1c\xf2\xb6\x54\xbf\xc8\x51\xb5\x5f\x46\x4d\x95\xe5\x1a\x45\xd2\xda\x43\xc7\x90\xeb\xc7\x72\xca\x27\xb8\x28\xa0\x61\xca\x4b\xa2\x8c\x98\x67\x22\xcb\xd4\x86\x73\x32\x87\x8e\x2a\x7b\x87\x6f\xaf\xaa\x74\x34\xf4\x3c\xb4\x48\xb2\x16\xd4\xae\x0e\x18\xa1\xaa\x66\x77\x76\xdb\x69\x99\x9b\xe0\x81\x82\x2d\x56\x47\x8e\x57\x68\x10\x6b\xa1\xfb\xcb\x04\x4d\x16\x68\x2c\xfe\x2b\xa1\x7a\x06\x99\x7f\x88\xbd\x68\x36\x69\xaa\x2a\xe4\xd9\x6a\x15\x5e\x0b\x8a\x41\xe3\x31\xa9\xa0\x20\x0f\x15\x9a\x47\x40\xe0\x11\x04\xad\x63\x89\x21\x8a\xd1\x5d\x1f\xac\x53\xbd\x1b\x91\xd7\x23\x43\x52\x78\xdb\xc5\xe7\x90\xa0\x54\xf3\xcf\x24\xfa\x4e\x78\x66\x62\x99\x15\x40\x0e\x7d\x25\x60\xcf\x97\x64\x8b\x60\x31\x52\x8d\xb2\xc7\xd4\xca\x72\x7f\x67\xc2\x97\x42\x4f\xc9\x9a\x7b\x01\xb1\x04\xfc\xb2\xd9\xb8\x02\x6a\xd1\x92\xac\x4c\x1d\xf8\xc2\x31\x8b\x5d\xee\xa4\x79\xa3\x78\x89\x71\x17\xac\xb1\x4a\x79\x21\xb7\xdd\xe8\xaa\x78\xc5\x8d\x04\x7f\x90\xfb\x1a\x1c\x1e\xdb\x84\x7b\xf7\xba\xd3\xab\x09\x6b\xf9\x19\xd1\xb1\x03\xe7\x40\x43\xfa\xf3\x52\xe1\x63\x94\xbc\xa1\x71\x3e\x14\x8b\x69\xd2\x0e\x0c\x5f\xae\x6e\xdb\x67\xe9\x16\x20\xc2\x8d\x7f\xb7\x0b\xf7\x66\xd2\x1e\xe3\xa9\xdc\x9d\x4a\xc7\x5a\x41\xbc\xb3\xa3\x22\xe7\xec\xc8\x5e\x34\x6a\x5f\xed\x19\x0d\x0c\x69\x8f\x15\x22\x60\x67\xe5\x15\x5e\xcb\x0b\x8f\xff\xcd\x5c\x1c\x95\x52\xa5\xb8\x5a\xfc\x66\x36\x98\xcf\x47\x50\xa3\xee\xc6\xcd\xec\xcc\xaa\xf6\x37\x08\x7e\x18\x8f\x3c\xc5\x65\x7c\x40\x12\x3c\x20\xd1\xa0\x2e\xbb\x08\x18\x07\x38\x83\x53\x5a\x22\x09\xcc\xa0\x8c\xdb\xe3\xce\x0f\x94\x4d\xef\xb4\x1f\x43
\x70\x29\xc0\x78\xcb\x5e\x6c\x03\xde\xfc\x67\xc9\x59\x92\x6d\xcf\x45\xd0\xfe\xb6\xf2\x4f\xcf\xaf\x49\x97\x6b\xd3\x64\x1c\xbe\xd6\x97\x58\xcc\xd5\xaf\x8b\x95\x52\x59\xda\x1c\xd6\xfd\x82\x87\x1f\x09\xf3\x3a\x63\x4d\x54\xf5\x44\xa6\x82\x93\xdc\x73\x7f\xea\xf8\x48\x8c\x15\x42\x0f\x69\xc4\x93\x04\x2a\x5e\xe1\xed\x63\xf3\x39\xe4\x10\xf5\x80\xc0\xcb\xad\xab\xbe\xa2\xcf\xfb\xea\xf9\x68\xca\xf2\x56\x20\xde\x5f\x5b\xf7\x4e\xdd\x33\x9d\xed\x9a\x1f\x58\x53\xa2\xcf\x22\x6d\x21\xcd\xbd\x91\x72\xab\xf5\xe0\x85\x95\x60\xdd\x2e\x70\xce\x31\x0a\x33\x3d\x72\x36\x60\x67\x09\xb1\xf5\xa3\x35\x95\xec\x49\xe1\x87\xaa\x5d\xf0\x63\x51\x39\x23\xdf\xd2\x9b\xb1\x51\xa8\x25\x40\xf4\xb0\xd4\x45\x40\x4c\x8c\x5e\x1b\xd8\x40\x33\x5c\x23\x35\x7c\x5e\x6b\x1c\xdb\xfb\x1c\xcd\x72\x47\x1e\x4d\x63\x8b\x10\xc5\xb4\x22\xd9\xe6\x51\x9f\x98\x15\x1a\xd5\x25\x5e\x10\xf7\x2c\x07\x32\x63\x8a\x57\x2e\xa6\x2a\x3a\x98\xcd\x86\xb0\x49\x5f\x24\xfb\x90\xe3\xbf\xa3\x21\x6a\xbf\x88\xbd\xdd\x5f\xdc\xd1\xab\x7f\xc2\x13\xed\x7f\xe7\x62\x8b\xf5\x2e\xd3\x3f\xbf\x61\x24\xb5\x24\x6e\xab\x59\x38\xf4\xfd\xae\xa3\x96\x08\x7f\x76\x43\x49\xbe\xf8\x99\x6f\x22\x40\x92\x60\x40\x93\x44\x19\xdf\x2e\x40\x7b\xe7\xe6\x7a\x64\x2d\x69\x2b\x39\x49\xe4\x78\xed\x55\x92\x72\x06\x64\xee\xc0\xdd\x41\x50\x87\x61\x57\xa6\xf1\x85", 4096); syz_80211_inject_frame(0x20000000, 0x20000040, 0x10c0); break; case 11: memcpy((void*)0x20001100, "wlan1\000", 6); memset((void*)0x20001140, 2, 6); syz_80211_join_ibss(0x20001100, 0x20001140, 6, 2); break; case 12: memcpy((void*)0x20001180, "bpf_lsm_socket_recvmsg\000", 23); syz_btf_id_by_name(0x20001180); break; case 13: memcpy((void*)0x200015c0, "\x66\x0f\x72\xd5\x01\xdf\x5f\xd6\xc4\xc1\xf9\x6f\x9f\x52\xe4\x00\x00\xdf\xf2\xda\x36\x66\x0f\x3a\x62\xc0\x8c\xc4\xc1\x1d\x58\x3c\xe8\x66\x0f\x3a\x0a\x45\x0d\xf0\xc4\xe1\x21\x75\x23\x60", 46); syz_execute_func(0x200015c0); break; case 14: memcpy((void*)0x20001640, "/dev/cuse\000", 10); res = syscall(__NR_openat, 0xffffff9c, 0x20001640, 2, 0); if (res != -1) r[5] = res; 
break; case 15: res = syscall(__NR_ioctl, -1, 0xb704, 0x20003980); if (res != -1) r[6] = *(uint32_t*)0x20003980; break; case 16: res = syscall(__NR_clock_gettime, 0, 0x20003e00); if (res != -1) { r[7] = *(uint32_t*)0x20003e00; r[8] = *(uint32_t*)0x20003e04; } break; case 17: *(uint32_t*)0x20003dc0 = 0x20003a40; *(uint32_t*)0x20003dc4 = 0x6e; *(uint32_t*)0x20003dc8 = 0x20003d40; *(uint32_t*)0x20003d40 = 0x20003ac0; *(uint32_t*)0x20003d44 = 0x25; *(uint32_t*)0x20003d48 = 0x20003b00; *(uint32_t*)0x20003d4c = 0x6b; *(uint32_t*)0x20003d50 = 0x20003b80; *(uint32_t*)0x20003d54 = 0x2f; *(uint32_t*)0x20003d58 = 0x20003bc0; *(uint32_t*)0x20003d5c = 0xa2; *(uint32_t*)0x20003d60 = 0x20003c80; *(uint32_t*)0x20003d64 = 0xbd; *(uint32_t*)0x20003dcc = 5; *(uint32_t*)0x20003dd0 = 0x20003d80; *(uint32_t*)0x20003dd4 = 0x30; *(uint32_t*)0x20003dd8 = 0; *(uint32_t*)0x20003ddc = 0; *(uint32_t*)0x20003e40 = r[7]; *(uint32_t*)0x20003e44 = r[8]+10000000; res = syscall(__NR_recvmmsg, -1, 0x20003dc0, 1, 0x10202, 0x20003e40); if (res != -1) r[9] = *(uint32_t*)0x20003dac; break; case 18: memcpy((void*)0x20004040, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004040, 0x20004080); if (res != -1) r[10] = *(uint32_t*)0x20004094; break; case 19: *(uint32_t*)0x20004200 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x10, 0x20004100, 0x20004200); if (res != -1) r[11] = *(uint32_t*)0x20004134; break; case 20: memcpy((void*)0x20004240, "./file0\000", 8); res = syscall(__NR_statx, 0xffffff9c, 0x20004240, 0x4000, 0x400, 0x20004280); if (res != -1) r[12] = *(uint32_t*)0x20004294; break; case 21: memcpy((void*)0x20004380, "./file0\000", 8); res = syscall(__NR_lstat, 0x20004380, 0x200043c0); if (res != -1) r[13] = *(uint32_t*)0x200043d0; break; case 22: *(uint32_t*)0x20004a80 = 0xe4; res = syscall(__NR_getsockopt, -1, 0, 0x11, 0x20004980, 0x20004a80); if (res != -1) r[14] = *(uint32_t*)0x200049b4; break; case 23: res = syscall(__NR_getegid); if (res != -1) r[15] = res; break; case 24: 
memcpy((void*)0x20001680, "\x47\xa8\x4c\x3d\x9c\xa1\xd1\xb4\xb2\x5b\x6d\xa5\xc6\xdd\x9f\x48\xac\x0b\x1a\x50\x14\x5d\x57\xaa\x24\x4d\xc1\xbb\x1a\x54\x1c\x93\x16\x0d\x23\xf1\xcb\xf0\x3d\x77\x7a\x21\xe7\xd1\xf0\xf2\x61\x38\x37\xc0\xe0\x5d\x6f\x4b\xc9\x98\xb1\xdd\x5e\xc7\x6e\x06\x98\x26\xfc\x47\xb4\xa0\x81\x6b\x5a\x85\x9c\x9a\x8a\x42\x88\xf2\xe7\x17\x88\x66\x28\x3d\x96\x7a\x95\x12\x2a\xb3\x8c\x64\xe1\xd6\xc0\x50\x57\x2b\xdd\x7c\x98\x27\x13\xb5\xb3\x7a\x79\xe2\xdb\xe0\x8a\x6a\x9b\xd3\xd6\xfd\x57\x96\x04\xac\x48\x7b\x65\x2b\xee\x18\x03\x90\xe3\x66\x8f\x2a\xad\xa1\x71\x7a\x5b\x2a\x21\xcb\x84\xb3\xb9\xa8\xb5\x97\x78\x4c\x01\x15\xc8\xf2\xc0\x87\x08\xd9\xa2\x26\xd6\xf5\x89\x02\xad\x29\xf3\x78\x4f\x64\x80\x06\x9d\x25\xe0\xec\x46\xc3\x78\x10\x92\x3b\xbe\x2d\xac\x50\x43\x85\x6a\x11\xb7\xb9\x8c\x43\x29\x4e\xf4\xc2\xbf\xda\x08\xb0\x4e\xe5\x41\x06\x26\xcb\x64\x95\x7c\xf1\xee\xa3\xd3\xf0\x07\xd6\x95\x83\xbc\xde\xbf\x40\x22\xf8\x5f\x65\x23\x73\xa5\x90\x36\xb6\x2b\x4a\x3e\x9d\xef\xe6\x05\xa9\x89\x2e\x57\x18\xcb\x6f\xc9\xde\x81\xc2\x47\x9e\xf9\x5a\x13\xf8\xca\x78\x9f\x4b\x2a\xc5\xeb\x89\x7f\xab\xbe\xbc\x00\x46\xd8\xe2\x35\xeb\xbf\x54\xa5\x6a\xac\xd1\x40\xae\x4c\xfb\x41\x1b\x9c\x15\x18\xe6\x2f\xa8\x7a\x98\x76\xaf\xc8\x9e\xd8\xa4\xba\x24\xd8\xb9\xef\x13\x39\xf4\xf7\x94\xce\xc9\x86\x51\xe7\xd9\x4d\xdd\x25\x99\x88\xa7\xa4\xf7\x99\xb0\x88\x9c\x16\x80\xd3\x90\xba\x62\x53\xff\x66\xa1\x82\xea\x2c\xf0\x6b\x6f\xd9\xab\x07\xa8\x7f\x69\x7c\x33\x1c\x9a\x83\x25\x64\xec\xab\x23\x83\x84\xff\xef\x50\xc2\x49\xcb\xf1\x1f\x7f\x40\xec\xd4\x4b\x94\x5b\xd5\x7c\x59\x9b\xa3\xd8\x8c\x0b\xe3\x5a\xdd\xf5\xb5\x83\x7b\x18\x8d\x64\xe2\x49\xce\x31\x50\x66\x98\xbd\x73\x75\x46\x53\x04\xd2\x0e\xb3\x80\x23\x26\xb3\x52\x8b\xcb\xe6\xee\x11\x0e\x57\x82\x1c\xcb\x89\x9f\x5e\xee\xce\xc6\x04\xc3\xa5\xe5\x93\x8a\x3a\x94\x26\x60\x99\x2d\x67\x6b\x81\xc5\xaf\x74\x70\x17\x6d\x72\xd7\xc6\xa9\xd6\xc4\x12\x1b\x57\x11\xb1\x6e\xe1\x19\xb5\x77\x64\xd7\xfd\x6d\xfc\xb5\xa3\x9c\x1b\xc9\x7e\x5c\x5f\x5d\xc1\x02\x5a\x5e\xcc\xa4\x8b\x65\xaf\xb8\
x7a\x55\x83\xcf\x17\x96\x90\x98\xae\xc3\xb1\xb9\x29\x1f\x77\x5e\xd6\xa5\xa7\x10\xf7\x3e\x32\xef\x7a\x0e\x8c\x84\xff\x56\x54\x51\x44\xca\x50\x4b\x81\x97\xa9\x19\x6c\x9b\x68\xa4\xb5\x7a\xba\xd8\x19\xff\x6f\x6f\x99\x16\x3f\xa3\xe2\x76\x27\x84\x84\xae\xf1\xe2\x87\x84\x1f\x45\x72\x06\x2d\xa6\x77\xf0\xe1\x47\xb9\x33\x58\xe5\xad\x7a\x50\xaf\x84\x2c\xad\xbf\xf4\x19\x2d\xfb\x2f\x98\xcd\xc8\xd8\x78\xd0\xf7\xf3\x5b\x31\xa2\xe8\x03\xce\xa2\xc3\xa2\x87\x8d\x46\x9c\x9a\xa7\xb2\xde\x1e\x8b\xfd\xa5\x1e\xcb\x47\x51\xcd\x86\x1f\xb2\x29\x3e\x37\xeb\x98\x82\xbb\x97\xcf\x70\x45\x3f\x19\x44\x6c\x56\x5f\xd8\x14\x11\x4b\x30\x2a\x4b\xc5\xb6\x42\xa7\x6c\x4c\xfd\xdb\x0f\x4c\xeb\x41\xca\x29\xbe\x4d\x35\x58\x77\x55\xd2\xe8\xe1\xf4\x2e\x97\x1b\x38\x3f\xdf\xd0\xcb\xef\x9f\x5d\x50\x3c\x72\x0a\x3e\x3b\xb8\xb4\x09\x7d\x69\xa7\x20\x82\x35\xa8\x2f\x6a\x75\x1f\x3e\x26\xf2\xe1\x40\x3e\x0d\xa6\x3f\xed\x0f\xa0\x42\x74\x0d\xf1\xd6\x1c\x98\x85\x72\xc8\xad\x71\x1f\x20\x41\x0e\x02\xb3\x2b\x1e\xe7\xf4\x18\xfd\x0c\xc6\x57\xe9\xde\x33\x28\x8e\xc8\x39\x57\x56\xc4\x7e\x16\xd4\xab\x5e\xd7\xca\x4c\x1e\x53\xad\x65\x08\xd5\x8f\x70\xdf\x85\x7d\x41\x89\x09\xe8\x13\x44\xb7\x56\x4e\x00\x64\xa4\x9a\x1d\xb8\xa3\x33\xfc\x60\x9b\xcb\x51\x11\xef\x10\x0e\x0e\xde\x88\xf4\x9f\x3f\x43\x56\x84\x21\x1d\xea\x4d\xe5\xbc\xa1\x85\x3c\xae\x7b\x60\x5e\x3c\xea\x2f\xab\xb8\x0b\xaa\x41\x62\x6d\x31\x04\x7f\xe3\x85\x69\xe6\xab\xbd\xdc\x2e\x1c\x2b\x85\x56\x23\x3f\xeb\x57\x04\x7f\x06\x9d\xf8\x1d\x88\xd2\x9b\xf0\x42\xce\x92\x28\xdb\xd1\x43\x49\x97\x3e\x86\xf7\x8d\x72\x82\x7a\x60\x80\xa2\xce\x65\x29\xd1\x85\x66\x07\x84\x89\x37\xcf\xe5\xcd\x17\x42\x93\xe9\x22\x34\xcb\x0f\x6e\xdf\x65\x30\xf8\x6b\x60\x6e\x48\xe9\xfa\x3e\x1d\x25\x45\x73\x12\x08\x08\xe0\xff\xf3\xd2\x16\x9d\x1c\xf4\x4a\x71\x96\x64\xb7\xf0\xe3\xda\x7b\xb1\x5b\x64\xb6\x2c\x07\x10\x34\x3c\xe1\x5b\xd0\x1a\x05\x64\x2f\x4a\x3f\xa5\x9b\xa6\x05\xd0\xa6\xef\x3e\x5a\xd6\x3c\xd9\x6d\x69\x14\xca\xa4\x06\x34\x98\x7f\x2d\xbe\xeb\x30\x46\x72\x22\x2d\x12\x58\x3b\x9b\xc3\x8c\xf9\xde\x18\xe5\x7d\xe1\x00\
xf2\x63\x67\x7d\x31\xec\x37\xae\xa6\xf0\x4b\x81\x5d\x6f\x4e\x8c\xd5\x70\x81\x0d\xaa\xee\xb1\x41\xdc\x0f\xeb\x60\x0a\xa8\x4f\x4a\xfc\xc3\xbd\x6d\x2e\x4d\x69\xe9\xdc\x4d\xc4\xf7\xa4\x56\x74\xa3\x2a\x62\xd4\x14\x43\x7c\x3a\xa4\x51\x84\xb6\x6c\xe5\x69\x49\x91\x28\xbb\xa0\x6e\x38\x62\x74\x28\xd5\x01\x2c\x65\x1f\x8f\xf6\xd5\xb8\xf5\xbb\xbb\x5b\x1f\x8b\xe6\x03\x89\x58\xbd\x4f\xbb\x0b\xdb\xbe\x1f\x3f\x44\x8d\x78\x5d\x97\x10\xf0\x1b\xe8\x87\x87\x4f\xfa\x1b\xfa\x7e\x5a\x81\x8e\xe7\x46\x4b\xfc\xb5\xf9\xe4\x92\x68\xfb\xbd\x39\x8d\x73\x2c\x15\x57\x9a\x46\x97\x1f\xd7\xf2\x2c\x1c\xc4\xe1\x41\x57\xf2\x92\xf6\x16\x38\xf4\x1a\x58\xbc\xcd\xd4\x98\x6b\x9c\xa6\xab\x66\xff\x5f\x53\x6a\x7b\x09\x25\x1a\x6d\x41\x7a\x3e\x15\x9b\x85\xdd\x21\xd9\xb2\x19\xa1\xa1\xce\xa8\xb9\x6d\xd4\xca\xa0\xc0\xc8\xfd\xf9\x2d\xef\x01\xaf\x6b\xe5\xcc\xc2\x42\x8e\x57\x13\x22\x85\xc3\x7e\x80\xfd\x28\x58\xb4\x94\x57\xd1\xd6\x89\x0e\xae\x38\x90\x62\xd5\x68\x0a\xec\xec\x74\x8c\xef\x59\x18\x7d\x91\xc1\xd4\x5b\x29\x00\xe3\x3b\xe9\x46\x4e\xdc\xeb\x83\x1e\xc4\x44\x57\xbe\x52\x57\x5e\x1d\xf1\xde\x6a\xf9\x45\xdb\xf3\xf5\xc9\xcd\x41\xbd\x8c\x26\xcb\x66\x45\xae\x03\x78\xd9\x2d\x75\x8b\x07\x69\xc5\x15\x4f\x52\xd8\x9a\x8e\x0e\x91\x18\x82\xf6\x9e\x46\x61\x04\x53\x79\x2c\x64\x8e\xb0\x82\x11\x19\x47\xc2\xe3\x35\xcb\x48\x56\xe4\x69\x6f\x7a\x53\x31\x8c\xda\xe6\xc5\x91\xa7\x42\x02\x02\xcf\x03\xf0\x69\x12\x8e\x58\xa3\x82\x2a\x89\x2d\x4b\x4d\x14\xa7\xf3\xe2\x7f\x4c\xa5\x9a\x8e\x47\x1a\xaf\x3c\xe1\xaf\x81\xce\xd1\xdf\x87\x1d\xf6\x09\x91\xac\xcc\x0a\xfc\x19\xc6\xaa\x58\x67\x0d\xcc\x3c\xa4\x04\x66\x6e\xc5\x46\x3e\x95\x4c\x60\x59\x94\x01\x4a\x0b\x2e\xb9\x99\x28\x3e\x7d\x26\x46\xab\x55\xa5\xfe\x5f\xe7\xcb\x5b\x07\x38\xc5\x79\x10\x7c\x43\xfc\xf5\x95\xa0\x95\x6a\x49\x35\xf6\xa7\x86\xd6\x56\x1f\x0b\x09\x94\xcc\xe9\x3b\x29\x9a\x50\xc6\xe4\x24\xc1\x59\x62\x0b\x3d\x05\x37\x6f\xc4\xe0\xb9\xff\xbd\xec\xdb\x67\x98\xdd\x51\xd0\x94\x1d\x31\xcf\x41\x93\xc0\x9d\x05\x8c\x25\x96\x99\x19\x12\x35\x01\xfa\x5e\xa8\xfb\x82\xf9\x80\xa3\x5b\xf0\x15\x32\xc2\xc8\
x31\xba\x35\x22\x2f\x80\x5d\xae\x24\x25\x27\xeb\x71\x27\x05\x53\x94\x60\x52\x84\xd2\x40\x8c\xfa\x10\xc9\x92\xd6\x4d\x60\x9e\x52\x4b\x30\x34\x8f\xfa\x5e\x44\xb7\x72\x57\xad\xba\xb0\x1c\x38\x3e\x81\x2f\x1d\x71\xb6\x13\xad\x16\x0e\xd1\x5c\x21\x6f\x2a\x45\x9a\x91\x7d\x35\x34\x14\x62\xbf\x72\x35\xf9\x1d\x9d\xdd\xc1\xe2\x40\x2f\x32\xb7\xb7\xa9\x98\x74\x81\xce\x66\x11\xbb\x78\x12\x7b\xc8\xb6\xef\xf4\x19\xd3\xc4\xdd\x77\x25\x24\x02\xf4\x32\x6a\x6e\x9a\xff\xc5\x06\x49\x73\x75\x0a\x8b\xba\x9b\xa1\x7d\x64\x64\x8c\xf7\x93\x4b\xd0\x24\x29\x9b\x9d\xec\x58\xd1\x18\xcd\xa3\x44\x8a\x25\x56\xfa\x96\xa8\x57\xc0\x10\x6a\x00\xcd\x0a\x38\x2f\x10\xb8\x47\xe3\xa8\x69\x97\xc2\x4b\xb8\x46\xc3\xdd\x93\x72\xc6\xcf\x28\xd1\x8b\xb2\xa6\xfc\x48\xd7\xba\xc5\x8d\x56\xbc\x84\x50\xc3\xf4\x20\x99\x9b\x63\x47\x86\x4d\x52\xf0\x50\x75\x24\xf4\x16\xe6\xcb\x64\xce\x7c\xa2\x1a\x85\xe8\xd2\xc2\xb1\xe9\x4b\xe2\xde\xa3\x1c\xda\xf1\xf3\x83\x50\x34\x24\xbe\xc4\x4c\x68\xb9\xa9\x14\xf4\x0b\x0a\x66\x27\x2f\x64\xc9\xef\x19\x85\xed\xb9\xca\x6e\x66\xee\x8c\xac\x08\x4b\x39\xef\x78\x01\xb7\x50\xce\x19\x0f\xf8\x96\xc1\x99\xc1\x27\x85\x24\xb1\x2b\x54\x9a\xcb\xf0\x9f\x63\x3d\x87\xf7\x04\x27\x2d\x47\x79\xf3\x25\xa1\xe9\x45\x67\xe5\x93\x32\x97\x15\x5e\x98\x7f\x3b\x32\xe3\xfa\xdf\x2a\x06\xfa\x01\xaf\xc0\xdc\x35\xdf\xb7\xbe\x7f\x57\x76\x26\x4a\x6b\x7f\xec\x98\xdf\x0a\x5a\xff\x8c\x1a\x02\x9b\x6a\x22\xa9\xa0\x51\x18\x8b\xb2\x8b\xdf\x72\x38\xea\xe3\x24\x6a\x1b\xfd\x05\x86\x84\xf7\xa0\x93\xaa\x68\x79\xcb\x6a\xda\xe5\xa7\xcd\x5e\x12\x19\xa0\xd1\x6d\xee\xf1\x44\xb2\xbe\x90\x39\x01\x44\x74\x0a\xc2\x4d\xa3\x80\x17\xc1\x05\x66\x92\xb3\xb6\x65\x92\x21\x5a\x62\x3d\xac\x91\x3b\x33\xb9\xd5\x6b\x47\xcf\xa9\x18\xd6\xd9\x0c\xaf\xf0\x1a\xa4\x45\x35\x49\x23\xef\xa1\x9e\x8b\x0c\x79\x70\x82\x50\x5d\x54\xf2\xfa\x48\xc5\xad\x96\x63\x2f\xe1\xb6\x2a\x2e\x34\xd0\x85\x76\x22\x07\xd9\x35\x4a\x9f\x03\x9d\x68\x8e\xaf\xe1\xb5\x12\x83\x67\xfd\xd3\xbe\x22\x55\xac\x11\x0d\xf0\x5d\x10\x9b\x86\x9f\x33\x4b\x93\x2b\x29\xbe\xb6\x87\x87\xe2\x0a\x8a\x9f\x37\x31\x18\
x9c\x95\x7e\x53\xc6\x96\x73\xe8\x63\xae\x1d\x49\x88\x8d\x6e\xda\xb9\x6e\xed\x78\x6c\xb8\x14\xd1\xa6\x2b\x68\x9c\x29\x4c\x48\x2e\x84\x19\x96\x22\x99\x04\x10\xb6\x7f\x6d\x18\xb8\xcd\x31\x19\xf1\x9a\x66\x7d\x34\x1b\xb7\x83\x88\xff\xe1\x5a\x0f\x64\x32\x7f\xe9\xb8\x06\x5b\xe9\x03\x54\xc1\xfa\xcb\x74\x66\x2e\x2d\x9c\x6d\x02\x24\x8d\xa0\xc8\x0c\x87\x26\x45\x59\xf6\x48\x15\xb8\xb9\xdd\xff\x72\xa9\x44\xeb\x23\x48\x88\xf5\x3d\x1c\xc8\xbe\xd4\x38\xbd\x99\xa2\x07\x4f\x75\x3d\xb2\x9e\xfd\x06\x78\x8c\x7f\x44\x76\xef\xee\x3e\x92\x80\x94\xc0\x32\x6a\xf8\xc9\x17\x1d\xb6\x0b\x1a\x37\xc7\xbd\x56\xd1\x13\x29\x1a\xa9\xa2\x60\xea\xfc\x12\x68\x1e\xb6\x2b\x1e\x70\x63\xb1\x51\x73\xe2\x74\x90\xd8\x4d\x47\xe3\xc7\x56\x6e\xc4\xfc\x1e\xc6\x35\x50\x57\xb2\x2c\x2a\x0f\xd9\x4b\x8d\x90\xb6\x48\x64\x9c\x73\xac\x46\x04\x9c\x01\x1d\x67\x41\xfb\x6d\x89\x56\x14\x3b\xcb\x17\x1f\x4b\xba\xdf\x01\xd1\xca\xe0\x7c\x31\x78\xa8\x46\x90\x01\xdc\xa3\x7a\xb3\xae\x03\x90\x95\xfb\xda\x7f\x05\xdf\xad\x20\x53\x55\xa5\xd6\xef\xf8\xf0\x9c\x32\x47\x58\xa7\x44\xde\x5f\x43\xb6\x94\xf8\x34\xf6\xe5\x98\x3f\x2a\xee\x32\x09\xce\xf4\x63\x54\xdb\x41\x30\x5a\x09\x3a\xb7\x8c\x80\xa8\xfb\x2e\x8a\xb7\xb1\x73\x33\x7b\xcf\x29\x3c\x65\x94\x9a\x4c\x01\x37\x8c\x94\xce\x7c\xd7\x09\xe7\x98\xbe\xf8\x27\x9d\x4a\xd1\xe7\x34\x6f\x4b\x9f\xda\x6d\x29\x2f\x1e\x66\x99\x62\x2c\x1b\xbc\x4b\x02\xe8\x83\xb3\x0e\x77\xcb\xa7\x51\xbc\xfd\xd6\xef\xd6\x7f\xcc\x56\x5c\x00\x36\xf1\x3e\x13\x8d\x81\xd6\xf5\x8d\x34\xe6\xa2\x51\x61\xf2\xa8\x56\x00\x29\xf9\x12\x05\x32\x40\x1f\xb6\xd7\xdd\xef\x43\xf9\xea\xe9\xee\x3c\xd2\x3f\x14\xa1\xf0\x26\xf4\x0a\x9f\xba\xc6\xbe\x6a\x15\x90\x27\xd7\xe8\x7a\x53\x65\x01\x0d\x27\xb0\x9d\xf1\x3d\xfd\x32\xa7\xe7\x5d\xcc\x14\xd9\xda\x85\xd8\x40\xa1\xbb\x91\xbf\x95\xdd\x75\x89\xef\x4f\x4a\x30\x7d\x3c\x74\x1d\xf2\x50\xe3\x4d\xe9\xff\x0f\x15\x15\xa9\x79\xc1\x2f\xca\xea\x17\x0d\x34\x44\x67\x8b\x96\x3c\xcc\x5b\x3c\x06\x56\xaf\x7e\x67\x6b\xf7\x4d\xe9\xc8\xcc\x9c\x70\xb5\x0c\x38\x06\x10\x8f\x6c\x9e\x92\x0a\xcc\x25\xf1\x3c\x3b\xf5\xe9\x10\x18\
x9e\xa8\xe0\x46\x61\xb9\xf6\x27\x1d\x34\xe2\x42\x8b\x3f\x5c\x86\x0f\x7a\x41\x37\xc7\x9a\xb4\x09\x20\x64\x56\x34\xf9\x03\x89\xec\xde\x1b\x23\x98\x84\x24\x4c\xa3\x5e\xb5\x59\x2b\x48\x56\x4f\x23\x07\xde\xf1\x6c\x6a\x99\x43\xab\xd7\x30\xff\x0f\x2d\xd4\x7b\x0d\xb1\x19\xc8\x40\x03\xfc\x29\xfc\xe3\xed\x9f\x17\x35\x7a\xab\xc7\x09\xed\x6a\x09\x34\x8d\xa8\xe2\x82\xbb\x0f\x7e\xeb\x6d\x98\x53\xed\xd5\xee\x21\x45\x36\xa5\x5c\x83\x34\x01\x20\x48\x8d\xca\x92\x3e\xc5\xa4\x61\x84\x0d\x20\x07\x5a\xc5\x37\xba\xa4\xdf\xb7\x80\x46\x96\xa8\x9c\xb9\x9c\x82\xcc\x9e\xa9\x21\x2c\x70\x97\x4c\x93\x16\x16\xe9\xbf\x8c\xce\x8f\xaa\x21\x5d\xea\x85\x50\x6c\x71\xed\xf7\x98\x2a\xef\x07\x4e\x1a\x04\xed\x46\xa7\x22\x1b\xeb\x11\xdb\x3c\x3c\x4e\x30\x76\x74\x56\xdd\x39\x5e\x3f\x22\xc0\x48\xb0\x69\x53\x3b\x1e\x34\x7c\x20\x56\x5a\x74\x6f\xbf\x07\x86\xba\x75\x13\x98\xd2\x26\xbb\x58\x3c\xdb\xc7\x89\xa1\xe7\x8c\x07\x5e\x8b\x53\x5c\x17\xbe\x36\x42\x77\x96\x51\xaa\x33\x56\xc9\x28\xbd\x60\x1c\x6f\x70\x4e\x79\x96\x85\x21\x03\x67\x21\x90\x89\xf2\x41\xc9\x36\x52\xaf\xb3\xf0\x57\x9b\xa4\x73\xea\xdc\x1c\x5a\xab\x58\x9b\x61\x8c\x80\x1d\x71\x1e\xaf\x00\xd9\xef\x73\xa3\xa6\x3f\xaa\x06\x92\xd7\x66\x2c\x6e\x61\xd7\x73\x00\x97\xb1\x1a\x9e\x98\x95\x76\x35\x33\xe3\xb8\x25\xb5\xeb\x65\x48\x11\xe8\x0b\x6e\x67\x13\x6d\x6e\x6e\xc1\xbd\xf2\x3e\x34\x7a\xc0\xdc\x50\xd8\x45\xa0\x2f\xb1\x1e\x87\x64\xc7\xcb\xd1\x98\xf8\x03\x7c\xe9\xcc\x4d\x38\x88\xcf\x50\x9e\xf9\xe5\x5b\xa5\x67\xd5\x00\x89\xc6\x9a\x6f\xc2\xa1\x02\x90\x88\xe4\xbb\x86\x60\x6f\x25\xd8\x65\x51\x28\x65\x74\x23\xce\xfb\xec\x47\xff\x5c\xee\x05\xb6\x1c\x35\xe4\x7c\xe9\x2d\xd8\x5b\x86\xaa\x83\xfc\x3d\x37\x06\x9d\xba\x58\x32\x77\x9e\x04\x79\x7e\xe4\x51\x0f\x3e\x86\x0a\x5d\xb6\xc4\x1a\x6c\xfc\xc4\xf2\x7a\x9b\x90\x54\x91\xfa\x56\x0b\xc4\x9a\x1d\xec\x70\xf9\xb6\x9a\xe6\x93\x62\x97\x3a\x12\x3e\x07\xf5\x41\xac\x3a\x3a\x94\x31\x60\xd3\xd6\x31\x40\x49\xc9\x53\x1a\x1f\x72\xb7\x4c\x1c\xc5\xc0\x31\x7f\xcc\x7b\x45\xd8\xf1\xdd\x92\x36\x2b\x1e\xc0\x73\x8a\xd5\xc8\xd9\x9e\x9f\xf4\x4d\x3d\xb2\
x41\xe1\x31\x5d\x0f\x14\x48\xe6\xf1\x00\xa5\xdb\x6f\xd5\x71\x5c\xa0\x46\x22\x13\x41\x64\x53\x38\x71\x50\x0e\xde\x0f\x2d\x35\x8b\x31\xf8\x56\x36\x32\x80\xb9\x92\xe4\x9b\xa8\xe5\x92\x09\xbd\x91\x8e\x11\xff\xe3\x27\xd9\x73\xb2\xbc\x54\x53\x7f\x54\x07\x30\x17\x85\x6f\x0b\xb7\x68\x22\x47\x57\x6a\xf4\xd2\x7d\x8b\xe2\x61\x1f\x90\xad\x38\x4f\x11\xde\x84\x7c\x24\x73\x4b\x74\x7f\xfe\x2e\x5c\x85\x49\x00\x9f\xb1\x19\x8b\xce\x2f\xb0\x48\x4f\xc6\x68\xaa\x28\x85\xc7\xc0\x15\x38\x5e\x2b\x58\x8c\x95\x0f\xde\xca\xdf\x30\xad\xf6\x5a\x71\xf5\x64\xe0\xfa\x93\x72\x4b\x8d\xe0\xac\xab\x7c\x3f\xaa\xad\x13\x84\x8e\xbf\x7d\x70\xbb\xc4\x47\xd6\xd9\xdd\xb4\x6a\xf6\x31\xb0\x8e\x4c\x34\xf4\xaa\xbd\xa8\xe5\x0d\x9f\x73\xc3\xff\x3a\x60\x03\x81\xa7\xf8\x4a\xac\x18\xaf\x41\x87\xd1\xbc\x18\x73\x14\xb2\x40\x38\x7f\x29\xeb\xe8\x32\x8a\xce\x89\x65\x43\xb2\x3f\x8d\xb1\x20\x1d\x51\xee\x90\x42\x43\x65\x78\xd1\x27\x3c\x9b\x97\x4b\x27\xfc\x9b\x71\x71\xf4\x39\x11\x17\x54\x1d\xc8\xe8\xe5\x82\xef\x9d\xeb\x11\x60\x6d\x49\x35\x57\x7d\x13\xe3\x91\x2f\x98\x7d\xac\x22\xe1\x4c\x7c\xab\xf8\xdb\x41\x3a\xc7\x96\x38\x1f\x3d\x45\x01\x5c\xe6\x1e\xa3\xb7\x37\x63\xd2\x02\xdb\xe1\x18\xbe\x06\xe7\xd0\xf6\x24\x5c\x71\x81\x86\x14\x81\x21\xba\x61\x19\x2e\x62\xb2\xac\x87\x52\xcb\xa6\xf2\x87\x3f\x4c\x59\xae\x40\xb8\xb9\xc5\x15\xcd\x6a\xd8\x88\x84\x0e\x65\x7a\x11\x47\xa8\xb0\x96\x12\x3d\x73\x8e\x1c\xc1\xb5\xeb\xbe\xec\x6f\x15\xcb\x10\x42\xed\xda\x5c\xf7\xa5\xb2\xb0\xa0\x71\xa2\x68\x77\xbe\xed\xaa\x9e\x24\x32\xef\x85\xf7\x2a\xbc\xeb\x7c\xcd\x73\x36\x27\xcb\x12\xd4\xcf\xe3\xd9\xc9\xd8\x85\xa0\xb0\x89\xdb\x05\x6b\x02\x92\x28\xe6\x45\xf7\x4d\x92\x84\x69\x5b\x08\xa6\x7f\x7f\x92\x28\xe9\x80\xc0\xc3\x64\xd0\x31\x2b\x10\xf6\x25\x6c\x9a\x2d\xe4\x83\x29\x32\xb6\x98\x97\xd0\xf2\x9f\x70\xf1\x8d\xde\x25\x7a\x94\xd9\x6e\xc7\x6d\x71\x67\x3e\x95\x98\x32\x64\x7f\x6a\x74\x45\x82\x35\xe8\x00\xdf\x80\xb7\x18\xbe\xdb\xe9\xb2\xca\xfe\x1a\x98\xad\x89\x34\x1a\x56\x6d\x20\xca\x13\xaf\xb2\x89\x85\x6f\x79\x53\x05\x66\x12\x60\x65\x19\x27\x99\x89\x9c\x02\x43\x31\
x7f\xee\x5b\x22\x11\x6d\x9d\xfe\xa0\xc4\x25\x1d\x89\x8d\x57\x44\x43\xd8\x0c\x4d\xaf\xd5\x61\x65\xf2\xcf\xb5\xa2\xdb\x62\xe7\xfc\xb9\x78\x70\xea\x56\xdd\xca\x1c\x27\x32\x75\x48\x09\x9b\x79\xd3\x8f\x9d\x6d\xd2\x4a\x65\x65\x73\x1b\x2a\xfc\x0d\xdc\x12\xa3\x5f\x96\x05\xb2\xe7\xe7\x57\x53\xfa\xab\xe2\x81\x7d\xd1\x1e\x3f\x9f\xe7\x6c\xb2\xb8\xbf\x18\xd4\xf4\x19\xaa\x96\x58\x4c\xf9\x89\x99\xfc\x0f\xe4\x2e\x54\xb0\xe7\x9d\xfd\xd4\xc5\x7f\x55\xc0\x7a\xd1\xca\x33\xa4\xde\x6f\xba\xa7\x80\x18\x5e\x36\xfc\x3e\xc7\xc5\xf1\x04\xc5\xda\xda\xc7\xcc\xcb\xba\xcc\x5a\xbe\x21\x7e\x4e\x61\xef\x6c\x36\x60\x57\xd1\xcf\xb1\xa5\xde\x8c\x75\x68\xda\xd7\x69\xc8\x8a\xfd\x8e\xc1\xbf\x56\x11\x7c\xed\x76\x0e\xd3\x01\x90\x21\xc3\x2b\xed\xd7\xea\x87\xfb\x67\x0c\xa3\x24\x84\x61\xdf\x64\x60\x07\x04\xf1\x16\x51\x58\xcf\x9d\xb2\xb5\xc6\xf4\x56\x3b\x9f\x10\xa3\xa6\x69\xf3\xa9\x45\x21\xbe\x8e\xd5\x1c\x90\xc4\x5c\x59\x48\x9c\xde\x96\xcc\xd1\x18\x44\xc6\xca\xbf\xb1\x65\x0e\x19\x4c\xdf\x17\xaa\xf8\xad\x0b\xf9\x17\x14\xc7\x02\xea\x60\x75\xc0\xc3\x36\x18\x44\xec\xea\x0f\xc9\xad\xe8\x3a\x42\xcd\x91\x8f\xbb\x4c\x90\x90\x66\x73\x98\x18\xcb\xf7\x7a\x3d\x71\x64\xc3\x60\x7d\x8c\x0e\xfe\x3c\x8e\x85\x24\xfd\xf1\x5d\x33\x21\x0b\x43\xca\x55\x1b\x9a\x67\x26\xa5\x60\xa2\x74\x24\x66\x2f\x5f\xd9\x72\x02\xf9\x2a\xb8\xca\xc1\x20\xdf\xb1\x37\xc3\x36\x8c\xaf\xb7\xc1\x48\x35\xd8\xad\x15\xd1\x8b\x3e\xc4\xfe\x3c\x74\x1b\xe3\x90\x65\x71\x1a\xbc\x30\xa0\x0d\x31\xa2\x09\x36\xd2\xfb\x66\x23\xb1\x27\x42\x7b\x2d\x46\x05\x45\xf4\xeb\x25\x68\x1b\x46\x1f\xbc\x3a\x1a\xc6\xdb\x3b\xdf\x1d\x89\x02\x97\x76\xe0\x4b\x9c\xbf\x3e\x1e\x46\x07\xf3\x63\x23\x36\x73\x8b\xd9\x5c\xfc\x81\x2d\xe5\xe8\x2e\x0c\x6a\xa8\xd0\x19\x07\xe1\xf3\x75\xac\xb1\x80\x10\x69\x5e\xa3\xa2\x42\xd2\xb3\x60\xee\xd6\xf0\x77\xa0\x08\x68\x06\xa8\x8e\x2b\xe9\x9d\xef\xc3\x46\x0d\x81\x17\x5d\xec\xb6\x97\x3e\x54\xe7\xff\x1c\x29\x14\x8f\x04\xd1\xa9\x6c\x68\xd4\x3f\x03\x6e\xc2\xe4\xa5\x4b\xeb\x80\xf8\x8b\x8c\x71\x1a\xa0\x1a\x74\x57\xf5\x8d\x72\xaf\xe5\x68\x49\xfd\x09\xd2\x77\xe3\x01\xce\
x64\x40\x2b\x0b\xc2\x0d\x43\xea\x78\x74\x54\x86\x97\x2a\x8b\xd6\xf5\x79\xd8\xd8\x2b\xd3\x1c\x8c\x86\xb7\xe8\xa3\xb2\x72\xd1\x6d\x38\xfc\x64\x80\xd2\x13\xc0\x30\x00\xad\xda\x6e\xb5\xe0\x08\x71\x87\x92\x64\xeb\xa4\xb0\xf9\x5c\x92\xe1\x0b\x79\x73\x81\x11\xba\x0c\xfd\xd1\xde\xeb\x39\xc9\x1e\xb4\x07\xe5\x98\x81\xbf\x53\xea\xd7\x8f\x7a\xd3\x50\x29\xec\x22\xb5\x83\xaf\x27\x44\x15\x25\x46\xc3\x98\x28\x50\xb4\x49\x41\x5e\x4b\x79\x0a\x2d\x03\x2c\xae\x50\x31\x9c\x3a\x15\xe0\x09\xae\xee\xfe\x71\x00\x73\x78\x19\x7e\x51\xdf\x97\x37\xee\x36\xd9\x54\x03\xa5\x62\x2a\x00\x7e\xb5\xdf\x41\x02\x33\x37\x6e\x51\x31\x82\x24\x62\x54\x0e\x6e\xbb\xf6\xd4\xe2\xdc\x46\xbe\xb7\xea\x3b\x2c\x22\x19\x97\xc2\xba\x3c\x26\x73\xc1\xb4\x4f\x7c\xd8\xc8\x6a\xac\xdd\x89\xe8\x70\x00\x73\x93\xab\x35\xc4\x85\x74\x29\x13\xf4\xfc\xef\x3c\x5c\x4d\x5c\xfe\xba\x1e\xcb\x50\xef\x05\x03\x7d\x54\xaa\x3f\x5e\x69\x94\x11\x40\x26\xf5\xcd\xa7\x5e\x18\x56\xb3\x1e\xfc\x5b\xf0\xda\x81\x09\x97\x84\x46\x30\xa0\x0a\xbd\x3a\x1c\xa3\xc6\xc9\x39\xe1\xe7\xf7\xc2\xd1\x71\x71\xea\x26\xfc\xd3\x1a\xe7\x17\xc0\x40\xb3\xc5\x94\xcf\x06\xa5\xc1\x25\x76\xbc\x18\x82\xd1\xe0\x45\x7a\x99\x38\x7f\x74\x6f\x15\x12\xd1\x5c\x86\x7c\xfd\xaf\x35\xfb\xf0\xe6\xbe\xec\x95\xc8\xc4\x2a\x3d\xd6\xae\x19\x47\xc6\x69\xfc\xd0\x10\x50\x80\xd8\xa9\x89\x4d\x93\x45\x21\x39\x08\x35\x74\x56\xb5\xdb\x7d\xea\x0f\x3f\x53\x29\xff\xd3\xc8\x90\x8f\x50\x47\xe3\x6a\x94\x1f\x90\x91\x2e\xcb\x4c\x01\xec\x56\x7c\xbe\xb0\x9f\xad\xe5\xec\x9b\xf4\x14\x2e\x24\xef\xf3\xac\xd2\x6b\x1d\x46\xd9\xfc\xab\xdb\x09\x70\xa1\x9b\x45\x79\x47\xab\xda\xac\x79\xa3\x69\x2b\x7a\x0d\x70\x3c\x02\xfd\x3d\x7c\x43\x3d\xcb\x59\xf9\x79\xa3\xa9\x1e\x3f\xc9\x50\xa5\xdf\x58\x54\x65\x69\x63\x97\x47\xc4\x34\x7c\x4e\x1a\x1f\xd0\x8f\x9a\xa8\x0c\xa5\x12\xd3\x6e\x6f\xac\x84\x61\xfa\xc7\xac\x93\x46\x7b\xea\x71\xfd\x28\x6b\x5f\x69\x2d\xdb\xc6\x99\xb9\x88\x7d\x31\x15\x9d\xe1\x07\xc0\xec\x97\xdb\x3b\x37\x77\x1c\x82\x61\x92\x51\xe9\xe0\x87\xe7\x97\x0e\xc1\x3e\x97\x1a\x85\x7a\x3d\x87\x1d\x13\xd8\x9d\xd6\x18\x43\x1d\x57\
x75\xf9\x25\xf0\xbe\x14\x11\xf4\x94\x70\xe1\x42\xb1\xce\xef\xa6\x69\x28\x0d\x6e\x9a\x52\xe8\xc8\xeb\x38\x7d\x22\xf2\xfa\x8f\x5b\x77\xbd\x2a\xea\x73\xa0\xa2\x9c\x84\x47\xa6\xad\x29\x2b\x1e\x4b\x44\x6c\x6e\xd0\x08\xc0\xa6\xba\x97\xd1\x5b\xcb\xaa\x10\xb1\x6d\x7b\x1a\xd9\x49\x8b\xf5\xb8\x68\x59\xfd\x9c\x03\x2e\xab\x98\x93\xbe\x93\xb1\xe9\xf4\x5c\x9d\xc1\x9a\x78\xc4\xfe\xa5\x89\xd3\x93\xe8\xed\x9d\xbe\x54\xbf\xad\xf5\xcd\x11\x0e\xb7\x6a\x2a\xdf\x8b\x9d\xd2\x3a\xc0\x57\xbf\x1a\xb6\xba\x1d\x04\xc0\xc6\xda\xc4\x82\x50\xda\x3d\x25\x64\xce\x90\x4d\x67\xe6\x9c\x5d\xec\x58\x2d\xa5\x7e\xde\x76\xd9\xaa\x85\x49\xbf\x50\xa9\x0d\xcc\x0c\xab\x97\x7f\x5d\x73\x00\xfc\x0d\x86\x86\xe3\xbe\x13\xb8\x4a\x7a\x14\x1b\xb7\x92\xc3\x97\x58\xb0\x04\xd8\x4a\x0f\xf8\xc9\x30\xe4\xe0\x3c\xb3\xc1\x34\xe6\xe9\x00\xfe\x41\x64\xe5\xb5\xe0\x6b\xa4\xce\x62\x87\xb7\xb0\x0a\xcf\xdb\x05\xf4\xaf\xc0\xf4\xcb\x1b\x0e\x38\x3e\x4b\x69\x17\x1b\xda\x38\x9a\x2d\x00\x96\xb0\x67\x7d\x79\x3f\xaf\x22\x70\x2f\x3e\xdc\xda\x47\x82\xdf\x48\x30\x2a\xe3\xba\x1e\x05\x60\xf2\xc1\xbc\x7c\xda\x89\xac\x42\x14\xe8\xba\x79\x1c\xd6\xfb\x08\x92\xa1\x1b\x3f\x87\x81\xcf\x4d\x1b\x07\x31\x95\x92\x2d\xa6\xb7\x11\x16\x05\x96\x56\x0b\x53\x5c\x5c\x97\x6e\x42\xa8\x66\x24\xa3\x4f\x74\xac\x66\x46\xc0\xfd\xa0\x57\xa3\x13\xf7\x9d\x2e\x2f\x9c\x9f\xee\xab\xcd\x39\x9c\xd2\xe7\xe0\x8c\x9f\x02\x29\xc2\x66\x64\x8c\x78\x75\xca\x23\x0c\xfe\x4f\xed\x9f\x2d\x3d\x0d\xeb\xe6\xb5\x36\x85\x5c\xeb\xcb\xdb\x54\x60\x92\x0c\xea\xae\x25\xa1\x5c\xee\x7a\x00\xae\xdd\x72\x19\x53\x7d\xfc\x72\xd3\x33\x2d\x26\x43\x61\x5c\x7e\x17\xb5\x5a\x90\x3f\x8f\x25\xd0\x2f\xd6\x1d\x4c\x56\xc2\x32\x85\xd5\x2e\x0c\x23\xbb\x25\x16\x2b\x10\xd9\x33\x9b\x72\x74\x6b\xe7\xda\x47\xe9\xfa\x05\x22\x69\xda\xf6\xa0\x12\x2d\xe4\x9f\xb4\xd2\xc9\xb5\xd7\x8b\x70\x96\x23\x11\x3c\xb7\x1d\x42\xa5\xab\x08\xda\xa6\x01\xec\xd0\x94\x6a\x79\xda\x44\xcb\x1c\x3a\x5c\xfb\x64\x60\xe2\xcb\xd5\x9b\xf3\x56\x93\x09\xa4\xd4\x17\x77\x39\x80\xcd\x90\xad\xb6\xab\xe4\x75\x95\x4b\x05\x6e\x12\xc7\xe9\xe4\xb7\xef\xd2\x43\x96\
xe7\xa9\xd6\x2f\xfe\xd4\x2c\xaa\xba\x45\x98\xa8\x9b\x14\xd8\x5d\x1c\xa3\x97\x27\xbf\xa0\x85\x90\x4c\x1e\xb5\x4d\x24\x27\x3d\x0a\x97\xfa\x59\x3b\xdd\xbc\xf4\x60\x8c\xef\x45\x6a\xb4\x17\x03\x16\x07\x33\x15\x16\xc8\x05\x79\x2e\xbd\xfd\x8d\x10\xe5\xed\xdc\x9f\x50\xdf\x88\x85\x71\xf9\x79\x75\x03\x94\xfe\xff\xdf\x87\xeb\xc9\xe8\xa8\x53\x4f\x89\x37\x2a\xfa\x8e\xac\xf0\x6d\x34\xb9\x74\x25\x0a\xc1\xba\xe5\xc0\x7e\x63\xb7\x46\x47\x19\xdb\x5e\xb1\x69\x34\xde\x34\x01\x93\xbf\xce\xe2\xdf\x0b\xfd\x92\x50\xdd\x44\xf3\xf7\x3e\xb4\xa4\x3f\x99\x0f\x2e\xdc\xa9\xb5\xfd\xd4\xac\xa4\xea\x21\x7e\x14\xb6\xd7\xc5\xa3\x20\xfd\x5e\x4c\x72\x88\xcd\xcb\x4e\x20\x76\x00\x4a\xd6\x61\x81\x9b\xda\xe6\xcf\xba\xd2\xdc\x0b\xce\x61\x23\xc4\x8b\x14\x23\xb2\x2e\x3f\x85\xcc\x2f\x31\x07\x1d\xd1\xcf\xa3\x87\xbc\xa0\x9a\x2d\xd9\x9c\x29\xe6\xc0\xcd\x8d\x51\x90\x1d\x74\x85\x81\x3d\xa7\x32\xc9\xa7\xe2\xfc\xcd\x42\x7d\x43\x9b\xfe\xc1\x07\x87\x4f\x87\x7e\x9b\x0a\xa5\xe1\xbd\xad\xd5\xa1\x85\x47\x99\x65\xe9\x5a\x3c\x2f\x66\x91\x2d\x44\x1c\xb7\x5e\x44\x69\x57\x3b\xf5\xa4\xc5\x3f\x58\xd2\x7a\xbd\x5e\x68\x42\x2a\xef\xce\x50\x1c\x6d\x8d\x95\x42\xb6\x1e\xa6\xbf\xd6\xfd\x2b\x6b\x33\x6c\x89\x61\xf4\xee\xa7\x20\x88\xd0\x69\x70\x89\xd1\x76\x82\x0a\x10\x3d\x09\xd9\x5f\x3e\xf0\xbd\x28\x98\x2e\xef\x77\xfc\x1b\xbf\xe7\xde\x1b\xfb\xe3\xd5\x0a\x93\x21\x88\x66\xfc\x48\xf6\x28\x01\xc7\x15\x39\x7d\xdf\x1f\x36\xd9\x77\xf2\xb5\xb2\xb7\x6f\x2e\x1d\x64\xc6\x10\x6a\x88\x9b\x80\xb4\x1b\xe5\x19\x94\x0c\xe2\x2f\xf0\x36\x4f\xaf\xb7\x03\xcf\xcd\x7b\xf7\x80\x8e\x41\x50\xac\x7d\x7a\xf1\xf0\xb5\xae\x82\x1c\x9b\xf1\x63\x74\x0d\xb1\xb5\xa3\x66\xe2\xdb\x4a\x02\x92\x10\x00\xd6\x07\x52\xd7\x43\xcd\x58\x4c\x48\x59\x0a\x31\xe2\x7c\xb4\x0d\x7a\xd8\x9a\xbd\x2c\x8e\xe8\x11\x76\x78\x98\x88\xbc\x48\xe8\x2a\x63\x00\x84\xc5\x9d\x4d\x34\x46\x4a\x52\xd5\xf2\x6d\x22\x14\x79\xb4\x51\xef\x3c\x2a\x6c\x81\x66\xb6\x64\x09\x9d\xaa\xf8\xe7\x4e\xac\x84\xdc\xfe\x3e\x86\xd5\x3b\xcd\x3b\x2f\x03\x37\xc8\x03\x7d\xb0\x7b\x65\xf7\xcd\x26\x5d\x2a\xc1\x95\xf8\xf5\x8e\x00\x96\xac\
x1f\xb6\x54\xb9\x57\xfc\xa3\xef\x32\xab\xcf\x91\x6b\x55\x8b\xff\x85\x4d\x09\x9a\x2c\x9f\xb8\x88\x9f\x39\x8b\x53\x51\x41\x17\x0e\xa0\x36\xf9\xe5\xa7\xa2\xfe\x1d\x14\xf4\xa5\xa6\xdb\x8c\x03\xb0\xa7\x7f\x6e\x3b\xe9\x64\x81\x05\x06\x11\x35\x59\x59\xf6\x5e\x67\x81\x64\x54\xed\xa4\xcd\x84\x36\xd6\x64\xd6\xe6\xd9\xfc\x2f\xf2\x48\x95\x92\x3f\x10\x67\x70\x45\x8d\xc8\x75\x93\xc3\x91\x91\x2e\xda\x79\xa6\xe8\x71\x4b\xb4\x37\xc8\x6b\x97\xae\xbe\x10\xad\xde\xf3\x62\x84\x32\x38\x4e\x5a\x52\x83\x06\x7a\x80\x69\xa8\x92\x47\x3c\x05\x44\x68\x03\xce\xe1\x31\x09\x6d\xfb\xcd\x4a\x08\xf3\xe0\x8b\xc1\xdb\x84\x70\xd3\xab\x04\xc4\x80\x91\xf8\x24\xcb\xc4\x4a\x22\x15\x1f\x21\x71\x9a\xc2\x9b\x90\x43\x82\x2b\x29\x8b\x17\x82\xfa\x4f\x7d\x55\x6c\x41\xcc\x38\xd4\x34\x22\xf3\xda\x35\xcb\x3e\x45\xa5\xd2\x29\x6a\x1c\xfc\x1c\xcb\xeb\x9e\xa3\x49\x77\x2d\xa9\xa8\xc6\xb7\xca\x0d\xb7\x29\x92\xf8\xb4\x86\xb4\x26\x6f\xb6\xd4\x47\x96\x30\xfa\x39\xbd\xbd\x5f\xaa\xaa\x5b\x47\x51\x4f\x37\x80\x5e\xdb\x61\x85\xb3\x3b\x5b\x82\xdf\xb8\x5d\xad\x17\xed\x9f\xc8\x20\xd1\x78\xc4\x43\x3f\xae\x2b\xf5\x0f\xb5\x6f\xf5\xd8\xd7\xf7\x2e\xbb\x91\x3b\x88\x12\xce\x80\xfb\x00\x0c\xf3\x56\xf6\x69\xae\xb2\xb4\x8c\x8f\x67\x5c\xd0\xc0\xa5\x71\x08\x2f\xdb\x0e\xe1\xb1\x3b\x7a\xd2\x23\xcb\x68\x6f\x8b\x6e\xa5\x11\x19\x2c\x5d\xca\xab\xe2\x70\x26\x50\x37\xb7\xa7\xff\x48\xa1\x10\xf6\x60\xe0\x45\xe6\xe5\x1d\x6f\xfa\xce\x61\x7a\x5a\xd8\x5c\xac\x70\x4c\xc2\x57\x6b\x22\xaf\x27\xbf\x84\x2c\x1f\xce\x89\xf7\x1f\xb1\x88\x68\x57\xd1\x87\xad\xf3\x64\x47\xda\x8e\xde\x27\x97\xbb\xb4\x1b\x4b\xa5\xf0\x94\x11\x09\x44\x08\x35\x7a\xc6\x86\xf0\x90\xdc\x75\x58\x4f\xb2\xd0\x0d\x6e\xb5\xf1\xd5\x45\x63\x3c\x1a\xab\x04\xa6\xa9\x47\xe4\x9e\xb4\x5a\x0a\x73\xe7\xd0\xc6\xc4\xac\x5f\xac\xf4\x08\xa0\xcf\xde\x43\x9d\x86\x1d\xba\x90\xea\x9c\x57\x58\xbb\xa9\x09\xaa\x4d\x5b\x71\x42\x32\x07\x23\xb0\xfb\x55\x38\xfa\x33\x5e\x62\xd1\x4b\xf3\x60\x8a\xeb\xbd\x76\xff\x2b\x0d\x01\x3a\x4d\x5a\x4d\x46\xfb\x24\xa0\x47\x46\x0b\x5d\x63\xa6\x0d\xea\xa4\x3c\x63\xa9\x8b\x51\xc5\xaa\x0b\x3d\
xac\xef\x60\x23\x41\x86\xf4\x5e\xd9\x61\x4f\x0e\x88\xb0\xb3\xa4\x53\x0c\x88\xa3\xdb\xea\xea\x40\x29\xcc\xfb\x1a\xa0\xbb\x8e\xa4\x52\x2c\x51\x25\xa3\x8d\x97\x72\xb7\xde\x03\x3a\xf7\xb2\x81\x2e\x89\xbd\x58\x19\xd2\xd0\xf3\x7a\x15\x6b\x70\x1e\xff\xa2\xf0\xb7\xfc\xe9\xc2\x87\x24\xae\x0e\xb3\x27\xc2\x5c\x8e\x36\x18\x78\x10\xaa\xa1\xa3\x3c\xc6\x9e\xa8\x48\xe1\x2f\xda\x7a\x27\x48\x67\xf4\x77\x95\xe1\x68\x95\x41\x96\x9e\xf7\xf6\x8d\x65\x9c\x3a\xd6\xc7\xf6\x72\x51\xac\x05\xa8\xee\x17\xc5\xd7\xc2\xdc\xb9\x2b\x4a\x54\x5f\x3d\xb5\xbf\x08\x14\x4a\x71\xf2\x9f\x76\xf7\x07\x81\x92\x9b\x06\x45\xf7\xa2\xd3\xcc\x3e\x97\x40\x1f\xfc\x4c\x70\x02\x4d\xf3\xa8\x8a\x3b\x80\xd8\xbb\x4a\xe9\xd2\xd4\xc0\xd1\x17\x24\xfa\x12\x82\x76\x0b\x1c\xc8\x12\x00\x84\x01\xd6\x9b\x8f\x79\x31\xf3\x6a\x72\xe3\x2c\x5d\x8f\x3a\x3f\x23\x3e\x86\x36\x7b\x48\x85\x2c\x0f\xd2\xd1\xf2\x59\x55\x34\x06\x16\xcb\x57\xe7\x9d\xb0\xe0\xa3\x7b\x81\x62\x76\x34\x02\xd0\xb8\x64\xdb\xf0\xa9\x0d\x50\x37\xc8\x8e\xba\x9f\xa8\x09\x98\x08\xcf\x84\x56\x4d\x2e\xd2\xbd\x00\x24\xb7\x19\xb7\x62\x28\x27\x9e\xe3\xc9\x07\x27\xf3\xae\x67\xe5\xcc\x7d\xd7\x6e\x8a\xf1\x67\xc4\xb1\x1e\xe9\xf1\xe3\x49\x5e\x05\x06\x1f\xe5\x20\x44\x5c\xd8\xfe\xdd\xc4\x76\xf5\x0b\x40\xbf\x73\xe4\xf9\xc1\x4e\x49\x1c\x11\x42\x30\xe1\xea\xe5\x87\xac\x01\xaf\x7d\x8e\xe5\xb2\x50\x51\xcd\x58\x85\x19\xe9\xcc\x3f\xb7\xb4\x30\x9d\x2a\x74\xb9\x48\x6d\x31\x80\xf6\x5f\x02\x5f\x43\xbb\x6a\x98\x9e\x2c\x4b\x05\x23\x83\xf4\x24\x4c\xbf\x36\x81\xf8\xfb\x4b\x9f\x0c\xab\x34\x26\xc0\xd6\x78\x4a\xb0\x8c\x76\xce\xee\xbc\x21\x2e\x76\x5f\xd9\xc5\xf2\x4c\xad\x12\x9b\x44\x0e\x2f\x85\x74\x90\x45\xbb\xb1\xb0\x30\xfd\x5b\x31\x10\x44\x25\x80\xd4\x51\xb2\x71\xd9\xa4\x5d\x04\x75\xd1\x66\x47\xe4\xe6\x6b\xf4\x0a\xcb\xde\xbc\x97\x53\x85\xaa\x50\x89\x83\x22\xe8\xb2\xaa\xca\x18\xba\xa6\xee\x86\x1f\xc9\x74\xfc\xd0\xe3\x79\x75\x82\x4c\x47\x58\x42\xbd\x3f\xa1\xf1\x78\x97\x92\xb2\xb6\x54\xaf\xeb\xc7\x8b\x95\x57\xbe\x28\x3c\xe9\x74\xea\x60\xb0\x1a\xf1\x11\xe8\x22\x62\x70\x47\x7c\xaf\xba\x24\xac\xb1\xfb\x28\xfc\
x25\x92\xad\x2e\xbc\x2b\xa3\x7a\x1b\xbf\xed\xba\x63\x00\x02\xe4\x23\x43\x0d\x76\x2d\x9e\x31\xcd\x86\x17\x0a\x98\x9e\xe9\x7e\x26\xd4\x87\x4b\xd7\xd1\xa8\xf7\xd2\xf2\x04\x6c\xe9\x37\x68\x59\x27\x49\xbf\x7f\x5b\x28\x93\x3f\x3f\xba\xa1\x38\x0d\x42\x96\x1b\x9a\x94\xd2\x31\x3c\x26\x47\x40\xfe\xa1\x49\x5f\xa2\x6f\xc0\x7a\x56\x1e\x4b\x90\x8b\x2e\x30\xe0\xac\x4d\x48\xf6\x89\xeb\x49\x58\x5d\x3b\x72\x95\xe8\xc2\x75\x1d\x05\x62\xc0\x6d\x49\x19\xd5\xdd\x8a\xf3\x26\xde\xd0\xc1\x51\x6e\xcc\x6c\x1d\x3c\xf1\x39\xd3\xa9\xfe\x6e\xde\x64\x76\x8c\x31\x9b\x98\xb7\xda\x44\x5f\xd7\x85\x4b\x64\x64\x0f\xbd\x67\x6b\x7a\x09\xe5\x6e\xa2\x5c\xff\x1d\x31\xde\xc4\x1d\xa0\x8c\xb1\xb0\x7e\x4d\x84\x16\x81\xfc\xb7\x9a\x72\xb7\x22\x0a\x3f\xc3\x6c\xe8\xdc\x63\x88\xca\xea\xea\x4f\xff\xa7\xb2\x98\x05\xef\x2d\xc8\x9a\xcf\x85\xf2\x27\x24\x8b\xca\x1b\x8c\xb8\x1e\xc4\xb9\x86\xa9\xa1\x58\x7e\x57\xe1\xc5\x4d\x16\x3b\xc6\xa9\xd6\x8c\x67\x8c\x48\x24\x09\x35\xfb\xe9\x89\xf5\x50\xb5\x4c\x51\xba\xcb\x9f\x21\xde\x67\x01\x8d\x5e\x3f\xba\xd7\xef\xba\xe1\x03\x83\xe6\x2f\xa9\x29\x41\x5e\xbd\xb7\x7f\xfc\xad\xcc\x36\xec\x7c\x01\xb7\x6f\x7c\x80\x02\x7d\xfc\xba\x9e\x15\xd2\x6f\x30\x6e\x1d\xcb\xf6\x24\xc8\x0f\x4d\xc9\x2e\xab\xfe\x7a\x81\x7d\x7b\xcb\x47\x0d\x60\x13\xaa\x89\x5e\x08\x24\x40\x57\x1e\x14\x3f\xbb\x2a\xc1\xaf\x5b\x4f\xd6\x4b\xb2\x0f\x31\xef\x1f\x5e\x1d\xb9\x6f\xb8\xca\x1e\x6b\x4d\x36\x0d\x2c\xd0\x55\x91\x36\x6a\xd7\x1a\x41\x17\xc9\x12\x5f\xee\xd0\xe6\xd9\x5c\x03\x9d\xac\x71\x00\x0f\x40\x4d\x71\x80\xfb\x1e\x3b\x9d\x10\xb6\x24\x84\xeb\x2e\x3d\x45\xb8\xa4\xc6\x44\x4e\xa5\x44\xc7\xc1\xa4\x9b\xcd\xd1\x72\x3c\x22\x12\x7e\x2f\x81\xfc\x4c\xa3\xda\x6b\x97\x71\x5a\x0c\x9c\xd3\x05\xae\x21\xa1\x5c\xa6\x95\xf1\xa7\x4d\xf2\x26\x0a\x95\xec\x30\x42\xb1\x6d\x83\xab\x1d\xa2\xba\x76\x7d\xf0\x36\x01\xb4\xb3\xab\x71\x71\xe2\xe0\xe8\xa2\x00\x9f\xc6\xcb\x2c\x98\xcd\x20\x68\x17\x36\x55\x22\x2b\xa6\xbc\x51\xaf\x64\x49\x93\xcb\xd1\x92\x33\xd0\xc0\xf1\xdb\x62\x30\x69\x74\x45\xfd\x77\x8f\x14\xa0\x85\x57\x25\x26\xdb\x2d\x12\x56\xe8\x27\xac\x9b\
x77\xa9\x7e\xc6\x41\xa5\x3a\xa5\x80\xb3\xa7\x83\xcb\x0f\xc5\xa1\xb3\xb9\xb3\xff\x38\xe4\x18\xdb\x65\x8b\x48\x4a\x68\xcc\x9a\x9e\x33\x0d\x3d\x7a\x4e\xd2\x82\x58\x1d\xc0\x6f\x9e\xe9\x6a\x1a\x46\x98\xbc\x23\xeb\x41\xbe\xde\x47\x6c\x00\x52\x96\x40\x79\x71\x0f\x68\x8f\x87\x6d\x4c\xef\xf2\x19\x0f\x2d\x81\x9b\xbd\x4c\xdb\x36\x1f\xb5\xc6\x4d\x7c\x41\x93\xff\x9f\x6b\x44\xb2\xc1\x43\x71\x39\xbc\xfa\x8c\xe0\xa9\x43\x0a\xce\xb4\x98\xb4\xf0\xb0\x19\x7b\xf3\x39\xd0\x4b\x70\x51\x23\x24\x3b\x1a\x44\xfc\xec\x56\x6d\x64\xfe\x85\x0b\x29\x89\xb5\xb7\x09\x9e\xf9\xbf\x74\x46\x07\x46\xf6\x0c\x46\x07\x89\x16\x89\x58\x17\x75\xad\x12\xcc\x0f\x04\xce\x01\x6c\x5b\x01\xe4\x55\x6e\x09\x80\x7e\xb8\x2e\x19\xc4\x54\x2e\x88\xca\x22\xac\x95\x13\xa4\x6b\x3e\x43\xc5\x28\x77\xc0\xa8\x37\x20\x1f\xd8\x2e\x9f\x74\x53\x8b\x75\x1c\x8b\x0a\xca\xbf\x1e\xb2\x8a\x7d\xec\x9b\xf6\x98\xc1\x22\xfd\xc5\x46\x4f\x6c\xd4\x0e\x81\xd0\x60\x18\x3a\xf8\x04\xea\x5c\x5a\x51\x09\xfe\x21\x9a\x85\x21\xc7\x3b\x95\xe4\x2b\x82\xac\xd6\x93\xa8\x45\x3c\x40\xc7\x40\x27\xdc\xb1\x78\x81\x75\x83\x42\xe2\x56\x42\x58\xb9\xf1\x2f\xf6\x75\xd9\x5c\x1a\xc4\x2e\x94\x47\x3e\x5d\xd5\x18\x38\xd6\xb1\xc2\x8f\x7b\xae\x7e\x16\x41\x7e\xea\x23\x33\x18\x83\x17\x23\x4d\x3a\x96\x94\x35\x6d\xb9\xff\x64\x9e\xda\x9d\x9d\xe4\xd6\xdf\x34\x57\x70\x13\xbc\x9f\x17\x14\x04\xb0\x8f\xd4\x19\x0d\x15\xd7\xde\xfe\xcd\xc1\x95\x19\x9d\x8a\x71\xf6\x41\x40\xa8\x65\x61\xe8\x4c\x3b\xde\x2a\x43\x37\xac\x14\x05\x08\x54\x31\x4d\xe0\xa3\xef\x2a\xe2\x6a\x6c\xb3\x97\x79\xb1\x0b\xdd\x57\x10\x41\xba\x31\x99\x6c\x60\x2c\x99\x7e\x70\x35\x8a\xe9\x86\x23\x92\x55\xa9\x37\x10\xf2\x11\x1e\x7c\xb1\xc8\xb3\xb7\x28\x03\x37\x34\x85\x6a\x41\xcd\xd5\x5a\xb2\xcf\x54\x15\x6b\x48\xe1\x34\x9e\x97\xd3\x9f\x6f\xc1\x27\x5f\xdb\x19\xb3\x7c\x8c\xf0\x04\xb3\x8c\xc3\xef\x37\x83\x4c\x85\x12\x8b\x3c\xb5\x9b\x77\x3d\xcc\x7d\x7b\x85\x80\x5b\x8f\x3b\xd6\xae\x79\x1e\xfa\x7c\xdb\xcc\x4b\xe5\x53\x9b\xb6\x6a\xfd\x8a\xc5\xde\x59\x50\x9b\x34\x10\x20\xe1\xc6\xff\x67\xb6\x6a\x0c\x94\xbb\x79\x53\x49\x92\x05\xb3\x07\xca\
x77\x27\x7f\x6c\xcf\x39\x80\x1e\xe6\x28\xfb\x33\xd2\x07\x3f\x38\x1e\x80\xdc\x41\xc9\xe7\x99\xe7\x5c\x31\xcf\x2a\xa4\x9f\x8b\x0a\x6f\x73\x24\x08\xaf\xdc\x65\x0f\xd2\xb0\xec\x57\x4d\x50\xc6\xe2\x48\xf2\xaf\xcf\xb8\xf8\x20\x79\xb2\x62\x55\x47\xdb\x16\xe4\x61\xe6\x01\x59\x88\x3a\xaf\xbe\xdf\x9e\xe9\xfa\xde\xc8\x39\x8b\x91\x98\x6f\x9a\x8e\x79\x47\x06\x49\xa9\x9d\x6e\x8b\x4c\xb3\xb7\x99\x5b\xd5\xb6\xaf\x47\x20\x6b\xbf\x06\xaa\x69\x38\x3e\x97\x63\xcb\x17\x31\xe7\xc1\x5b\x0d\xe4\xb3\x5c\x00\x80\xdd\xfc\xeb\xac\x4d\xea\x21\x30\x96\xd8\x29\xed\x58\xf7\x7c\x09\xa0\xc0\xd4\xf3\x00\xdd\x5f\xaf\x2e\x01\x2a\xcf\x83\xd7\x7b\x73\x32\x3a\x93\x21\xcc\xa8\x64\x6b\xfe\x55\xfc\xce\x50\x6c\x82\x2e\xe4\x40\x4f\x20\x03\x18\xf6\x50\x44\xb3\xec\xdd\x8a\x21\x35\xe8\xee\x0a\xdb\xb8\xc4\x22\xc8\x9d\x37\x3e\xe4\x21\x82\x6b\xd1\x14\xd5\xae\x08\x6c\x9a\x47\xbe\x5a\x78\x88\xec\x74\xfc\x9e\x8d\x7e\x75\x85\xe6\xe8\x8f\xef\xa1\xb6\xa0\xc5\x57\x7b\x91\x43\x13\x77\xa3\x05\xa6\x65\x81\x02\xef\xf2\x95\x75\xde\x43\x92\x0b\xd4\x66\x96\xa2\xbd\x26\xa9\x39\xde\x74\x15\xc8\x36\x1c\x98\x89\x7b\xc0\xa4\x93\xe9\x08\x76\xd4\xf7\xa6\x38\x9a\xe9\xfe\xd4\x4d\x6e\xf2\x1e\xdf\x68\x1a\xe3\xa3\x5d\xc4\xa2\x6a\x40\xa7\x41\x1e\x7d\x51\xa8\x58\x43\x13\xdf\x95\xe4\x8f\xb0\x12\x79\x9b\x83\xc2\x5c\x2d\xd8\xf2\x43\xe9\x88\x05\x46\xb8\xf5\x1e\x25\xcc\x2f\xfa\x83\xc3\x6d\x81\xd3\x1b\xce\xbe\x40\x53\x62\x87\x5c\x49\x43\x00\x66\x24\x90\xc3\xf4\xbb\x38\x68\x2b\x17\xe0\xcb\xb9\x0e\x47\x70\x86\x4e\xe6\x0c\xc1\x36\xfa\x7b\xb2\x17\x0f\x69\x39\x4f\x62\x35\xe0\x07\x83\xfc\x6c\x2c\xab\x09\x74\x07\xff\xf9\x31\xbf\xa7\x42\xd7\xae\xfe\xf3\x3d\x69\x96\x70\x1d\x39\xb4\xad\xfb\x76\x28\xee\x8c\xb2\x76\x5a\xc0\x39\x92\xdb\x7b\xfd\x93\x04\xe1\x5f\x27\xf3\xea\x37\x12\x49\x4e\x98\xd1\x5b\x7c\x7e\x78\x14\x2d\xdb\xcc\x1e\x2d\x18\x47\x81\xcb\xc1\x17\x45\x59\x9e\xb5\xa6\x9b\x39\x18\x69\x4b\x78\x20\x9b\x1e\xe1\xc1\x18\x54\x15\x7e\xda\x2e\x0f\x03\xed\xd8\x84\xab\x4f\x60\x13\x4a\xf1\x58\xff\x15\xa9\x22\x59\xd4\x29\x37\x0c\xef\xab\x10\xcf\x6f\xb2\x82\xf7\x60\
xd8\xd5\x4a\x8d\xb0\xc0\xc4\x3f\x56\xbc\xcf\x68\xb8\x37\x74\x5d\xd6\x42\xb3\x9d\x44\xdb\x29\x7b\x01\xeb\x9f\x5b\x48\xd1\xb1\x14\x84\x8a\x5d\x7c\x74\xa2\x2e\x3c\x30\x84\xee\xbc\x02\x98\xe7\xdd\xbb\xe6\x6e\x10\x5f\x89\x23\x8e\x96\x1d\x34\x98\x5f\x29\xde\x20\x31\xa5\x17\x56\xba\x3c\x77\xce\x83\x24\x8e\xf8\x32\x30\x9b\xf9\xad\x9d\x3f\x79\xdd\x12\xf7\x62\xe9\x12\x25\xb0\x87\x6c\xfc\x22\x02\xb2\xe0\x46\x82\x43\x16\xc8\x20\x88\x9e\x93\xf6\x3e\xad\x22\x9c\x08\x7b\x2f\x6c\xfc\x99\xf7\x97\x02\x2c\xda\xb8\x45\x6d\xe0\xc7\x64\xa0\x6a\x79\x40\xb0\xf2\x85\x98\xcb\xa5\x6d\xa0\xbb\xc7\xeb\xce\x48\x22\x12\x21\x37\x54\xd3\xc3\x4f\x74\x9e\xb9\x43\xbf\xf8\x1a\xab\x71\x0a\x98\x1e\x89\x15\xd8\x9f\x50\x98\xca\xa6\x74\x63\x6b\xda\x15\x11\xe9\x6b\x7a\xb0\xe6\x51\xd1\x01\x75\x09\x76\xda\x0b\x2a\x08\xc5\x61\x76", 8192); *(uint32_t*)0x20004bc0 = 0x20003680; *(uint32_t*)0x20003680 = 0x50; *(uint32_t*)0x20003684 = 0; *(uint64_t*)0x20003688 = 0; *(uint32_t*)0x20003690 = 7; *(uint32_t*)0x20003694 = 0x22; *(uint32_t*)0x20003698 = 6; *(uint32_t*)0x2000369c = 0x60; *(uint16_t*)0x200036a0 = 5; *(uint16_t*)0x200036a2 = 0x48; *(uint32_t*)0x200036a4 = 0x80000001; *(uint32_t*)0x200036a8 = 7; *(uint16_t*)0x200036ac = 0; *(uint16_t*)0x200036ae = 0; memset((void*)0x200036b0, 0, 32); *(uint32_t*)0x20004bc4 = 0x20003700; *(uint32_t*)0x20003700 = 0x18; *(uint32_t*)0x20003704 = 0; *(uint64_t*)0x20003708 = 0xfffe; *(uint64_t*)0x20003710 = 0x200; *(uint32_t*)0x20004bc8 = 0x20003740; *(uint32_t*)0x20003740 = 0x18; *(uint32_t*)0x20003744 = 0; *(uint64_t*)0x20003748 = 4; *(uint64_t*)0x20003750 = 0x8000; *(uint32_t*)0x20004bcc = 0x20003780; *(uint32_t*)0x20003780 = 0x18; *(uint32_t*)0x20003784 = 0; *(uint64_t*)0x20003788 = 0; *(uint32_t*)0x20003790 = 8; *(uint32_t*)0x20003794 = 0; *(uint32_t*)0x20004bd0 = 0x200037c0; *(uint32_t*)0x200037c0 = 0x18; *(uint32_t*)0x200037c4 = 0; *(uint64_t*)0x200037c8 = 0x80000001; *(uint32_t*)0x200037d0 = 5; *(uint32_t*)0x200037d4 = 0; *(uint32_t*)0x20004bd4 = 0x20003800; 
*(uint32_t*)0x20003800 = 0x28; *(uint32_t*)0x20003804 = 0; *(uint64_t*)0x20003808 = 0; *(uint64_t*)0x20003810 = 0x19; *(uint64_t*)0x20003818 = 0x200; *(uint32_t*)0x20003820 = 3; *(uint32_t*)0x20003824 = -1; *(uint32_t*)0x20004bd8 = 0x20003840; *(uint32_t*)0x20003840 = 0x60; *(uint32_t*)0x20003844 = 0xfffffffe; *(uint64_t*)0x20003848 = 0xfffffffffffffffe; *(uint64_t*)0x20003850 = 4; *(uint64_t*)0x20003858 = 0x80000001; *(uint64_t*)0x20003860 = 1; *(uint64_t*)0x20003868 = 0x52b8; *(uint64_t*)0x20003870 = 7; *(uint32_t*)0x20003878 = 0; *(uint32_t*)0x2000387c = 0xfffffffa; *(uint32_t*)0x20003880 = 0x1ff; *(uint32_t*)0x20003884 = 0; memset((void*)0x20003888, 0, 24); *(uint32_t*)0x20004bdc = 0x200038c0; *(uint32_t*)0x200038c0 = 0x18; *(uint32_t*)0x200038c4 = 0xffffffda; *(uint64_t*)0x200038c8 = 0x1f; *(uint32_t*)0x200038d0 = 9; *(uint32_t*)0x200038d4 = 0; *(uint32_t*)0x20004be0 = 0x20003900; *(uint32_t*)0x20003900 = 0x11; *(uint32_t*)0x20003904 = 0xfffffffe; *(uint64_t*)0x20003908 = 0x4588; memset((void*)0x20003910, 0, 1); *(uint32_t*)0x20004be4 = 0x20003940; *(uint32_t*)0x20003940 = 0x20; *(uint32_t*)0x20003944 = 0; *(uint64_t*)0x20003948 = 0x100000000; *(uint64_t*)0x20003950 = 0; *(uint32_t*)0x20003958 = 0x18; *(uint32_t*)0x2000395c = 0; *(uint32_t*)0x20004be8 = 0x200039c0; *(uint32_t*)0x200039c0 = 0x78; *(uint32_t*)0x200039c4 = 0; *(uint64_t*)0x200039c8 = 7; *(uint64_t*)0x200039d0 = 4; *(uint32_t*)0x200039d8 = 6; *(uint32_t*)0x200039dc = 0; *(uint64_t*)0x200039e0 = 0; *(uint64_t*)0x200039e8 = 7; *(uint64_t*)0x200039f0 = 8; *(uint64_t*)0x200039f8 = 0x10001; *(uint64_t*)0x20003a00 = 1; *(uint64_t*)0x20003a08 = 0x509; *(uint32_t*)0x20003a10 = 0x80; *(uint32_t*)0x20003a14 = 3; *(uint32_t*)0x20003a18 = 1; *(uint32_t*)0x20003a1c = 0xc000; *(uint32_t*)0x20003a20 = 5; *(uint32_t*)0x20003a24 = r[6]; *(uint32_t*)0x20003a28 = 0xee00; *(uint32_t*)0x20003a2c = 7; *(uint32_t*)0x20003a30 = 9; *(uint32_t*)0x20003a34 = 0; *(uint32_t*)0x20004bec = 0x20003e80; *(uint32_t*)0x20003e80 = 
0x90; *(uint32_t*)0x20003e84 = 0; *(uint64_t*)0x20003e88 = 8; *(uint64_t*)0x20003e90 = 6; *(uint64_t*)0x20003e98 = 3; *(uint64_t*)0x20003ea0 = 0xcd0; *(uint64_t*)0x20003ea8 = 0x7fffffff; *(uint32_t*)0x20003eb0 = 5; *(uint32_t*)0x20003eb4 = 1; *(uint64_t*)0x20003eb8 = 5; *(uint64_t*)0x20003ec0 = 5; *(uint64_t*)0x20003ec8 = 0xf34; *(uint64_t*)0x20003ed0 = 0x86; *(uint64_t*)0x20003ed8 = 6; *(uint64_t*)0x20003ee0 = 2; *(uint32_t*)0x20003ee8 = 0xab8c; *(uint32_t*)0x20003eec = 0; *(uint32_t*)0x20003ef0 = 5; *(uint32_t*)0x20003ef4 = 0x8000; *(uint32_t*)0x20003ef8 = 9; *(uint32_t*)0x20003efc = 0xee00; *(uint32_t*)0x20003f00 = r[9]; *(uint32_t*)0x20003f04 = 0x1000; *(uint32_t*)0x20003f08 = 0x1000; *(uint32_t*)0x20003f0c = 0; *(uint32_t*)0x20004bf0 = 0x20003f40; *(uint32_t*)0x20003f40 = 0xd0; *(uint32_t*)0x20003f44 = 0; *(uint64_t*)0x20003f48 = 0xffffffffffffffbc; *(uint64_t*)0x20003f50 = 0; *(uint64_t*)0x20003f58 = 2; *(uint32_t*)0x20003f60 = 6; *(uint32_t*)0x20003f64 = 3; memset((void*)0x20003f68, 2, 6); *(uint64_t*)0x20003f70 = 0; *(uint64_t*)0x20003f78 = 0; *(uint32_t*)0x20003f80 = 0; *(uint32_t*)0x20003f84 = 9; *(uint64_t*)0x20003f88 = 2; *(uint64_t*)0x20003f90 = 0x100000001; *(uint32_t*)0x20003f98 = 0x17; *(uint32_t*)0x20003f9c = 0xffff; memcpy((void*)0x20003fa0, "bpf_lsm_socket_recvmsg\000", 23); *(uint64_t*)0x20003fb8 = 0; *(uint64_t*)0x20003fc0 = 0x401; *(uint32_t*)0x20003fc8 = 0xf; *(uint32_t*)0x20003fcc = 0xfffffff9; memcpy((void*)0x20003fd0, "&,$:+)\357&\\)/$$[}", 15); *(uint64_t*)0x20003fe0 = 6; *(uint64_t*)0x20003fe8 = 1; *(uint32_t*)0x20003ff0 = 0x17; *(uint32_t*)0x20003ff4 = 0x1f; memcpy((void*)0x20003ff8, "bpf_lsm_socket_recvmsg\000", 23); *(uint32_t*)0x20004bf4 = 0x20004440; *(uint32_t*)0x20004440 = 0x508; *(uint32_t*)0x20004444 = 0; *(uint64_t*)0x20004448 = 2; *(uint64_t*)0x20004450 = 4; *(uint64_t*)0x20004458 = 1; *(uint64_t*)0x20004460 = 5; *(uint64_t*)0x20004468 = 0x80000000; *(uint32_t*)0x20004470 = 3; *(uint32_t*)0x20004474 = 0xffffffec; 
*(uint64_t*)0x20004478 = 2; *(uint64_t*)0x20004480 = 3; *(uint64_t*)0x20004488 = 0x20; *(uint64_t*)0x20004490 = 0x100000001; *(uint64_t*)0x20004498 = 0x80; *(uint64_t*)0x200044a0 = 0xffffffffffffffe1; *(uint32_t*)0x200044a8 = 0x9e41; *(uint32_t*)0x200044ac = 0x1f; *(uint32_t*)0x200044b0 = 0xf0f6; *(uint32_t*)0x200044b4 = 0xc000; *(uint32_t*)0x200044b8 = 0x401; *(uint32_t*)0x200044bc = 0xee01; *(uint32_t*)0x200044c0 = 0xee00; *(uint32_t*)0x200044c4 = 0x400000; *(uint32_t*)0x200044c8 = 0x800; *(uint32_t*)0x200044cc = 0; *(uint64_t*)0x200044d0 = 3; *(uint64_t*)0x200044d8 = 7; *(uint32_t*)0x200044e0 = 6; *(uint32_t*)0x200044e4 = 0xfffffffe; memset((void*)0x200044e8, 187, 6); *(uint64_t*)0x200044f0 = 1; *(uint64_t*)0x200044f8 = 2; *(uint64_t*)0x20004500 = 0x10001; *(uint64_t*)0x20004508 = 0; *(uint32_t*)0x20004510 = 5; *(uint32_t*)0x20004514 = 0; *(uint64_t*)0x20004518 = 3; *(uint64_t*)0x20004520 = 0x8000; *(uint64_t*)0x20004528 = 9; *(uint64_t*)0x20004530 = 0x80000001; *(uint64_t*)0x20004538 = 0x100; *(uint64_t*)0x20004540 = 5; *(uint32_t*)0x20004548 = 0xf06; *(uint32_t*)0x2000454c = 0x932b; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0x1000; *(uint32_t*)0x20004558 = 5; *(uint32_t*)0x2000455c = 0xee01; *(uint32_t*)0x20004560 = -1; *(uint32_t*)0x20004564 = 5; *(uint32_t*)0x20004568 = 1; *(uint32_t*)0x2000456c = 0; *(uint64_t*)0x20004570 = 5; *(uint64_t*)0x20004578 = 9; *(uint32_t*)0x20004580 = 2; *(uint32_t*)0x20004584 = 2; memcpy((void*)0x20004588, "*)", 2); *(uint64_t*)0x20004590 = 1; *(uint64_t*)0x20004598 = 0; *(uint64_t*)0x200045a0 = 0xcc3; *(uint64_t*)0x200045a8 = 4; *(uint32_t*)0x200045b0 = 0x101; *(uint32_t*)0x200045b4 = 3; *(uint64_t*)0x200045b8 = 2; *(uint64_t*)0x200045c0 = 1; *(uint64_t*)0x200045c8 = 1; *(uint64_t*)0x200045d0 = 0x113; *(uint64_t*)0x200045d8 = 1; *(uint64_t*)0x200045e0 = 3; *(uint32_t*)0x200045e8 = 0xd36; *(uint32_t*)0x200045ec = 0x8c12; *(uint32_t*)0x200045f0 = 0xfffffffc; *(uint32_t*)0x200045f4 = 0x1000; *(uint32_t*)0x200045f8 = 
0xfffffffc; *(uint32_t*)0x200045fc = 0xee01; *(uint32_t*)0x20004600 = r[10]; *(uint32_t*)0x20004604 = 9; *(uint32_t*)0x20004608 = 0xacd; *(uint32_t*)0x2000460c = 0; *(uint64_t*)0x20004610 = 3; *(uint64_t*)0x20004618 = 0x97; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 9; memcpy((void*)0x20004628, "wlan1\000", 6); *(uint64_t*)0x20004630 = 1; *(uint64_t*)0x20004638 = 2; *(uint64_t*)0x20004640 = 8; *(uint64_t*)0x20004648 = 0x8000; *(uint32_t*)0x20004650 = 9; *(uint32_t*)0x20004654 = 0; *(uint64_t*)0x20004658 = 1; *(uint64_t*)0x20004660 = 0x200; *(uint64_t*)0x20004668 = 0xff; *(uint64_t*)0x20004670 = 0x100000001; *(uint64_t*)0x20004678 = 0x30000; *(uint64_t*)0x20004680 = 9; *(uint32_t*)0x20004688 = 3; *(uint32_t*)0x2000468c = 6; *(uint32_t*)0x20004690 = 0x7f; *(uint32_t*)0x20004694 = 0x8000; *(uint32_t*)0x20004698 = 0x101; *(uint32_t*)0x2000469c = r[11]; *(uint32_t*)0x200046a0 = 0xee00; *(uint32_t*)0x200046a4 = 0x10000; *(uint32_t*)0x200046a8 = 9; *(uint32_t*)0x200046ac = 0; *(uint64_t*)0x200046b0 = 3; *(uint64_t*)0x200046b8 = 0; *(uint32_t*)0x200046c0 = 2; *(uint32_t*)0x200046c4 = 0x401; memcpy((void*)0x200046c8, "b@", 2); *(uint64_t*)0x200046d0 = 4; *(uint64_t*)0x200046d8 = 1; *(uint64_t*)0x200046e0 = 0; *(uint64_t*)0x200046e8 = 5; *(uint32_t*)0x200046f0 = 4; *(uint32_t*)0x200046f4 = 0x101; *(uint64_t*)0x200046f8 = 1; *(uint64_t*)0x20004700 = 5; *(uint64_t*)0x20004708 = 1; *(uint64_t*)0x20004710 = 0x10000; *(uint64_t*)0x20004718 = 7; *(uint64_t*)0x20004720 = 8; *(uint32_t*)0x20004728 = 5; *(uint32_t*)0x2000472c = 5; *(uint32_t*)0x20004730 = 0x4010000; *(uint32_t*)0x20004734 = 0x8000; *(uint32_t*)0x20004738 = 0x4d800000; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0xee01; *(uint32_t*)0x20004744 = 6; *(uint32_t*)0x20004748 = 7; *(uint32_t*)0x2000474c = 0; *(uint64_t*)0x20004750 = 2; *(uint64_t*)0x20004758 = 0x61; *(uint32_t*)0x20004760 = 0; *(uint32_t*)0x20004764 = 0; *(uint64_t*)0x20004768 = 7; *(uint64_t*)0x20004770 = 0; *(uint64_t*)0x20004778 = 5; 
*(uint64_t*)0x20004780 = 5; *(uint32_t*)0x20004788 = 0; *(uint32_t*)0x2000478c = 0x3ff; *(uint64_t*)0x20004790 = 0; *(uint64_t*)0x20004798 = 0xfffffffffffffff7; *(uint64_t*)0x200047a0 = 1; *(uint64_t*)0x200047a8 = 0x80; *(uint64_t*)0x200047b0 = 0x100000001; *(uint64_t*)0x200047b8 = 0x401; *(uint32_t*)0x200047c0 = 0xd49d; *(uint32_t*)0x200047c4 = 0x80; *(uint32_t*)0x200047c8 = 1; *(uint32_t*)0x200047cc = 0x6000; *(uint32_t*)0x200047d0 = 0x8b; *(uint32_t*)0x200047d4 = r[12]; *(uint32_t*)0x200047d8 = 0xee01; *(uint32_t*)0x200047dc = 0x8001; *(uint32_t*)0x200047e0 = 0; *(uint32_t*)0x200047e4 = 0; *(uint64_t*)0x200047e8 = 6; *(uint64_t*)0x200047f0 = 0x200; *(uint32_t*)0x200047f8 = 1; *(uint32_t*)0x200047fc = 0xfffffff8; memset((void*)0x20004800, 41, 1); *(uint64_t*)0x20004808 = 0; *(uint64_t*)0x20004810 = 3; *(uint64_t*)0x20004818 = 8; *(uint64_t*)0x20004820 = 0x81; *(uint32_t*)0x20004828 = 6; *(uint32_t*)0x2000482c = 5; *(uint64_t*)0x20004830 = 1; *(uint64_t*)0x20004838 = 8; *(uint64_t*)0x20004840 = 7; *(uint64_t*)0x20004848 = 5; *(uint64_t*)0x20004850 = 8; *(uint64_t*)0x20004858 = 1; *(uint32_t*)0x20004860 = 5; *(uint32_t*)0x20004864 = 0x90c555ad; *(uint32_t*)0x20004868 = 0; *(uint32_t*)0x2000486c = 0xc000; *(uint32_t*)0x20004870 = 0x800; *(uint32_t*)0x20004874 = 0xee00; *(uint32_t*)0x20004878 = 0xee01; *(uint32_t*)0x2000487c = 0xf98d; *(uint32_t*)0x20004880 = 0x20; *(uint32_t*)0x20004884 = 0; *(uint64_t*)0x20004888 = 4; *(uint64_t*)0x20004890 = 4; *(uint32_t*)0x20004898 = 5; *(uint32_t*)0x2000489c = 1; memcpy((void*)0x200048a0, "\\U\302-^", 5); *(uint64_t*)0x200048a8 = 1; *(uint64_t*)0x200048b0 = 0; *(uint64_t*)0x200048b8 = 2; *(uint64_t*)0x200048c0 = 6; *(uint32_t*)0x200048c8 = 0; *(uint32_t*)0x200048cc = 0xb5e; *(uint64_t*)0x200048d0 = 4; *(uint64_t*)0x200048d8 = 0x12; *(uint64_t*)0x200048e0 = 0xe87; *(uint64_t*)0x200048e8 = 7; *(uint64_t*)0x200048f0 = 1; *(uint64_t*)0x200048f8 = 0xfffffffffffffffe; *(uint32_t*)0x20004900 = 0xfffffffd; *(uint32_t*)0x20004904 = 7; 
*(uint32_t*)0x20004908 = 0x401; *(uint32_t*)0x2000490c = 0xa000; *(uint32_t*)0x20004910 = 0x8ee; *(uint32_t*)0x20004914 = r[13]; *(uint32_t*)0x20004918 = 0; *(uint32_t*)0x2000491c = 0x8236; *(uint32_t*)0x20004920 = 0x3c89862b; *(uint32_t*)0x20004924 = 0; *(uint64_t*)0x20004928 = 4; *(uint64_t*)0x20004930 = 0xfffffffffffffbf7; *(uint32_t*)0x20004938 = 6; *(uint32_t*)0x2000493c = 4; memset((void*)0x20004940, 2, 6); *(uint32_t*)0x20004bf8 = 0x20004ac0; *(uint32_t*)0x20004ac0 = 0xa0; *(uint32_t*)0x20004ac4 = 0xffffffda; *(uint64_t*)0x20004ac8 = 2; *(uint64_t*)0x20004ad0 = 1; *(uint64_t*)0x20004ad8 = 3; *(uint64_t*)0x20004ae0 = 0xff; *(uint64_t*)0x20004ae8 = 0x401; *(uint32_t*)0x20004af0 = 9; *(uint32_t*)0x20004af4 = 0x1000; *(uint64_t*)0x20004af8 = 1; *(uint64_t*)0x20004b00 = 0xfff; *(uint64_t*)0x20004b08 = 0x733; *(uint64_t*)0x20004b10 = 0; *(uint64_t*)0x20004b18 = 7; *(uint64_t*)0x20004b20 = 0x7fff; *(uint32_t*)0x20004b28 = 4; *(uint32_t*)0x20004b2c = 0x1f; *(uint32_t*)0x20004b30 = 0x1f; *(uint32_t*)0x20004b34 = 0; *(uint32_t*)0x20004b38 = 1; *(uint32_t*)0x20004b3c = r[14]; *(uint32_t*)0x20004b40 = r[15]; *(uint32_t*)0x20004b44 = 0x9eb; *(uint32_t*)0x20004b48 = 1; *(uint32_t*)0x20004b4c = 0; *(uint64_t*)0x20004b50 = 0; *(uint32_t*)0x20004b58 = 0x1c; *(uint32_t*)0x20004b5c = 0; *(uint32_t*)0x20004bfc = 0x20004b80; *(uint32_t*)0x20004b80 = 0x20; *(uint32_t*)0x20004b84 = 0xfffffffe; *(uint64_t*)0x20004b88 = 0xa87; *(uint32_t*)0x20004b90 = 0x1ff; *(uint32_t*)0x20004b94 = 0; *(uint32_t*)0x20004b98 = 0x10001; *(uint32_t*)0x20004b9c = 4; syz_fuse_handle_req(r[5], 0x20001680, 0x2000, 0x20004bc0); break; case 25: memcpy((void*)0x20004c40, "/dev/autofs\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20004c40, 0, 0); if (res != -1) r[16] = res; break; case 26: memcpy((void*)0x20004c00, "SEG6\000", 5); syz_genetlink_get_family_id(0x20004c00, r[16]); break; case 27: syz_init_net_socket(0x24, 2, 0); break; case 28: res = syscall(__NR_mmap, 0x20ffe000, 0x1000, 0x300000a, 0x10, 
(intptr_t)r[16], 0); if (res != -1) r[17] = res; break; case 29: res = -1; res = syz_io_uring_complete(r[17]); if (res != -1) r[18] = res; break; case 30: *(uint32_t*)0x20004c84 = 0xcaa6; *(uint32_t*)0x20004c88 = 4; *(uint32_t*)0x20004c8c = 3; *(uint32_t*)0x20004c90 = 0x276; *(uint32_t*)0x20004c98 = r[18]; memset((void*)0x20004c9c, 0, 12); res = -1; res = syz_io_uring_setup(0x3a9b, 0x20004c80, 0x20ffe000, 0x20ffe000, 0x20004d00, 0x20004d40); if (res != -1) r[19] = *(uint64_t*)0x20004d00; break; case 31: *(uint8_t*)0x20005080 = 2; *(uint8_t*)0x20005081 = 5; *(uint16_t*)0x20005082 = 0; *(uint32_t*)0x20005084 = 7; *(uint64_t*)0x20005088 = 0; *(uint32_t*)0x20005090 = 0x20005040; *(uint32_t*)0x20005040 = 0x20004d80; memcpy((void*)0x20004d80, "\x8f\x8c\x61\xba\x2d\x93\x00\x6a\xad\xbd\x12\xa3\xa0\x8f\x14\x6f\x7d\xad\xf6\xfc\xaf\x91\x37\x0d\x8c\xdb\xb1\x04\x73\xcf\xc4\x73\x7f\xc2\x92\x0f\x76\x1e\x5f\x9f\x43\xac\x7c\x94\xff\x2d\x84\xa3\xf6", 49); *(uint32_t*)0x20005044 = 0x31; *(uint32_t*)0x20005048 = 0x20004dc0; memcpy((void*)0x20004dc0, "\xe7\x9e\x60\x9c\xaf\x0b\x11\x3f\x2e\x3a\x9b\x6e\xd9\xa5\x19\x7b\xd4\xc9\xef\x3a\xbe\xe6\xff\x37\x2b\x06\x77\xf9\x80\xef\x46\x16\x5c\x07\x1e\xc9\xa7\xe4\xb8\xe1\x18\xc9\x5c\x2b\x5f\x73\x3b\x29\xc5\x0f\x1e\x5d\xf4\xf1\x83\x7e\x9a\x29\x62\xcd\x24\x1c\x43\xd7\xa6\x05\x87\x87\x49\x91\x9d\x2d\x93\x2d\x22\x01\x0e\x4c\x8c\x29\xce\x60\x28\xdc\x71\xe2\x3c\x5e\xc2\xb4\xf3\xbb\x38\xb2\xe7\xc3\xbe\xaf\x83\xc8\x87\xa4\x5f\x16\xea\x87\x84\x2b\x70\x02\xc7\x51\x33\x97\x83\x5d\x37\x55\x89\xd6\x4e\x9c\x8d\x0d\xaa\x7c\x70\x99\x74\xdd\xc9\x35\x14\x51\x90\xba\xc6\xe8\xd3\x12\x38\xd5\xad\x70\x37\x7e\x03\xb1\x11\x15\x46\xf8\xa8\x3a\x2d\x7e\x3f\xc5\x50\x40\x8a\x22\x7e\x6a\xb5\x58\x33\x1d\xe5", 169); *(uint32_t*)0x2000504c = 0xa9; *(uint32_t*)0x20005050 = 0x20004e80; memcpy((void*)0x20004e80, "\x1f\xe1\xd0\xa7\xea\x42\xed\x60\xeb\x83\x79\xf5\x5f\xba\x5f\x10\x8d\xa4\x23\x32\x88\xe8\xa8\xbb\xac\xc0", 26); *(uint32_t*)0x20005054 = 0x1a; *(uint32_t*)0x20005058 = 
0x20004ec0; memcpy((void*)0x20004ec0, "\x1d\x5a\x7e\x02\x0f\x94\xe9\xee\xe2\x41\x5c\xca\x5e\xb6\x04\x5c\xc9\xf8\x17\xf1\xd3\x27\x5b\xa9\x49\x67\x7e\xe2\xca\x23\x57\xb7\x4e\x67\xc6\xd4\xdd\xfb\xe8\xe8\xc0\xc6\xfd\xcd\x23\x52\xdd\x30\x1f\xf3\x0f\x0e\xbc\x2b\x58\xf2\xc6\x9c\x3f\x80\x32\xff\x0d\x4a\x2d\x2d\x40\x0c\x3d\x07\x91\x4d\x83\x5b\x62\x18\xc2\xeb\x25\x72\x4b\x42\x6a\x88\x8b\x28\x22\xd4\x94\x5b\x35\xf2\xd1\x45\x9d\x91\x5e\x2b\x2d\x66\x54\x1a\xf5\x2b\xdb\xbe\x1a\xd5\x17\x51\x5e\x01\xb8\x29\x0e\x65\x44\x43\xa6\x7b\xec\x3d\x0b\x03\xfc\x10\xb9\x0b\x49\xc3\xd3\x35\x93\xe0\x63\xbd\x0d\xf7\x24\x94\xb2\x2b\xfc\x39\x1f\x6b\x29\x6a\x68\x73\x5e\xea\xac\x4f\xb5\x50\xbe\x4b\xee\xab\xb7\x4d\x7c\xa7\x71\x39\x24\x8c\xf8\x00\x3e\x4f\xa6\x39\x54\xc2\xe5\xc6\x8e\x48\xb1\xf5\x9b\x31\x62\xa9\xa3\xb0\x20\x77\x1f\x7c\x1a\xff\x6d\x7d\xe5\x7b\x40\xfc\xb5\x90\x02\xf2\x70\x9e\xd2\xe1\x2d\x50\xa3\xed\xad\xc2\xc5\x5d\xe6\x63\x4c\x8e\x91\xdd\x8c\xd2\x8f\xaf\x3b\x52", 228); *(uint32_t*)0x2000505c = 0xe4; *(uint32_t*)0x20005060 = 0x20004fc0; memcpy((void*)0x20004fc0, "\x3d\xc5\x00\x79\x39\x36\x84\xee\x15\x45\x62\x33\xe2\xe4\xb4\x7d\x0d\x76\x16\xa6\xfb\xb0\x80\x55\x93\x1c\x40\x0e\x66\xd6\xee\x83\x07\xc9\x88\xdb\x68\xc3\xa5\x68\x73\xe4\xc9\x4c\x21\x0c\xee\x63\xaa\x53\xee\x80\x94\x7c\x56\x44\xcf\xfd\x0e\xe8\x09\xb4\x55\x4e\xf3\xd3\xd5\xd4\xb6\x26\x80\x40\xd6\x6c\xba\x34\xc7\xb8\x64\x5a\xbf\xe3\x69\x6e\x04\x1f\xe1\x3f", 88); *(uint32_t*)0x20005064 = 0x58; *(uint32_t*)0x20005094 = 5; *(uint32_t*)0x20005098 = 1; *(uint64_t*)0x2000509c = 0; *(uint16_t*)0x200050a4 = 0; *(uint16_t*)0x200050a6 = 0; memset((void*)0x200050a8, 0, 20); syz_io_uring_submit(r[19], 0, 0x20005080, 0x100); break; case 32: memcpy((void*)0x200050c0, "/selinux/policy\000", 16); res = syscall(__NR_openat, 0xffffff9c, 0x200050c0, 0, 0); if (res != -1) r[20] = res; break; case 33: memcpy((void*)0x20005100, "/dev/dlm-monitor\000", 17); res = syscall(__NR_openat, 0xffffff9c, 0x20005100, 0, 0); if (res != -1) r[21] = res; break; case 34: 
*(uint32_t*)0x20005180 = 0; *(uint32_t*)0x20005184 = 0x20005140; memcpy((void*)0x20005140, "\x45\xcf\x83\xe3\x48\x27\xda\xe7\x0d\x9c\x50\xf6\x76\xf5\x23\xb0\xce\x6b\xee\x88\x95\x2b\xaa\xc1\xa7\x22\x08\x87\x52\x1e\x1e\x10\x25\x01\x84\xda\xba\xaa\x4f\xbf\x9e\x94\x34\x9f\x11\x48\xde\xe8\x23\x8a", 50); *(uint32_t*)0x20005188 = 0x32; *(uint64_t*)0x200051c0 = 1; *(uint64_t*)0x200051c8 = 0; syz_kvm_setup_cpu(r[20], r[21], 0x20fe8000, 0x20005180, 1, 0, 0x200051c0, 1); break; case 35: *(uint32_t*)0x20005200 = 1; syz_memcpy_off(r[17], 0x114, 0x20005200, 0, 4); break; case 36: memcpy((void*)0x20005240, "adfs\000", 5); memcpy((void*)0x20005280, "./file0\000", 8); *(uint32_t*)0x20005980 = 0x200052c0; *(uint32_t*)0x20005984 = 0; *(uint32_t*)0x20005988 = 4; *(uint32_t*)0x2000598c = 0x20005300; memcpy((void*)0x20005300, "\x85\x86\xcf\xf1\x20\x29\xeb\x8a\xd7\x6f\x62\x61\xd1\xfe\x9c\x2d\xf9\x7d\x6b\x50\x47\xf7\x02\x21\xce\x7c\x26\xe1\xad\x05\x00\x96\xdb\x75\xff\x7f\xfd\x7b\x4d\xad\x59\xf5\xe0\x70\x72\x3e\x8a\x2c\xea\x44\x66\x02\xed\x86\xda\x15\x97\x5f\x4f\x9d\xad\x43\x55\xf1\x7d\x14\x41\xf9\xc1\xd9\x72\x1e\x8b\xc2\x69\xc9\x1b\x43\x93\x4b\xb3\x82\x3e\xba\x88\x0d\xe0\x1b\x58\x6e\x0d\x59\x2f\xc9\x78\x08\x48\x12\xa5\xdd\x94\x0d\x6e\xa6\x1e\x46\xee\x9f\x1d\x53\xe0\xd3\x15\x5c\x2c\x34\x94\x6c\xa2\x86\xd6\x46\x39\x8a\x4d\x60\xb5\x6e\x48\x64\x4c\xe4\x21\xd5\x3a\x65\xfc\x50\x46\x80\x60\x1a\x0c\xb3\xb7\x8c\xdc\x3d\x14\xd0\xf9\xf7\x54\xd8\x8a\x4c\x5d\x80\xc2\x68\x1a\xca\x64\xa4\x79\x3f\x17\xd0\xf8\xa5\xb8\xdc\x82\x0f\xda\xde\xe2\xee\x87\xd4\x20\x50\x17\x22\x86\xe4\xb3\x71\xea\xc4\x97\xbf\x74\x67\x89\x0a\x47\x2d\x76\x6a\x44\x2a\x56\xa6\xe7\x5b\xc3\x9b\xa4\xed\xab\x5a\x0c\xb1\x1e\xb6\x6a\x24\x7a\x2f\x3c\xa7\xd1\x8c\xbe\x8b\xd7\x51\x6b\x2d\x99\xc7\x63\xd8\xc2\x3d\x75\x3c\x13\x93\x7a\xb9\x9b\x57\x8e\x42\xf3\x59\x27\x5e\x86", 251); *(uint32_t*)0x20005990 = 0xfb; *(uint32_t*)0x20005994 = 5; *(uint32_t*)0x20005998 = 0x20005400; memcpy((void*)0x20005400, 
"\x0f\x55\x3c\x28\xb9\x84\x2c\x44\x67\x4a\xbe\x34\x85\x6e\x72\xa4\x02\xea\xf0\x8e\xa7\xd1\x06\x18\x6b\x17\xf1\xd3\xf0\x0d\xcb\xcb\x5f\x98\xa1\xea\xe4\xb0\xe4\x94\xda\x0d\x44\xfa\x94\x91\x73\x67\x47\x8f\x2e\x39\xce\x84\x35\xb1\x32\xa5\x70\xec\x78\xc1\xb1\xd8\x59\xab\x65\x21\x68\xbe\xc9\x15\x6c\xc5\xb4\x54\x3f\x05\x71\xd2\xa7\x5d\x3a\xd0\x3f\x49\x0c\x0f\xc9\x32\x51\xf6\xab\x57\xf0\x1c\xf6\x22\x83\xd4\x2e\xec\x0a\xbb\x18\x61\x48\xb0\x5e\xf5\x5f\x8d\xe1\xa2\xeb\x7c\x16\x22\xfc\x6d\x3a\xc2\x74\xf1\x0a\x07\x54\x56\x33\x98\xef\xc9\x33\x5a\xea\x31\x06\x1c\xf4\xbb\x64\xd4\x4f\x87\xc6\x15\xc9\x9b\x3e\xca\x46\xdd\xc2\xce\x68\xeb\x2b\x78\x0c\x54\xbb\x6a\x1a\x20\x94\x7e\x16\xcb\xc6\xf7\xfa\x07\x12\xd0\xb1\x2e\x66\x5a\x21\x4c\x35\x02\x15\x4e\x5b\x8d\xda\x8b\x01\xdf\x53\xc8\x1b\x2d\xa2\xc9\x2b\x75\x73\x50\x6b\x17\x5a\x34\xba\x1d\xda\x39\x95\x4f\x36\xf0\xff\x6e\xbe\xfe\xee\x31\x32\x68\x13\x42\x2c\xb4\xd5\x3b\x47\xc6\xfe\x65\xf3\x33\x26\x98\xd9\xe3\xd7\x76", 238); *(uint32_t*)0x2000599c = 0xee; *(uint32_t*)0x200059a0 = 0xfff; *(uint32_t*)0x200059a4 = 0x20005500; memcpy((void*)0x20005500, "\xab\xff\x9c\x24\x82\xd9\x64\x89\xf0\xaf\xbe\x08\x5d\xae\xe1\xe2\xbd\x8a\x30\x00\xaf\x21\xe5\xb4\xaa\x0d\x2e\x66\x62\x29\x3d\x5f\xe6\xee\xb6\x0a\x5c\xc8\xb9\x0e\x84\xed\xe0\xd2\x13\x18\x68\x8e\x28\x5d\xef\x54\xcb\x67\x80\xab\xfd\xcb\x64\xc7\x00\xda\x5e\x87\x75\xbb\x60\xd0\x19\x2a\x5f\x81\x13\xa7\x0d\xdb\x16\x27\x08\x7f\x7b\xb8\xf2\x32\xf8\x0a\x12\x0e\x21\x4e\xf3\x1c\x38\x57\x11\xf4\xb1\x2a\xfd\x9a\x02\x4f\xc4\x8c\x41\xc3\xc8\x87\x25\x5a\x17\xb8\x6f\x70\x9a\x30\xee\x23\xa5\xd5\x5c\x6c\x3e\x19\x86\xf6\xfd\x69\x30\x9d\xc6\x66\x48\x46\x39\x6a\x5f\x0c\xde\x1e\x38\x2a\x70\x18\xdc\xde\xac\x00\xff\x1e\xf5\x4b\xbb\x58\x20\x1f\xc9\xdf\xcb\xba\x39\xcf\xb4\x5f\x49\xac\xe1\xe9\x90\x81\x88", 171); *(uint32_t*)0x200059a8 = 0xab; *(uint32_t*)0x200059ac = 0x80000001; *(uint32_t*)0x200059b0 = 0x200055c0; memcpy((void*)0x200055c0, "\xfb\x36\xdf\xfb\x4a\x0e\x43\x77\xfa\x3b\xed\xec\x23\x25\xf5\xc0\x73", 17); 
*(uint32_t*)0x200059b4 = 0x11; *(uint32_t*)0x200059b8 = 1; *(uint32_t*)0x200059bc = 0x20005600; memcpy((void*)0x20005600, "\x8f\xf2\x54\x48\x04\xed\x79\xe1\xbb\x5f\x17\x3b\x80\xfd\xb0\x9a\x44\x4f\x02\xbb\xac\xda\xb8\x77\x10\xa3\x03\x82\x27\x1d\xb7\x25\x70\x55\xfb\xbe\x05\x7f\x4e\x4b\x3e\x1b\xcb\xcf\x08\xf1\xea\x0b\x41\xbe\x53\x3d\x7d\x7f\x84\x19\x9c\x4c\xf2\x41\xe2\xbc\x3c\xeb\xf6\x80\xf5\xc2\x64\x88\x82\xab\xfe\x61\xbb\x52\x11\xc4\xcf\x0f\x1f\x80\x35\xc6\x96\x2e\x74\xf5\x97\x6e\x95\x4c\x3d\xb5\x54\x5b\xdc\xcc\x6e\x67\xb6\x8d\xd6\x12", 104); *(uint32_t*)0x200059c0 = 0x68; *(uint32_t*)0x200059c4 = 0x7f; *(uint32_t*)0x200059c8 = 0x20005680; memcpy((void*)0x20005680, "\xca\x83\x8d\x09\x57\x9a\x97\x26\x57\x26\x0b\x82\x4f\x36\x91\x61\xc8\x3d\x36\x49\xb2\x30\x9d\xe4\xac\xa5\x19\x1c\x6a\x35\x50\xce\x70\x4f\x66\x06\xba\xc0\xf1\x10\x25\x63\x01\x1d\x76\x8b\x1c\xd5\xbd\x83\x56\x5b\xfb\xe9\x31\x1f\x71\xc2\x69\x8f\x2b\xb4\x57\x2e\xf6\x60\x2f\x24\x87\x62\x6e\x21\xfc\xef\x70\x34\xf5\x0e\x28\xfd\x36\xdb\x92\x43\x3d\xe1\xc0\xfb\xd9\xba\xa0\xb2\xef\x3b\x17\xec\xbd\x5f\x21\x4a\x81\x4f\x99\x79\xc0\xcf\xce\xa5\x66\xbd\x41\x87\x88\xa9\xe0\x26\xff\x83\x08\x9e\x4e\x1e\xb4\x91\xee\xbb\x58\x2e\x84\xc6\xd9\x56\xe1\xf8\xd4\xbd\x53\x27\xfc\xf2\x6d\x92\x18\xa6\xe7\x45\xa9\x04\x84\x6d\xa6\x1e\x69\x70\xe7\xc3\xf8\xf6\x77\x7e\xb2\xee\xc1\x82\xc6\x62\x6a\xeb\xc2\xb4\x6d\x6e\x18\xec\x79\xce\x9f\x3a\x34\xc2\xc9\xce\x74\xdc\xe5\xf3\x8a\x49\x3c\xe7\x52\x63\x3b\x9c\xd8\x81\xd3\xe7\x39\x77\xb7\x28\x20\x8b\x73\x0c\x0a\xa0\xbf\xd4\x1f\x03\x74\x79\x8c\x2b\x6c\xfd\x20\xa8\x3d\xde\x88\x21\xf8\x96\x43\x1d\xf1\x62\x0e\xac\xdd\xb4\x84\x6d\x3f\x67\x98\x3b\x95", 241); *(uint32_t*)0x200059cc = 0xf1; *(uint32_t*)0x200059d0 = 2; *(uint32_t*)0x200059d4 = 0x20005780; memcpy((void*)0x20005780, 
"\xb5\x49\xcf\xe1\x8d\xeb\x45\x5b\x4a\x8b\x6d\x56\xe7\xc0\x3f\x25\x10\x24\x21\x7c\xf4\x27\xc0\x90\x56\xbd\xb6\xb4\xa1\x31\x7e\x6f\x9c\xd5\x3e\xce\x2f\x2e\xe6\x8e\x7d\x73\xe9\x36\xe6\xd7\xb3\x76\x48\x35\x95\xc8\xdb\x72\x92\xff\xb0\x52\x0c\xf0\x37\xba\x70\x12\xf5\xd9\x0d\x0e\x4b\xdc\xed\x46\x13\x1d\x6a\x44\x12\x05\x46\xfa\xd8\x7f\x47\x56\x70\xfe\xc8\x6f\x97\x84\x88\x8d\x14\xdc\x2e\xd6\xa1\xa7\xed\x3c\x98\xbd\x0e\x03\x5c\xbd\x50\x4d\xa4\x0e\xfb\xeb\x5a\x5b\xcd\x48\xc0\xca\x51\x3f\xf5\x3d\xda\xda\x3c\xb4\x47\xa4\x8b\xce\xf0\x1d\x98\x83\xf6\x99\x99\x7c\x5a\x0b\x24\x99\x86\x58\x62\xdb\x5f\x78\x5a\x75\xe1\xb3\x46\x3d\x35\x4a\xf1\x12\xe7\xf8\x62\x28\x83\x68\x30\x86\x19\x0f\xa4\x50\x76\x46\xcb\xea\xb5\xed", 176); *(uint32_t*)0x200059d8 = 0xb0; *(uint32_t*)0x200059dc = 1; *(uint32_t*)0x200059e0 = 0x20005840; memcpy((void*)0x20005840, "\xa2\xee\xca\xca\xa0\x2f\xc7\x61\x89\xe0\x0e\x6f\xc5\x8f\x38\xb5\x59\x99\x59\x73\x03\x76\x28\x17\x21\xbe\xcf\x84\x0c\xd1\x2b\x23\x0c\x2d\xc8\x4b\x7f\x5f\xe5\xe3\x70\x57\xb3\x73\x2f\xcf\xeb", 47); *(uint32_t*)0x200059e4 = 0x2f; *(uint32_t*)0x200059e8 = 4; *(uint32_t*)0x200059ec = 0x20005880; memcpy((void*)0x20005880, 
"\x35\xed\x9c\x85\x4f\x54\x2b\xa3\xa5\x6e\x7b\x75\x40\x9a\x31\x97\xd3\x1e\x6e\xc3\x19\x34\x81\x1d\xd9\xab\xe8\x3e\x50\xa0\x60\xea\x25\x99\x4c\xb3\x37\x70\xed\x99\xb2\x5c\x9b\x56\x08\x91\xec\xa4\x33\xfe\x5b\xf1\xe0\x2d\x13\x66\x00\x68\x7e\xe4\x93\x3b\x35\x38\xbb\xce\xca\x61\xde\xb8\xfb\x0a\x1a\x25\x67\x84\x3f\xd8\x71\xb9\x91\xd5\x14\x32\x9a\x46\x5a\x97\xeb\x92\x12\x35\x76\xe8\x3a\x65\x2c\x51\xdf\xa8\x41\x17\xc2\x62\xa7\xb8\xba\xb4\x7b\xd3\xf8\x1b\x24\xd3\x3e\x68\x7f\x39\x26\x50\x02\xef\x92\xf2\x24\x8d\xe0\x27\xac\x02\x85\xfc\xad\x2a\x3c\x73\x2a\x1e\xd7\x40\x93\x07\x03\x7e\x41\xf3\xa7\x90\x74\x77\x38\x7d\x11\x99\xc1\x8e\x5c\x43\x95\x9b\x2e\xc4\x6c\x07\x8c\xec\x67\xa8\xb5\x59\xb3\x1c\xef\xd8\x56\xf4\x56\xb9\xf8\x1b\xcc\x6a\x8b\x2c\xb1\xa4\xd8\x14\x75\x62\xbd\xac\x60\x34\xe3\xe8\xd3\x5d\x79\x76\x59\x84\x4f\xea\x36\x94\xb3\x28\x8c\xe6\x8f\xa8\xf9\x86\xbf\x2f\xba\x03\xec\x01\x10\x15\x4b\xef\xc8\x40\x22\x58\xaf\xb3\xd5\x83\xd0\xbf\x3d\x02\x79\x80\x73\x86\x7f\xc6\x66\x40\x72\x60\x72\xc8\x2a", 249); *(uint32_t*)0x200059f0 = 0xf9; *(uint32_t*)0x200059f4 = 0x1ff; memset((void*)0x20005a00, 37, 1); *(uint8_t*)0x20005a01 = 0x2c; memcpy((void*)0x20005a02, "seclabel", 8); *(uint8_t*)0x20005a0a = 0x2c; memcpy((void*)0x20005a0b, "permit_directio", 15); *(uint8_t*)0x20005a1a = 0x2c; memcpy((void*)0x20005a1b, "mask", 4); *(uint8_t*)0x20005a1f = 0x3d; memcpy((void*)0x20005a20, "^MAY_EXEC", 9); *(uint8_t*)0x20005a29 = 0x2c; memcpy((void*)0x20005a2a, "subj_role", 9); *(uint8_t*)0x20005a33 = 0x3d; memset((void*)0x20005a34, 125, 1); *(uint8_t*)0x20005a35 = 0x2c; memcpy((void*)0x20005a36, "mask", 4); *(uint8_t*)0x20005a3a = 0x3d; memcpy((void*)0x20005a3b, "^MAY_APPEND", 11); *(uint8_t*)0x20005a46 = 0x2c; memcpy((void*)0x20005a47, "fsname", 6); *(uint8_t*)0x20005a4d = 0x3d; memcpy((void*)0x20005a4e, "&%]", 3); *(uint8_t*)0x20005a51 = 0x2c; memcpy((void*)0x20005a52, "measure", 7); *(uint8_t*)0x20005a59 = 0x2c; *(uint8_t*)0x20005a5a = 0; syz_mount_image(0x20005240, 0x20005280, 5, 0xa, 
0x20005980, 0, 0x20005a00); break; case 37: memcpy((void*)0x20005a80, "/dev/i2c-#\000", 11); syz_open_dev(0x20005a80, 6, 0x40000); break; case 38: memcpy((void*)0x20005ac0, "net/raw6\000", 9); syz_open_procfs(-1, 0x20005ac0); break; case 39: syz_open_pts(r[16], 0x583000); break; case 40: *(uint32_t*)0x20006cc0 = 0x20005b00; memcpy((void*)0x20005b00, "\xa8\x95\xc3\x0e\xdc\x07\x29\x77\x23\xa4\xae\xa8\x02\x03\x46\x22\xd1\xbb\xb8\x5b\x4a\xe3\x62\x8a\xfc\x2d\x4e\x10\x93\x45\x50\xa9\xd9\x2f\x12\xa5\x1b\x9f\x5b\x3a\x7b\x59\x6b\x59\xb9\x9b\x4b\x2a\xca\xed\xda\x32\xb8\x3b\xdc\x26\x3c\x53\xaa\x10\x11\x4a\x14\x9a\x4d\x7a\x4f\x0c\x40\xb9\x46\x15\x9b\x37\x43\x96\xfb\x6c\xd1\x87\x34\xea\x5c\x3a\x51\x92\x78\x62\x22\xda\x89\xf4\x21\x3b\x5d\x9d\x02\x77\x99\xda\x36\xd6\x8b\xd5\x10\xf5\x37\x85\x5c\xe1\x0d\x3b\x84\x39\xc2\x23\x77\x40\xea\x75\x41\x47\x8a\x81\xf9\xf9\x2a\xdc\xeb\x51\x00\x36\x6d\xcc\xf1\x49\xcc\x4c\x59\x79\x69\x59\xba\x5d\x85\xa5\x0d\x0d\xd7\x29\x41\xa0\xea\xbb\xe7\xa9\xdd\x9f\xe5\x08\x50\x11\x3f\x5e\x2d\x05\x5e\x1b\xbc\xd6\x67\xda\xf7\x36\x3e\x02\x7d\x7c\x66\x67\x8d\xad\x2a\xdd\x62\xb5", 186); *(uint32_t*)0x20006cc4 = 0xba; *(uint32_t*)0x20006cc8 = 4; *(uint32_t*)0x20006ccc = 0x20005bc0; memcpy((void*)0x20005bc0, 
"\xf2\x29\xf5\x8b\x9f\xef\x91\xf7\x17\x85\x23\xf0\x41\xa4\x96\x75\x89\x92\x46\x80\xbf\x4d\xc3\x4a\x52\xd8\xf7\xf8\x43\x60\x83\xae\xe9\x4a\xb7\x4f\x03\x69\xf7\x40\x3a\x8c\x26\xb7\x2f\xd4\x4b\x48\x8f\xe5\x9c\x61\x6c\x8a\x1c\xae\x29\x9c\x49\x0e\xb1\x5f\x98\xf8\xf4\x9d\xf3\x35\x02\xcc\xfd\x38\x26\x5f\x6d\x18\x65\x78\xa7\x1b\x92\xba\x5c\x5b\x90\x3f\x9a\x64\xbc\x56\x0a\x43\x59\x0b\xd7\x0f\x76\xef\xb7\xb6\x3b\xc3\x90\x9e\x63\x2d\xb6\x8f\x77\xd9\x8b\xdf\x12\xeb\xe1\x70\x7d\x7d\x14\x36\x85\x74\x90\xc1\x3d\xdb\x23\x9c\x83\x7f\xaf\x46\xea\xd6\x23\x81\xd4\x3f\x3d\x23\x46\xc1\xfc\xd5\xb2\xa7\xa1\xeb\xe9\xfa\x5d\xd7\xfd\xde\xfc\x50\xb0\xe7\xa5\x7f\x50\x0e\x2f\x79\xba\x11\xb1\x89\x72\xdc\x78\x87\x14\x60\xeb\x7e\x2a\x24\x9b\x60\x32\x83\xb5\x12\x83\x20\x55\x5c\x9d\x74\x14\x3e\x02\x7b\xb5\xca\x08\xb4\x62\xae\xbf\x58\x24\x43\x87\x55\x6d\x71\x86\x80\xc4\xa3\x74\x59\xdd", 215); *(uint32_t*)0x20006cd0 = 0xd7; *(uint32_t*)0x20006cd4 = 0x3ff; *(uint32_t*)0x20006cd8 = 0x20005cc0; memcpy((void*)0x20005cc0, "\x79\xfb\xc7\x05\xf3\xf5\xab\x2b\x17\x6d\x8c\x81\xf1\x15\x48\xc5\xfd\x71\x74\x41\x15\xd9\xbc\x95\x33\x2f\xeb\x2a\xe2\x6c\xd3\xb6\xa5\x08\x4c\xf6\x35\xa6\xb1\x9d\x91\x6f\x68\x3e\xbe\x24\x01\x80\xc6\xbb\x6a\x18\xe3\x4f\xa2\x67\x7a\xe7\x45\x61\xf3\xbb\x25\x09\xfc\x09\x59\xad\xc1\x32\xae\x36\x12\x7c\x31\x9f\xcb\x4a\x80\xb0\x25\x1d\xed\xee\xe6\x56\x0f\xd7\x02\x22\x1e\x14\x43\x66\x85\xc7\xfa\x2f\x3a\xf3\x6f\xda\x9d\x69\xd0\x44\xc1\x6a\x77\xe8\x22\xf9\x8b\xf6\x5c\xd4\x58\x33\x54\x4b\xa6\xbd\x06\xb8\x3a\xd7\x8b\x10\x49\xf1\xbc\xdb\x9b\xce\xc0\x47\x38\xa8\x6c\xa3\x7b\x88\x95\x3d\xe3\x54\x9b\x6e\x3a\x4c\x2f\x31\xbd\xd4\xce\xde\xe3\x7b\x70\x3b\x8e\xd6\xd1\x1c\x38\xff\x03\x0a\x10\x18\xaf\xae\xbe\x05\x38\xed\x70\x4b\xbe\x63\x10\xa0\xde\xa9\x43\x05\x66\x65\x29\x01\x69\x92\x99\xc1\x84\xa8\x15\x60\x1e\x01\x86\xa6\xe1\xff\x97\xd2\xb9\x60\x38\xab\x59\x13\xdc\x44\x0e\xde\xd7\x83\x6f\xbd\xd7\xbd\x39\x1a\x90\xcf\x40\x3a\xbb\x6d\xfe\x0f\x7d\xdd\xda\xf1\xa7\xc7\x3f\x02\x19\x35\x33\xf0\xa7\x2e\xf1\xb5\x58\xcf\x6
9\x6f\x57\x22\xa3\xe8\xc0\x92\xc1\x7d\xe9\x8a\xf4\x15\xf4\x0a\xfc\x1f\xfe\x0d\x7c\x7d\x0f\xb4\x4d\x59\x7e\x55\x18\x86\xb4\x0b\x8e\xc7\xde\x8f\x18\xbf\x5e\xd7\xa7\x4a\xcd\xeb\xe9\xb2\xcc\xb9\x8c\xcd\x37\x1d\xf0\x0d\x78\xc9\x7f\x8d\xe0\xab\xe7\xf8\x28\x13\x68\x61\x68\x9b\x0f\x53\x80\xfd\x28\x36\x09\x2c\x1b\xee\xc0\xf4\x51\x9e\x1b\x50\x40\xca\x17\x09\xe0\x83\xee\x61\x1d\x6a\x1e\xbc\x5a\xd1\x85\xd3\x9b\x91\xef\x84\x4a\xf3\x4d\x02\x13\xe6\x3e\xdd\x19\x54\x53\x46\xe3\x01\x2d\x61\xbd\xe7\x1d\x4d\x3c\x52\xcd\x21\x01\xd4\x57\xac\xc0\x15\x23\x81\x81\xfc\xc4\xe9\x2a\x6b\xd1\xc9\xae\x47\x5d\xd0\x4d\x15\xa3\x90\x71\x7c\x29\x5e\x18\x13\x1f\x30\xa1\xb0\x03\xfe\x36\x7f\x88\x9b\xa4\x9e\xd8\x32\x8d\x69\xbd\xe3\x8b\xfd\xb3\x2e\xc4\xff\x21\x2b\x38\x3d\xa6\x54\xad\x2d\xa7\x59\x26\x60\x0d\x56\xfd\x2c\x8a\x64\x81\xc0\x2f\x0d\xd9\x04\x08\xb0\x1d\xcb\xdd\xd0\x1c\xfb\x4c\xf6\x1c\x14\xe8\xaf\xc5\xda\x58\x91\xe9\x3a\x0b\x6f\xe1\x2f\x50\xf0\x62\x94\xd6\x6c\xe3\x71\x0c\x8e\x13\xe7\x97\x62\x9c\x4b\x05\x71\x40\xbd\xb8\xcf\xa3\x84\x83\x0e\x9e\x18\xcc\xcb\x63\xc2\x82\xc9\x7b\x1e\xc7\xcb\xaf\xc5\xf4\x96\xf2\xb0\x30\x53\xf8\x55\x8f\x62\x7e\xaa\x78\x46\x62\xf2\xf4\xf1\x5b\xac\x06\xa3\x8d\xcc\x8c\x3f\x2e\x07\x6b\x2f\xdf\x8b\x62\x2c\x93\xa2\x27\xc9\x0d\x42\xe4\xfa\x38\xda\xcd\x82\xfd\x6c\xd2\x21\x15\x29\x41\x4c\x5c\xf3\x88\x2d\x94\x87\x42\x42\x59\xa6\x51\x4c\x56\xf0\xb7\xd6\x0c\x95\xd3\x44\xa0\x9d\x90\xe7\xdd\x8f\xf0\x73\x21\xd7\xe7\xae\x03\xba\xc6\xde\x0f\xd3\x79\x9a\x8c\x34\xd7\xaa\x3e\x4c\xe7\xcd\x99\x98\x03\x64\xc6\x60\xcc\x09\x97\x46\x15\x2a\x07\xfb\xc0\x26\xfc\x89\x0a\x7a\x57\xf2\x8d\xce\xea\xcd\xc2\x36\x60\xc0\xf8\x59\x2d\x86\xd0\x8d\x99\x64\x4b\x67\x51\xa5\x53\x16\x2b\xa1\x03\x83\xda\x49\x1e\xfc\x3d\x33\xae\xd8\x95\x2b\x8f\x51\xcf\x6c\xfa\x84\xae\x5c\x9d\x76\x89\x8b\xf5\xe8\x09\x90\x8b\xdb\xf8\xcf\x63\x38\xf5\xbe\x2f\x5b\x1e\xa8\x17\x44\xbe\x7e\x72\x68\xc4\x9e\x49\x30\x50\x89\x23\xe6\x39\xd9\xf4\x84\x59\x7f\xc2\x0e\x69\x58\xa2\x69\xe1\x66\xec\x09\xd1\xb7\xe2\xa8\xf7\xfd\x83\xc5\x34\x64\xc3\xa1\xa
c\xc4\x84\xeb\x5f\x9d\xe1\x05\x9d\xa0\x45\xda\x6c\xf6\x63\x07\x9e\x2b\x22\xd7\x8e\x78\xbd\xbc\xda\xb3\x9c\x33\xbc\x5c\x1d\x05\xb8\xd4\x0e\x40\x2c\x8b\xbf\xa5\x74\xf2\xcb\x5a\xfb\x1c\xb1\x99\xe5\x91\x17\x13\x0b\x94\x0a\x96\x48\xe8\x98\xd5\xf0\xf2\x7f\xc0\x04\xc6\x78\xe5\x52\x0a\x4c\x79\x0e\xb7\x0e\xd2\xea\x6a\x60\x61\xe4\x9d\x12\x24\x35\xf3\x48\xcc\x92\x7b\x49\xad\x13\xbd\xf1\x80\x4e\x75\x28\xbc\x1e\x3b\xb6\x33\xf8\xb2\x76\xbb\xbb\xad\x12\x5a\xbe\xcd\x28\x94\xc2\x89\x28\x85\xfc\xd1\x9a\xed\x92\x20\xe4\x63\x2c\x13\x6f\x14\x37\x8e\x29\x91\x20\x40\x40\x65\x71\x1d\xdb\xff\x8d\xf8\x70\xab\xae\x93\x4b\xb5\xbb\x64\xff\xa2\xf7\x3f\x18\xb1\x33\x74\x53\x8a\x08\x37\x9d\x74\xc7\x12\xe0\x2a\x97\xc8\x5b\x08\xad\xae\x84\xf9\xc4\xa2\x91\x66\x56\x12\x9a\xa4\xb5\x46\xf1\x43\x4e\xf1\x53\xff\x7f\x2c\x94\xcb\x42\xb3\xe7\xea\x23\x54\x40\x95\x15\x9e\xe0\xe8\x69\xd7\x8d\x08\xce\x48\x6d\xa4\x30\x4b\x15\x47\x3a\x23\x1f\xec\x42\x3c\xf5\x53\x96\x8c\xa0\x74\x3c\x1c\x4b\x09\x45\x73\x0b\xa4\xe3\xfd\xc3\x1f\xf0\x2a\x48\x70\x56\xc7\x29\xef\x7f\x84\xf6\x5e\x85\xfb\x16\xfa\xbb\x17\x2d\x24\x75\x38\x62\xf9\x20\x34\x60\x28\x8a\x37\xcf\x6e\x6f\x5b\x84\xd1\xd8\x1f\x24\x27\x07\xbf\x57\x5b\x15\x34\xcd\x6b\xea\x81\x0d\xc3\x94\xca\xb3\x1b\x32\x43\x38\x8f\x01\x5b\x99\x98\xaa\x7c\xa3\xe8\x26\xd9\xec\xcd\x95\x32\x87\x33\x28\xf3\x43\xcf\x71\xa0\x79\x82\x0f\xfc\x61\x60\xef\x55\xb7\xda\x7a\x29\x76\x2f\xea\x1b\x45\x22\xb9\x81\xcc\xfd\xac\xea\x0f\x52\xe2\xed\xc3\xec\x50\x16\x89\xe8\xc5\xe0\x88\x54\x43\xd1\x3e\xa4\xda\xe6\x07\x65\xf9\xed\x48\x68\x6b\xeb\x01\x0b\xb0\x4e\x2f\xa7\x3f\x3a\xd0\x8a\x77\xf0\xc2\xf5\x9a\x99\xc4\x72\x30\xb8\x52\x9d\x1b\xa2\xbd\x09\x1d\x83\x6d\xd3\x08\x99\xe7\xe8\x41\x71\xf2\xa8\x86\x7b\x16\x49\x22\x8e\x85\x15\xcb\x39\x8b\x75\xa5\xbc\xa2\xe7\x11\x4a\x7a\xf7\x1b\x18\x5f\x37\x1b\x4f\x9f\x68\x9e\x81\xf2\x25\x97\x54\x89\x6f\xf5\x46\x85\xbc\x7b\x9c\xf5\xf5\xfd\x14\xd0\x63\xd2\xf8\xc6\x20\xff\x19\x5e\x26\x36\x0a\x21\xd9\x2d\x19\x02\xa7\x48\x35\xe0\x25\x4f\xe4\x73\x75\xa0\xf1\x71\x11\xd1\x45\x9d\x77\xd
f\xcf\x0a\xdf\x21\x59\xc2\x00\x35\x35\x75\x78\x90\x15\x01\xa4\x09\x2e\x64\x14\xc5\x43\x41\x73\x11\x5a\x4a\x03\x39\x9d\x81\x34\x91\x33\xd3\xac\x25\x4b\x69\xfd\x90\x6f\xbc\x11\x56\xbe\xaa\xea\xb3\x7f\x1f\xd9\xfe\xfa\x37\x7c\xa1\x3b\x58\x19\xe5\x36\x1a\x75\x03\x2d\x78\x8c\xe9\x5c\xe9\xd1\x61\xdd\xfa\x04\xa5\x55\x29\x71\x68\xf6\xe0\xf3\x17\x6c\x8b\x0c\x41\xc8\x42\xce\x33\x81\x3b\x59\xeb\x0a\x9c\x3b\xcd\xf4\x65\xad\xe6\xd2\x9d\x0e\x25\x74\x41\x16\x77\x5b\x2f\x14\xd0\x30\xf5\xb2\x18\x1c\x89\x6a\x29\xcf\xc2\x9d\xcb\x9f\xaa\x9e\xa0\xed\x4a\x45\x45\xe2\xe5\x41\x29\x51\x12\x6b\x30\x99\x8b\x7b\x58\xc4\x47\x44\x84\x1d\x85\xe7\x9c\xc7\x61\x3b\x3b\x4a\xd0\x18\x72\x10\xc5\xb3\xe8\x19\x59\xc9\x38\xa8\x9e\xa5\xa7\x68\x1b\xcc\xc0\x2c\x55\x58\x3d\x69\xfa\xcc\x86\x53\x95\x27\x9c\xce\x47\xa8\xc4\x6c\x3b\x99\xd3\xbc\xba\xda\xea\xce\x79\xc1\x22\xc8\x7e\x72\xa9\x91\xd3\x1a\xe5\x2e\xa9\x5d\x35\xc6\x16\xb5\xae\xbf\xd9\x86\x40\x90\x33\x18\xdc\x60\x00\x21\x08\x6c\x28\x07\xf1\xfc\x8a\xe7\x61\x40\x7f\xcf\x43\x11\x09\xaf\xd1\x9e\xc4\xb0\x3a\x94\xeb\x9c\x89\x4f\x86\x6b\xb4\xb9\xa3\xa5\x86\x24\xcf\xa6\xae\x7d\x44\xd2\xf2\x02\x83\x5a\xc9\x90\x3d\x23\x26\x14\x0f\xc5\x47\x9b\x94\xba\x27\x5f\xe8\xf6\xba\x03\x9d\x98\xf5\x8d\x9c\x00\x60\x26\xff\x15\x5f\x0d\x36\x8c\x51\xd0\x05\xd2\xaf\x37\xa6\x14\xc1\x41\x88\xed\x22\x6c\x9f\x67\xc7\xb7\x83\x93\x3d\x05\x23\x5c\xb2\xf8\x81\x0f\x18\x89\xd1\x26\xed\xac\xe7\x40\x78\xb0\xf9\x0c\x6f\x2c\x16\xd0\x1d\x60\xdd\xe2\xd4\x6a\xb8\xc2\x53\x2a\xe0\xc1\x54\x01\x05\x57\x52\xfb\x19\xdb\xe5\x49\xcc\xbe\x43\x85\x9c\xcb\x4d\x47\xc9\x9e\x6f\x54\x02\xce\xd2\x3d\x44\x90\x29\x80\x2a\xd7\xd2\x99\x0b\x94\x1f\xad\xb0\xde\x10\xf9\xfe\x17\x84\x61\xe1\x14\xc7\xca\x31\x36\xf7\xfb\xad\x6e\x1d\x71\xeb\x1a\x1a\x24\xfb\x89\x2e\x7f\x1a\x41\xb9\xeb\x92\xd5\xb0\x4a\x79\x49\x1e\xef\x83\x18\xce\x1d\x98\x06\xe7\x06\x4e\x0f\xda\x0a\x66\xa7\xb6\x95\xa6\x78\x15\x60\xba\x98\xbf\x4d\x54\x00\x79\x5b\x11\xfe\xab\x29\x73\x53\xa7\x2a\x2d\x78\x5f\xf2\xfa\x3f\x06\xe6\x39\x5a\xab\x65\x6e\x55\xef\x7f\x49\x51\x7
6\x03\x86\xcd\xb1\xa1\xd2\x30\xda\x5b\x09\x44\xa9\xaf\x05\xa7\x6b\xce\x13\x88\x69\x2a\xfa\x4b\x21\xc3\x46\x4a\x2b\x50\xdd\x0d\x2a\x0f\x64\x51\xa4\x3f\x2e\x48\x62\x29\x0b\xe1\xf1\x29\x74\x60\xeb\x51\x39\x9f\xa9\x68\xf8\xdc\xa4\x19\x39\xa6\x19\xd1\x0a\x8a\x01\xad\x1b\x64\x93\xb0\xf8\x9a\xad\xc5\xf0\x6f\xf9\x26\x46\xff\x2f\xbd\x33\x6c\x97\x73\xa9\x33\xeb\xb1\xde\xee\x49\xa2\x67\xd8\xd1\x95\xe1\x3f\x58\x39\xc9\x54\xd8\xda\x7c\x02\x2c\xbd\xd8\xa2\x68\xdb\x8a\x06\x5c\x63\x24\x77\x56\x79\x54\x03\x3b\xd3\x40\xdb\x14\x5f\xd4\xee\x3c\x1e\x6e\xf1\x5f\xd4\x5e\x72\xf5\x27\xad\x2b\xa3\xbb\xf8\xa9\x4b\xa2\x5a\x23\x7c\xed\x70\x50\x4b\x6d\x20\xc8\x99\xa6\xd1\xa4\x09\x2b\x57\x2a\xc7\x44\xf6\x2e\x04\x4b\x25\xf4\xf1\x09\x7e\x12\xbc\x0b\xfd\xa3\x6c\xad\xd3\x4a\x0a\xa7\xbd\x49\xa3\x82\x08\xee\x36\x60\x3f\x1e\x9c\x56\x7d\xe6\x94\xcb\xba\xe7\x36\x1e\x99\x79\xa8\x4d\x58\x9f\xbd\x5f\x05\xfa\x73\xfe\x31\x68\x37\xdd\xb9\x67\x2c\x63\x75\x90\x77\x79\x33\x71\x17\xbf\xfe\x5a\x85\x09\x93\x99\xe3\x5e\x9c\x3a\x50\xbe\x94\xa4\xed\x33\xa5\x86\x3d\xa7\x37\x7e\x5c\x8b\xce\xd5\x22\x0d\xa0\xaa\x9f\xc0\x97\xbc\x61\x3b\xb7\x6e\xe7\x0b\x6a\x0b\xd9\x78\x01\xb0\xad\xc5\x7b\xc6\xd3\xc0\x26\x51\xf1\x64\xf7\x80\x9f\xb7\xeb\xe2\x18\x73\xf9\xa1\x7a\x65\xa8\x38\x0e\x5f\x1a\x18\x17\xdb\xea\x2e\xa9\x6f\x9b\x1e\xf1\xbe\x6c\x1f\xcd\x53\xc6\x2e\xa2\xba\xce\xe8\x66\xf3\x57\x4b\x1a\x35\xc5\xf8\xc5\x93\xd2\x01\x07\xd6\xcd\xe2\x6c\x84\x0e\xa8\x3f\xae\x8d\x77\x7e\xa1\x22\x7b\xd1\xaf\x62\x19\x83\x35\x3e\xf0\x27\x57\x01\x96\xf8\xfb\xdf\x4f\x79\xa7\x81\x2b\x7f\x71\x8f\xca\xa5\xec\x35\x53\x97\x9a\x86\x4b\x8c\x65\x3e\x9c\x9e\xcf\x8e\x68\x3b\xfc\x55\x8e\xf2\xd9\xb7\x64\x7e\xfc\xd5\xbe\x98\xf4\x3d\x0d\x38\xd9\x47\x4a\x7a\x50\x74\x0a\x5a\x23\x02\x31\x92\xd4\x5b\x43\x34\x38\x0e\x99\x5b\x8d\xbe\x94\x30\xea\xa1\xa8\x26\x85\x5b\x3d\x7e\xc2\x2f\x6c\xbe\xa4\x4b\x75\x53\x66\xba\x42\x76\x21\x77\xdb\xa9\x80\x65\xdc\x59\xef\x23\x92\x49\x7c\x17\xd2\xe8\x99\x23\x0c\xe3\x4f\xfa\x7f\xc2\x75\x0c\x9b\x25\x5a\x2b\x53\x42\x3d\x9c\xa1\xbd\x3a\xab\x8b\xa
4\x71\xf3\x9f\x10\xa2\x50\x05\x0a\x22\x54\x1e\x08\x35\xe8\xa3\x93\xe1\x76\x20\x9c\x31\xd2\x5b\x6e\x1f\x69\x9c\x82\xeb\x15\x55\xf0\x47\xa6\xe8\xf9\x1d\x97\xcf\x2a\xba\x02\x50\xa7\xf3\x11\x67\xb8\x61\x54\x89\xfb\x5c\x90\xcf\xce\x45\xcc\x63\xcd\x21\xd0\x01\x5b\x58\x0c\xae\x16\x45\x2f\x01\x43\xd3\x0c\xb9\xee\xce\x66\x21\x93\x1f\x5d\xc5\x42\x8b\x2f\x92\x58\xd7\xe8\xfb\x10\xec\xfe\x72\x06\x06\xad\x71\x94\x11\x10\xbd\x67\xaf\x44\xce\x4e\xa0\x03\x77\x99\x97\xc4\xac\x5c\x11\x1b\x77\x91\x71\x2b\x79\x76\x52\x37\xf7\xa2\x79\xec\x43\x3f\x18\xfa\x8e\x69\x60\x43\x68\x00\x8c\xa9\xa5\xd6\x26\x44\x41\x79\x84\x88\x72\x54\xf4\xd1\x7a\x1c\xdf\x8b\xde\xbc\x90\x76\x2a\x64\xc5\x0c\x58\x6d\xa8\x59\x8f\x15\x56\x61\xe9\x3f\xea\x74\x65\x29\x6f\x6c\xce\xe5\xdf\xf3\x6c\xcb\x6c\x46\xdf\xbd\x24\x84\x60\xbb\x39\x12\x4c\xd3\xf9\xac\x2c\xd9\x16\x77\x66\xd2\x24\xe2\x97\x6f\xac\xed\xcd\x65\xff\x28\xc4\x18\x08\xc9\x8c\xcf\xe3\x1b\xa1\xef\xa8\x69\xf5\x16\xb6\xfc\x8b\x3a\x7d\x6f\xa1\xfb\xc8\xe1\x82\x67\xa8\xef\x0c\xfa\x96\xc4\xc6\xc8\xdb\xf9\x45\x21\x1d\x98\x89\x89\x95\xab\x76\xc1\x63\x06\x35\x47\x8f\xde\xb5\xb7\xfc\x9b\xba\xe3\x07\xd0\x54\x50\x2f\x17\x45\x27\x87\x47\xa5\xae\x90\x85\xe2\xce\x6f\x7b\xdd\x02\x2c\x68\x0d\x1f\x8a\xda\x4c\xb6\x30\x66\x42\x3f\x77\x04\x2b\x9a\xe4\xa1\x38\x6f\x41\x6c\xb9\xb4\x11\x00\x12\xe8\x00\x57\x04\xcd\xff\xae\x04\x41\x86\x89\xfd\x64\xd1\xe8\x83\x27\x49\xb7\x46\xc1\x41\x2e\x91\xc3\x81\x68\x4a\x80\x30\x5a\xad\x84\xd6\x2f\x1c\xc5\xfd\x5d\x26\xa2\x47\x6b\x5b\xfe\xd4\xdc\xcf\x7f\x35\xbb\xb0\x7e\xff\x6c\xa5\x09\x05\x0f\xea\x82\x04\xa3\x9d\x25\x5e\xc1\xc8\x3d\x0d\x38\xff\x3a\x9d\xa4\x28\x5b\x99\xf9\x8b\xfa\x2a\xfb\x12\x01\x63\x01\xbd\xce\xa9\xc4\xb8\x05\xf0\x3f\x5c\x1d\x64\xb2\x31\xe2\xf0\x12\xc3\x39\x88\xfe\x59\x31\x82\xbe\x19\xe5\x33\xae\x72\x4b\xc5\xf3\x74\xc5\xdb\x4e\x26\x7d\x11\xeb\x7c\x3b\xf6\x51\xd8\x53\xf4\x87\x32\x1b\x59\xe3\xc5\x80\xe0\x9f\x55\x10\x1d\x52\x95\x81\x12\xea\xd4\x84\xda\xac\x70\x62\xb2\x74\x5b\x3e\xf0\xd8\x6c\x3f\xf4\xc9\xcd\xb0\x4e\x5c\x61\x26\x56\x2f\xa8\x0
7\x2d\x44\x08\xc5\xa4\x1f\x38\x88\x90\x0c\x61\x7b\xb3\x2c\x60\x7e\x3c\x67\x88\x01\x37\xa4\xfd\xa0\x0f\x25\x73\x96\x95\x27\xf3\xac\x8b\xc7\x3d\x4a\x1c\xa6\x3a\x6e\x55\x28\x3a\x43\x75\x90\xcb\xa5\x84\xaf\xf7\xda\xab\x6d\x95\x08\x57\xf3\x06\x4a\xfa\x06\xd8\x49\x89\xb1\xf1\xfe\x7a\x07\x11\x8d\x84\x67\x33\x3b\xd9\xc3\xb0\xbf\x57\x4a\xec\xc5\xbd\xf1\x85\x88\x69\xc0\x2f\x2e\xc1\xad\x26\x6d\x13\x54\x99\x41\x6a\xa1\x6c\x3e\xec\x12\x2d\x6e\x57\x70\xf9\x26\x77\x4e\xc2\x69\x15\x5f\x36\xc7\xab\x25\xfc\x2c\xf6\x51\xf6\xde\x56\x32\x9e\x3c\x2f\x9a\xdf\x11\xb8\x9c\x5b\xa3\xa4\xbd\xd6\xed\x16\x04\xe6\x6a\x80\x50\x14\x98\x1b\x6c\xc8\x4b\xd7\x8d\x9e\xf9\xb5\x2e\x8f\x0e\x09\x70\x05\x21\x0a\x9e\x00\x81\x68\x47\x0f\xd1\x2a\x2c\x3e\xe6\x0d\x1c\xef\x8c\x35\xca\x58\xd8\x62\xb6\x81\xe7\x4c\xf6\x0b\x08\xca\xeb\x22\xaf\x37\xfb\x04\x5f\xdf\xf3\x53\x2a\xf6\xf1\x16\x22\x90\x93\x42\x15\xc8\x52\xe8\xbd\x41\xbe\x48\x8d\x56\x6e\xe2\x49\x7e\x6d\xfe\x85\x52\x50\x85\x3e\x6c\x24\xde\x6e\x0a\xab\xbc\xf5\xc5\x7b\xea\x60\x2e\x80\x82\x97\xa6\xf3\xee\xdf\xc7\x62\x2c\x60\x10\x6f\xe5\xac\x3c\x2c\x18\xf1\x9d\x80\x93\x6e\x13\x85\xb1\xb1\x1f\x34\x34\x8e\xe9\x79\x4b\x4c\xef\x18\x55\xcf\xea\x0b\x4c\x67\xf4\xa3\x6f\x69\xe6\xee\xe3\x98\x1a\xf6\xe3\x2c\xbf\xd7\x9b\x36\xf6\x48\x7f\x51\xe6\xbc\xfb\x5e\x25\x0c\xff\x78\x92\x52\x15\xf6\x02\x6f\x86\x9e\xd1\xe3\xc3\xea\x65\x9c\xf5\x80\xb3\x7f\xc8\xa8\xfb\x06\x41\x8f\xfd\x26\x63\xfb\x1c\x5b\x2a\x58\xae\x63\x44\x83\x89\x84\xb9\x60\x81\xae\xe1\x4d\xc7\x4a\x36\xbb\x18\x8a\x15\xfc\x47\xa0\xe8\xfb\x1d\xa2\xc9\x29\x09\x12\x53\x00\xf6\xcc\x9f\xf2\x81\x5a\x86\xbd\x0f\x51\xd3\x8c\xb1\xd9\x20\x65\x5a\x34\x34\xca\xa4\x3c\xba\x6a\xeb\x04\x53\x8b\x0a\xe6\xfc\x4d\xf1\x42\x9f\xca\x0c\xb9\xbf\x55\x05\xd5\x21\xd9\x4c\xea\x75\x9f\x50\xb9\xfc\x8f\xbd\x0d\xb1\x8b\xaa\x08\x03\xd1\x6a\xec\x6e\x59\x88\x70\xed\x80\x14\x9f\xdf\x70\xf5\x7f\x4b\x89\x32\x0f\x3a\x57\x17\x68\xbb\x09\x66\xf0\x8e\x6a\x1a\x93\xfa\xd9\x3b\xaf\x72\x88\xe6\xa6\x6f\x15\x8e\x35\x9d\x47\x24\xb3\xd5\xec\x61\xde\xe3\xa6\x4e\x1e\xab\xf
0\x82\x7e\xa7\x9c\x2a\x7b\xac\x1f\x37\xf8\x1f\x09\x69\x1d\xad\x1f\xf6\x82\x49\x93\x25\xe7\x85\x73\xd6\x03\x10\x52\x92\xf8\x44\x1c\x72\xd4\xa8\x6e\xab\x95\x5e\x9a\xb0\xb6\x66\xc7\x1c\x86\xd1\x77\xa5\x94\xfa\x10\xdd\x0f\xf6\x5d\x38\x6c\x54\x4c\x21\xc3\x5e\x41\xef\x27\xbe\xc9\x4d\xab\x6f\xc3\x38\x70\x06\x01\x7e\x54\x59\xad\x20\xca\xcd\x5a\xfe\x56\x1f\xad\xd3\x80\x4b\xef\x50\xfe\x91\x09\xc0\xcf\x20\xd5\xfb\x32\x0a\x19\x19\x0e\xa3\x23\xc5\xbb\x45\x6d\xc7\x33\x8e\xd1\x9b\x5e\xa1\x17\x27\x7c\xda\x66\xbf\x37\x65\x7b\x27\x86\x25\xc9\x86\xf5\x44\x77\x75\xba\xf7\xc2\x83\x56\xd4\x31\xa3\x82\x0e\x3e\x24\x57\xe5\x3e\xba\xd4\xb7\xd8\xb0\xee\xa6\x4b\x5f\x17\x62\xdd\xb1\x16\x9b\xce\x93\x8a\x22\xaa\x17\x4b\x33\xaf\xd2\xb6\xca\x3f\xd2\x1e\x40\x2c\x4e\xba\xa6\x53\x97\xde\x07\x5d\xbc\x91\x41\x29\x16\x35\x04\xe2\x86\x72\x57\x89\xf3\xea\xfb\x66\x30\x29\x4c\x9e\x9e\xd8\x76\x5b\x41\x64\x12\xe6\xa7\x4a\xda\x02\xdf\x4b\x66\x8b\x95\xf1\xab\x41\xda\x29\xee\x91\x8a\xb5\xa5\xea\xa3\x45\x01\x47\x07\x76\x36\x9e\x96\x12\x9c\x89\x8c\xcc\x10\xef\x66\xa2\xce\xb8\xb4\xed\xfe\xad\x79\xff\xd8\x98\xd5\xde\x2d\xb4\x60\x87\x9f\xb2\x3b\x2a\xfc\x14\x66\x47\xc9\x49\x36\xa7\x03\xbb\x3c\xe5\x0f\x7e\x5e\x7d\xbf\xe7\x29\x57\xea\x5c\x48\x9e\x01\x0f\x08\x95\x84\xe0\x69\xaf\xf5\x3e\x8e\x03\xe1\x5c\xb8\x33\xa9\x61\x0a\xe7\xa9\xc2\x62\xc5\xcd\x37\x1b\x81\xf9\xaa\xbb\x03\x0d\xdd\xae\xed\xad\x10\x19\xd2\xe9\xdb\xe7\x17\xde\x10\xad\x3a\x49\x1e\x29\x0b\x2b\xfc\xda\x80\xed\xc5\xa1\xc1\x60\x12\x52\x7c\x5f\xa2\x79\xa6\x7c\x5d\x01\x13\x24\xa7\x9a\xad\x7c\xb7\xa9\x76\x6c\x64\xa1\xfc\xc2\x78\x4b\xe7\xab\x91\x2f\x7d\x4c\xc5\x71\x0c\x9e\x5a\x1f\x97\xf0\x0b\xb8\x69\x8d\x5f\x6e\x58\xe6\xb6\x9a\x1e\x8c\xcb\x7a\x22\xd3\xf4\xfb\x1f\xb6\x0a\x4b\xb9\x4d\x49\x2b\xc5\xe4\xa8\xbb\xe6\xb5\x34\xc1\x75\x00\x01\x6a\x89\x0a\xd5\x29\xdf\xf4\x2f\xb5\x13\x45\xc7\x65\x35\x1a\x5d\x87\x79\x12\x54\xb7\xdc\x62\x90\xe2\x76\xf1\xc2\xd8\xf7\x82\xcb\x2d\xbd\x2e\x70\x13\x09\xe6\x43\x06\x19\x25\x69\x40\x67\x02\x7f\x6d\x95\x65\x09\xb2\x47\x3c\x5b\x5c\x66\x08\x7
6\xdd\x69\x7e\x5d\x1b\xfb\x8e\x48\xc5\xbe\x80\x4a\x27\x5d\xb0\xed\x4c\x5a\x02\x40\x85\x93\x60\x8e\xcb\x2c\x97\x1d\xa8\x25\xf8\xd4\x8d\xd6\xc6\x4b\x98\xef\x9e\x28\x52\xd1\x6e\xea\xc2\x12\x13\x4a\xba\x3e\xfb\x67\x00\xd5\xa0\x52\xba\x23\x27\x18\x5a\x1c\x56\x05\xfe\xa9\x07\xf1\xf7\x63\xaf\x01\xc5\x03\xa7\x67\x00\x97\x00\x9f\x73\x63\x88\x31\xed\x01\x8b\xc8\x03\x27\x49\x37\x97\xa7\x2f\xce\x75\x38\xb2\x2e\x16\xfe\x27\x48\xc9\x66\xf3\x8f\x5b\x56\x89\xd8\x8c\xc6\xf2\x21\xd4\x06\x21\x47\x2d\x5a\x5a\x40\xa1\x72\x9e\x51\xe3\x60\xf4\xc4\xc9\xb1\x13\xf3\x0b\x96\x99\xd2\x77\x21\x14\x27\xf3\x60\xae\xd4\x5e\x01\x74\x98\x3d\x7a\xed\x11\xf8\x9b\x0c\xa0\x87\x41\x44\xe3\xfd\x83\xca\x6d\x88\xcf\x4d\x8d\x81\xde\x61\x3d\xb7\x27\x2d\xc5\xcf\x74\x5a\x65\x0b\xf3\xcc\xad\x96\x48\x7d\xd2\x4b\x1a\xcc\x8a\x8b\x96\xa9\x9d\x48\xbc\xcf\xa4\x78\xdc\xbb\xb0\x66\xcb\x8f\x19\x0f\x0d\xac\xcf\x91\x6f\x4d\xbc\x63\x44\xe5\xe0\x26\x07\x4d\x42\xd9\x62\xdf\xd2\x8b\x1d\x57\x8a\x17\x07\x3f\x78\xb7\x1d\x6f\xf7\x85\x25\x80\xb1\xc6\xe8\x3b\x8a\xc5\x15\x58\x49\xc1\x26\xa6\xbc\x54\x24\x6d\x15\xf7\x59\x92\x9c\x72\xbf\x44\xba\x8c\x78\x38\x12\xe7\x3d\xa5\xa6\x94\xf9\x6d\x52\x00\xf1\x9c\x82\x0c\x8c\x86\x51\xfb\x2b\xe7\xf7\x6c\xd2\x8a\x54\xae\xea\x4f\x0e\x09\x92\xb8\x4d\xbd\xef\x78\x92\x13\x4e\x37\x9f\x14\x0f\xb0\xb1\x22\x30\x99\x3d\xcc\x13\xbc\x48\x9c\x94\x26\x07\x63\xc1\xa8\xec\xf7\xaa\xeb\xe1\x1a\xe6\xf4\x39\xb7", 4096); *(uint32_t*)0x20006cdc = 0x1000; *(uint32_t*)0x20006ce0 = 0x34; syz_read_part_table(0xb0, 3, 0x20006cc0); break; case 41: *(uint8_t*)0x20006d00 = 0x12; *(uint8_t*)0x20006d01 = 1; *(uint16_t*)0x20006d02 = 0x201; *(uint8_t*)0x20006d04 = 0x10; *(uint8_t*)0x20006d05 = 0x2a; *(uint8_t*)0x20006d06 = 0xdc; *(uint8_t*)0x20006d07 = -1; *(uint16_t*)0x20006d08 = 0x781; *(uint16_t*)0x20006d0a = 5; *(uint16_t*)0x20006d0c = 5; *(uint8_t*)0x20006d0e = 1; *(uint8_t*)0x20006d0f = 2; *(uint8_t*)0x20006d10 = 3; *(uint8_t*)0x20006d11 = 1; *(uint8_t*)0x20006d12 = 9; *(uint8_t*)0x20006d13 = 2; *(uint16_t*)0x20006d14 = 
0x71c; *(uint8_t*)0x20006d16 = 3; *(uint8_t*)0x20006d17 = 9; *(uint8_t*)0x20006d18 = 3; *(uint8_t*)0x20006d19 = 0x50; *(uint8_t*)0x20006d1a = -1; *(uint8_t*)0x20006d1b = 9; *(uint8_t*)0x20006d1c = 4; *(uint8_t*)0x20006d1d = 0x34; *(uint8_t*)0x20006d1e = 9; *(uint8_t*)0x20006d1f = 0xc; *(uint8_t*)0x20006d20 = 0x2d; *(uint8_t*)0x20006d21 = 0xe7; *(uint8_t*)0x20006d22 = 0xd6; *(uint8_t*)0x20006d23 = 0xc4; *(uint8_t*)0x20006d24 = 0xa; *(uint8_t*)0x20006d25 = 0x24; *(uint8_t*)0x20006d26 = 6; *(uint8_t*)0x20006d27 = 0; *(uint8_t*)0x20006d28 = 0; memcpy((void*)0x20006d29, "\x9e\x3d\xd8\x3f\x5e", 5); *(uint8_t*)0x20006d2e = 5; *(uint8_t*)0x20006d2f = 0x24; *(uint8_t*)0x20006d30 = 0; *(uint16_t*)0x20006d31 = 2; *(uint8_t*)0x20006d33 = 0xd; *(uint8_t*)0x20006d34 = 0x24; *(uint8_t*)0x20006d35 = 0xf; *(uint8_t*)0x20006d36 = 1; *(uint32_t*)0x20006d37 = 0x40; *(uint16_t*)0x20006d3b = 5; *(uint16_t*)0x20006d3d = 0x101; *(uint8_t*)0x20006d3f = 5; *(uint8_t*)0x20006d40 = 8; *(uint8_t*)0x20006d41 = 0x24; *(uint8_t*)0x20006d42 = 0x1c; *(uint16_t*)0x20006d43 = 0x1000; *(uint8_t*)0x20006d45 = 2; *(uint16_t*)0x20006d46 = 8; *(uint8_t*)0x20006d48 = 7; *(uint8_t*)0x20006d49 = 0x24; *(uint8_t*)0x20006d4a = 0x14; *(uint16_t*)0x20006d4b = 0x8671; *(uint16_t*)0x20006d4d = 0; *(uint8_t*)0x20006d4f = 0xc; *(uint8_t*)0x20006d50 = 0x24; *(uint8_t*)0x20006d51 = 0x1b; *(uint16_t*)0x20006d52 = 0xfffd; *(uint16_t*)0x20006d54 = 9; *(uint8_t*)0x20006d56 = 0; *(uint8_t*)0x20006d57 = 5; *(uint16_t*)0x20006d58 = 0x100; *(uint8_t*)0x20006d5a = 0x5f; *(uint8_t*)0x20006d5b = 5; *(uint8_t*)0x20006d5c = 0x24; *(uint8_t*)0x20006d5d = 0x15; *(uint16_t*)0x20006d5e = 0x40; *(uint8_t*)0x20006d60 = 7; *(uint8_t*)0x20006d61 = 0x24; *(uint8_t*)0x20006d62 = 0xa; *(uint8_t*)0x20006d63 = 0; *(uint8_t*)0x20006d64 = 1; *(uint8_t*)0x20006d65 = 4; *(uint8_t*)0x20006d66 = 1; *(uint8_t*)0x20006d67 = 7; *(uint8_t*)0x20006d68 = 0x24; *(uint8_t*)0x20006d69 = 0x14; *(uint16_t*)0x20006d6a = 0xff81; *(uint16_t*)0x20006d6c = 0x9c6f; 
*(uint8_t*)0x20006d6e = 9; *(uint8_t*)0x20006d6f = 5; *(uint8_t*)0x20006d70 = 0x80; *(uint8_t*)0x20006d71 = 0x14; *(uint16_t*)0x20006d72 = 0x10; *(uint8_t*)0x20006d74 = 0x15; *(uint8_t*)0x20006d75 = 0x1f; *(uint8_t*)0x20006d76 = 8; *(uint8_t*)0x20006d77 = 7; *(uint8_t*)0x20006d78 = 0x25; *(uint8_t*)0x20006d79 = 1; *(uint8_t*)0x20006d7a = 0x80; *(uint8_t*)0x20006d7b = 0; *(uint16_t*)0x20006d7c = 0; *(uint8_t*)0x20006d7e = 9; *(uint8_t*)0x20006d7f = 5; *(uint8_t*)0x20006d80 = 0x8b; *(uint8_t*)0x20006d81 = 0; *(uint16_t*)0x20006d82 = 0x7ff; *(uint8_t*)0x20006d84 = 0xed; *(uint8_t*)0x20006d85 = 1; *(uint8_t*)0x20006d86 = 2; *(uint8_t*)0x20006d87 = 9; *(uint8_t*)0x20006d88 = 5; *(uint8_t*)0x20006d89 = 8; *(uint8_t*)0x20006d8a = 4; *(uint16_t*)0x20006d8b = 0x200; *(uint8_t*)0x20006d8d = 0x81; *(uint8_t*)0x20006d8e = 6; *(uint8_t*)0x20006d8f = 2; *(uint8_t*)0x20006d90 = 0xeb; *(uint8_t*)0x20006d91 = 1; memcpy((void*)0x20006d92, "\x8c\x3f\x63\x08\x61\x54\x14\x1f\x73\x9f\x28\x70\xd3\xa8\x18\x84\x90\x5e\x8c\x3f\xf7\xeb\x64\x25\x08\x52\x04\x07\x7b\x41\x02\xc3\xd8\x1b\xfd\xf4\xb2\x62\xfa\x95\xb2\x68\x56\x12\x28\xb7\x47\xfc\xa9\x1f\x5f\xde\xb5\x92\xb3\x79\xd6\x6a\x5f\x1d\x2d\x1d\x73\x5f\xd0\x2b\x3b\x24\x02\xd0\x34\x0f\xcc\x8a\xc6\xc5\x44\x72\x0c\xb5\x96\x00\x8a\x93\xb0\x20\x2c\xb8\xf9\x55\x83\x44\xcb\x20\x0e\x0b\x4b\x52\xaa\xd1\xe7\x0d\x9c\x00\x49\xff\x2a\x6b\x54\x6e\x35\x02\xbc\x88\x1f\x3e\xb6\x55\xaa\x81\x7a\x2a\x3f\xd9\x5a\xd1\xbe\xa6\x8a\xb0\x48\xc1\xa4\x3e\xd3\x45\x8b\x67\x4c\x27\xdf\x09\x05\x68\xc3\x71\xa9\xe0\x0c\xbc\x2b\x59\x7a\x73\x0a\x18\x64\x44\x75\x83\xe3\x0b\x8b\x9d\x27\x74\xd8\x84\x57\x53\x11\x84\x3a\x18\xbf\xe0\x05\x2b\x40\x47\x14\xc7\x22\x76\x63\x42\xb2\x26\xc4\xfe\x8e\x87\xee\x44\x82\x50\xc3\xb3\x66\x8a\xb5\x07\x45\xe0\xfb\xb6\xe9\x69\xe6\xb4\x9b\x9b\x85\x28\xce\x81\xdf\xaa\x24\xe1\x43\x80\x72\xd0\x7d\x6e\x92\x60\x2a\x39\x05\x35\xf6", 233); *(uint8_t*)0x20006e7b = 9; *(uint8_t*)0x20006e7c = 5; *(uint8_t*)0x20006e7d = 0xc; *(uint8_t*)0x20006e7e = 8; 
*(uint16_t*)0x20006e7f = 0x40; *(uint8_t*)0x20006e81 = 1; *(uint8_t*)0x20006e82 = 5; *(uint8_t*)0x20006e83 = 0x20; *(uint8_t*)0x20006e84 = 9; *(uint8_t*)0x20006e85 = 5; *(uint8_t*)0x20006e86 = 7; *(uint8_t*)0x20006e87 = 0x10; *(uint16_t*)0x20006e88 = 8; *(uint8_t*)0x20006e8a = 0xbc; *(uint8_t*)0x20006e8b = 0; *(uint8_t*)0x20006e8c = 7; *(uint8_t*)0x20006e8d = 7; *(uint8_t*)0x20006e8e = 0x25; *(uint8_t*)0x20006e8f = 1; *(uint8_t*)0x20006e90 = 1; *(uint8_t*)0x20006e91 = 5; *(uint16_t*)0x20006e92 = 9; *(uint8_t*)0x20006e94 = 0xd4; *(uint8_t*)0x20006e95 = 0x22; memcpy((void*)0x20006e96, "\x70\xc2\x39\x55\xe1\xd1\x6c\xde\xf4\x16\xbc\xb1\x38\x10\x89\x67\xf0\xe9\xac\x2c\x09\x6f\xe9\x36\x2b\x99\xec\x6c\x19\x8d\x2f\x0f\x04\x46\xce\x29\x33\x28\x44\xfd\x54\x6d\x23\x23\xe7\xf9\xd7\xb2\x71\x3c\x1f\x92\xb9\x0b\x44\x81\xbf\x8d\x4e\xa3\x4e\xa8\x32\x1b\x58\x5d\xb5\xf3\xcc\x6f\x63\xfc\x9e\xe5\x43\xe8\x6c\x15\x76\x9e\x08\xa2\x12\xc2\xff\xb0\x23\x7d\xef\xb1\xa2\x82\x28\xe9\x99\xfa\xbf\x37\x33\xa2\x7b\x82\x87\x03\xfa\xaa\xc0\x53\xd4\x4f\xe7\xa6\x6d\x7a\x27\x8e\x31\xf1\x5d\x65\xed\xb3\x49\xb1\x57\xa7\x99\xd9\x22\xf0\xc9\x70\xf9\x8b\x35\xb7\x56\x50\x79\x31\x23\xe0\x57\x52\xd7\x4d\xdb\x89\xf0\xfc\xc0\x47\x98\x22\xa0\xf8\x33\xf4\x34\x3a\x70\x54\x8b\x3b\x4c\x80\x57\x4b\xe7\xcf\xdd\x59\xdb\x69\xce\x1e\xfc\x24\xca\x44\xee\x31\x66\x09\xf5\x8c\xa5\xa3\x0d\xee\x0b\x59\xe1\x66\x8f\x24\x8c\x19\x6a\xe1\xc0\x22\xa1\x99\x95\x59\x54\x30\xfe\xa4", 210); *(uint8_t*)0x20006f68 = 9; *(uint8_t*)0x20006f69 = 5; *(uint8_t*)0x20006f6a = 0x87; *(uint8_t*)0x20006f6b = 3; *(uint16_t*)0x20006f6c = 8; *(uint8_t*)0x20006f6e = 0x80; *(uint8_t*)0x20006f6f = 7; *(uint8_t*)0x20006f70 = 6; *(uint8_t*)0x20006f71 = 0x56; *(uint8_t*)0x20006f72 = 4; memcpy((void*)0x20006f73, 
"\xf7\x8a\x35\x66\x75\xcf\xfa\x2d\xe9\x45\x39\x19\x4a\xfa\xb8\x60\x3f\xe5\xe4\x12\x02\x1b\xa9\x37\xdf\x8f\x49\x6c\xe2\xc0\x54\x31\x48\xf0\x9b\x19\xeb\xbc\x05\x09\x1f\xcc\x32\xe0\xbd\xde\x44\x1d\x7c\xca\xa5\xcc\x26\xfb\x69\x6b\xd6\x7b\x38\x30\xbf\x3e\x57\x30\xfb\x3f\xe5\xee\x89\x15\x6b\xd1\xd2\xfa\x10\x1e\x6c\x39\x06\x8a\xf8\xc2\xae\x87", 84); *(uint8_t*)0x20006fc7 = 9; *(uint8_t*)0x20006fc8 = 5; *(uint8_t*)0x20006fc9 = 0x89; *(uint8_t*)0x20006fca = 0; *(uint16_t*)0x20006fcb = 0x20; *(uint8_t*)0x20006fcd = 0x20; *(uint8_t*)0x20006fce = 0x81; *(uint8_t*)0x20006fcf = 8; *(uint8_t*)0x20006fd0 = 9; *(uint8_t*)0x20006fd1 = 5; *(uint8_t*)0x20006fd2 = 0xe; *(uint8_t*)0x20006fd3 = 3; *(uint16_t*)0x20006fd4 = 8; *(uint8_t*)0x20006fd6 = 1; *(uint8_t*)0x20006fd7 = 0x20; *(uint8_t*)0x20006fd8 = 2; *(uint8_t*)0x20006fd9 = 7; *(uint8_t*)0x20006fda = 0x25; *(uint8_t*)0x20006fdb = 1; *(uint8_t*)0x20006fdc = 2; *(uint8_t*)0x20006fdd = 0x43; *(uint16_t*)0x20006fde = 0x234; *(uint8_t*)0x20006fe0 = 9; *(uint8_t*)0x20006fe1 = 5; *(uint8_t*)0x20006fe2 = 2; *(uint8_t*)0x20006fe3 = 0; *(uint16_t*)0x20006fe4 = 0x3ff; *(uint8_t*)0x20006fe6 = 3; *(uint8_t*)0x20006fe7 = 5; *(uint8_t*)0x20006fe8 = 7; *(uint8_t*)0x20006fe9 = 0x34; *(uint8_t*)0x20006fea = 8; memcpy((void*)0x20006feb, "\xb6\xa1\x21\xb4\x6c\xab\xce\x4e\x36\x1f\x21\x04\xdc\xf2\x66\x3e\x40\x2e\xe0\x4f\xaa\x90\xdd\x18\xa9\x18\xe4\x64\x2e\xaa\x6a\x71\x61\x92\xf8\xbc\x32\xf3\x21\xce\x9e\xb5\x48\x90\x4d\x87\xd7\xbd\xad\x56", 50); *(uint8_t*)0x2000701d = 0xac; *(uint8_t*)0x2000701e = 0x30; memcpy((void*)0x2000701f, 
"\x1a\x5d\x30\xc7\xd1\x38\x43\xb0\x14\x69\x43\xb2\xe6\x76\x87\xf3\x14\x70\x19\xdb\x1c\xa1\xa3\xc7\xe4\x8d\x70\x0f\x65\x5b\xea\x7f\x42\x69\x2c\x5a\x87\xa6\xb9\x1d\x03\xa6\xd4\x90\x5f\xbb\x18\xb7\x60\x28\xc9\x02\xf7\xcc\x3f\x0c\x05\x6d\x87\xd0\xfb\xc1\x2f\x32\x15\x02\x22\xa7\xda\xd7\x02\x3b\xc4\x5a\xb2\x5c\x72\xaa\x3a\xd2\x6e\x8d\xfd\x8d\x36\x54\x64\x00\x38\x39\x6a\xa3\x55\xf0\x69\xf7\xa9\xe7\x62\xb8\x5d\xca\x0a\x81\xa7\xd7\xc3\x7d\x25\x9d\x0f\x2a\x63\x1a\x6a\xbc\x4e\x36\xfb\xa2\x01\xdc\x67\x7f\xc7\xb2\xc2\x81\x90\xe9\x15\x23\x55\x3c\xfb\x1b\xbf\x46\x2d\x9d\x05\x7c\x31\x91\x0a\xd3\x9c\x35\x7c\xd2\xdd\x1c\x3f\x22\xc6\x04\xad\x6c\x92\x3f\xae\xe4\xc1\x3d\xb3\xfe\x35\x03\x75\xcc", 170); *(uint8_t*)0x200070c9 = 9; *(uint8_t*)0x200070ca = 5; *(uint8_t*)0x200070cb = 0xc; *(uint8_t*)0x200070cc = 0; *(uint16_t*)0x200070cd = 0x10; *(uint8_t*)0x200070cf = 0x7f; *(uint8_t*)0x200070d0 = 0x56; *(uint8_t*)0x200070d1 = 0x83; *(uint8_t*)0x200070d2 = 9; *(uint8_t*)0x200070d3 = 5; *(uint8_t*)0x200070d4 = 0x47; *(uint8_t*)0x200070d5 = 0; *(uint16_t*)0x200070d6 = 0x3ff; *(uint8_t*)0x200070d8 = 0xbb; *(uint8_t*)0x200070d9 = 7; *(uint8_t*)0x200070da = 3; *(uint8_t*)0x200070db = 0x6b; *(uint8_t*)0x200070dc = 0x30; memcpy((void*)0x200070dd, "\x6a\x80\x65\xc0\xee\x1f\xa7\x2b\xb9\xfa\xb4\x98\xb5\x65\xe8\x56\x09\x0e\x0a\xd4\xcb\x9a\x07\x2e\x09\x95\x26\x4b\x93\x5b\xed\x49\x10\xdd\xe6\xe4\xa1\x1f\xf9\x37\x42\x38\x3c\xba\x0c\x51\xa1\xf1\xcf\x69\x5a\xa3\x94\xa5\xf4\x86\x83\x63\xe9\x86\x26\x05\x69\xba\x8b\xe8\x24\x37\xcc\x58\xdb\x1e\xe8\x8c\xe5\x10\x13\x08\x93\x8e\xdb\xd9\x82\x07\x54\x62\xcf\x0b\xba\x05\xbb\x0d\x7a\xe5\x50\x92\xa2\x86\x2e\xe6\xe6\x43\x0e\x22\xf7", 105); *(uint8_t*)0x20007146 = 0x41; *(uint8_t*)0x20007147 = 0x21; memcpy((void*)0x20007148, 
"\x0a\xcd\x9c\x77\x43\xc7\x50\x9f\x5e\xb8\x98\x78\x4f\x87\x67\xf3\x85\xa0\xe1\xc7\xf1\x02\xc9\xad\xca\xd6\xd8\x1f\xb4\x19\x3e\x88\xcb\x2f\x6c\x39\x36\xee\x2e\xf3\xda\xe6\x1f\x58\x32\x25\x93\xd9\xbe\xea\xfc\xc0\x91\x5c\x86\xfc\x3a\x72\xf0\x42\x6c\x83\xf3", 63); *(uint8_t*)0x20007187 = 9; *(uint8_t*)0x20007188 = 5; *(uint8_t*)0x20007189 = 6; *(uint8_t*)0x2000718a = 4; *(uint16_t*)0x2000718b = 0x400; *(uint8_t*)0x2000718d = 0x20; *(uint8_t*)0x2000718e = 0x74; *(uint8_t*)0x2000718f = 5; *(uint8_t*)0x20007190 = 9; *(uint8_t*)0x20007191 = 4; *(uint8_t*)0x20007192 = 0x26; *(uint8_t*)0x20007193 = 0xab; *(uint8_t*)0x20007194 = 5; *(uint8_t*)0x20007195 = 3; *(uint8_t*)0x20007196 = 0xf1; *(uint8_t*)0x20007197 = 0xcb; *(uint8_t*)0x20007198 = 9; *(uint8_t*)0x20007199 = 9; *(uint8_t*)0x2000719a = 5; *(uint8_t*)0x2000719b = 1; *(uint8_t*)0x2000719c = 0; *(uint16_t*)0x2000719d = 0x200; *(uint8_t*)0x2000719f = 5; *(uint8_t*)0x200071a0 = 1; *(uint8_t*)0x200071a1 = 1; *(uint8_t*)0x200071a2 = 9; *(uint8_t*)0x200071a3 = 5; *(uint8_t*)0x200071a4 = 0xb; *(uint8_t*)0x200071a5 = 4; *(uint16_t*)0x200071a6 = 0x20; *(uint8_t*)0x200071a8 = 1; *(uint8_t*)0x200071a9 = 2; *(uint8_t*)0x200071aa = 4; *(uint8_t*)0x200071ab = 0xda; *(uint8_t*)0x200071ac = 0x14; memcpy((void*)0x200071ad, 
"\x10\xf1\x6e\x37\x96\xfb\xe3\x35\xb5\x64\xb2\x94\x16\x03\x1e\x12\xd2\x6f\x4d\x53\xe2\x37\xca\x3c\xb1\xe0\x49\x17\x03\x35\xd6\x31\x43\x24\x69\xcf\x8e\x2b\x20\x7d\x62\x28\x3f\x3b\x91\xf4\xd6\x31\x54\xbc\xe3\x5f\xae\xb8\x7b\x51\xd3\x0b\x38\x87\x6c\x38\xb3\x1a\xcc\x34\x7b\xe6\x77\x93\xe5\x6a\x17\x84\xeb\x29\xa7\xdd\xab\x72\xe7\x36\xee\xcd\x3b\x4e\x98\xbc\xe7\xb1\x70\xab\x68\x7e\x6f\x31\xf5\xe9\xf3\xf9\x6e\x31\x03\x2d\x3b\xf9\x47\x6e\xef\x54\xf3\x54\xc6\xef\xc0\x0d\xa3\x9a\x69\x5e\xc1\xc0\x95\x25\x4c\xb4\x16\xbd\xc5\x74\xd4\xfb\x6a\xdb\xec\xa9\x9b\x77\x50\x8d\x6c\x6f\x79\x1c\x2c\xfc\x29\xae\x3e\xcc\xea\x73\xc1\x36\x27\xd9\x38\x07\xaf\x1a\x7d\x34\x92\x52\x0e\xd1\xf1\x53\x32\x7d\x85\x75\x37\xf5\x56\x29\x4b\xdd\xdd\x98\x8b\xae\x73\x22\x6a\x48\xc4\xca\xb9\x63\xd3\xd8\xc2\x26\x95\x1b\x21\xa7\xc3\x13\x8d\xe5\x5b\x8d\x0e\x1f\x0b\xcd\x77\x66\x3a\xe8\xbf\xe2\x0f\x44", 216); *(uint8_t*)0x20007285 = 7; *(uint8_t*)0x20007286 = 0x25; *(uint8_t*)0x20007287 = 1; *(uint8_t*)0x20007288 = 0x83; *(uint8_t*)0x20007289 = 5; *(uint16_t*)0x2000728a = 9; *(uint8_t*)0x2000728c = 9; *(uint8_t*)0x2000728d = 5; *(uint8_t*)0x2000728e = 5; *(uint8_t*)0x2000728f = 2; *(uint16_t*)0x20007290 = 0x40; *(uint8_t*)0x20007292 = 0x2c; *(uint8_t*)0x20007293 = 0xd4; *(uint8_t*)0x20007294 = 2; *(uint8_t*)0x20007295 = 7; *(uint8_t*)0x20007296 = 0x25; *(uint8_t*)0x20007297 = 1; *(uint8_t*)0x20007298 = 2; *(uint8_t*)0x20007299 = 3; *(uint16_t*)0x2000729a = 7; *(uint8_t*)0x2000729c = 9; *(uint8_t*)0x2000729d = 5; *(uint8_t*)0x2000729e = 0xa; *(uint8_t*)0x2000729f = 2; *(uint16_t*)0x200072a0 = 0x400; *(uint8_t*)0x200072a2 = 0xd0; *(uint8_t*)0x200072a3 = 1; *(uint8_t*)0x200072a4 = 6; *(uint8_t*)0x200072a5 = 9; *(uint8_t*)0x200072a6 = 5; *(uint8_t*)0x200072a7 = 0xe; *(uint8_t*)0x200072a8 = 8; *(uint16_t*)0x200072a9 = 0x40; *(uint8_t*)0x200072ab = 0x40; *(uint8_t*)0x200072ac = -1; *(uint8_t*)0x200072ad = 0xb0; *(uint8_t*)0x200072ae = 9; *(uint8_t*)0x200072af = 4; *(uint8_t*)0x200072b0 = 0x6c; *(uint8_t*)0x200072b1 = 
8; *(uint8_t*)0x200072b2 = 2; *(uint8_t*)0x200072b3 = 0x59; *(uint8_t*)0x200072b4 = 0x51; *(uint8_t*)0x200072b5 = 0xd5; *(uint8_t*)0x200072b6 = 1; *(uint8_t*)0x200072b7 = 8; *(uint8_t*)0x200072b8 = 0x24; *(uint8_t*)0x200072b9 = 6; *(uint8_t*)0x200072ba = 0; *(uint8_t*)0x200072bb = 1; memcpy((void*)0x200072bc, "\xb2\xbd\x60", 3); *(uint8_t*)0x200072bf = 5; *(uint8_t*)0x200072c0 = 0x24; *(uint8_t*)0x200072c1 = 0; *(uint16_t*)0x200072c2 = 5; *(uint8_t*)0x200072c4 = 0xd; *(uint8_t*)0x200072c5 = 0x24; *(uint8_t*)0x200072c6 = 0xf; *(uint8_t*)0x200072c7 = 1; *(uint32_t*)0x200072c8 = 0xfffffffd; *(uint16_t*)0x200072cc = 0xfff; *(uint16_t*)0x200072ce = 0x63; *(uint8_t*)0x200072d0 = 0xdb; *(uint8_t*)0x200072d1 = 6; *(uint8_t*)0x200072d2 = 0x24; *(uint8_t*)0x200072d3 = 0x1a; *(uint16_t*)0x200072d4 = 8; *(uint8_t*)0x200072d6 = 8; *(uint8_t*)0x200072d7 = 0xf7; *(uint8_t*)0x200072d8 = 0x24; *(uint8_t*)0x200072d9 = 0x13; *(uint8_t*)0x200072da = 0x19; memcpy((void*)0x200072db, "\x18\x9c\xde\xa8\x5c\x89\x2f\xe7\x36\xd9\x9d\x2a\xe8\x35\x70\x5d\xdc\x39\x07\x36\x3c\x57\xda\x1f\xc0\x03\x3a\xb2\x67\x42\x02\x2a\xb0\xaf\x75\x16\xc0\x54\x5f\x0f\xc3\xec\xaa\x07\x28\x22\x9f\x95\xfd\x5d\x2e\xbc\xe5\xc9\x8d\xbb\xa6\x22\x21\x53\xe2\xce\x70\xbf\xea\xd3\x2d\x5d\x59\x14\x6f\x0d\xd6\x79\x85\x20\x07\xb1\x3a\xc9\xd1\x6d\x48\xf9\x48\x4d\x61\x92\xe7\x9c\x88\x07\x9f\x8c\xd3\xbd\x1a\x37\x40\xf3\xa8\xf0\xfd\x1d\x57\xa1\x0b\xf4\x1c\xf8\xc4\x5a\x79\xab\x1a\x96\x9c\x9a\x6a\x83\xbf\x31\x57\x1b\xce\x54\x2e\x8f\xcf\xa6\x76\x1e\xbf\xa9\x24\xe1\xeb\x05\xd3\xaf\x5b\x36\x44\xc3\x04\x02\x80\xca\x59\x73\x7d\x89\xc0\xca\xa8\xbd\x9d\x56\xc9\x21\x78\xb8\x2b\x20\x78\xe4\x39\x75\xf1\x5e\x6f\x0b\x6f\xa1\xd0\xcd\x81\x95\x21\x15\x4d\x23\x6a\xa6\xa8\x5e\x50\xf3\xf0\x53\x1f\x61\x92\xe5\xc4\xba\x8a\x2d\x50\x6f\x74\x47\x80\x74\x7c\xbb\x9e\xe6\x72\x32\x98\xb7\x2b\x71\x3b\x52\xbe\x54\x83\x5f\xcc\x04\x90\x6c\x65\x8c\xe6\x1f\x16\xf9\x5a\x6c\x43\x79\x88\xdf\x23\x9c\x43\x0f\xf4\x7d\xb7", 243); *(uint8_t*)0x200073ce = 6; 
*(uint8_t*)0x200073cf = 0x24; *(uint8_t*)0x200073d0 = 6; *(uint8_t*)0x200073d1 = 0; *(uint8_t*)0x200073d2 = 0; memset((void*)0x200073d3, 163, 1); *(uint8_t*)0x200073d4 = 5; *(uint8_t*)0x200073d5 = 0x24; *(uint8_t*)0x200073d6 = 0; *(uint16_t*)0x200073d7 = 0xf85b; *(uint8_t*)0x200073d9 = 0xd; *(uint8_t*)0x200073da = 0x24; *(uint8_t*)0x200073db = 0xf; *(uint8_t*)0x200073dc = 1; *(uint32_t*)0x200073dd = 0; *(uint16_t*)0x200073e1 = 7; *(uint16_t*)0x200073e3 = 2; *(uint8_t*)0x200073e5 = 0x40; *(uint8_t*)0x200073e6 = 9; *(uint8_t*)0x200073e7 = 5; *(uint8_t*)0x200073e8 = 0xf; *(uint8_t*)0x200073e9 = 4; *(uint16_t*)0x200073ea = 0; *(uint8_t*)0x200073ec = 0x81; *(uint8_t*)0x200073ed = 0xe8; *(uint8_t*)0x200073ee = 2; *(uint8_t*)0x200073ef = 7; *(uint8_t*)0x200073f0 = 0x25; *(uint8_t*)0x200073f1 = 1; *(uint8_t*)0x200073f2 = 0; *(uint8_t*)0x200073f3 = 0x51; *(uint16_t*)0x200073f4 = 0xbf81; *(uint8_t*)0x200073f6 = 7; *(uint8_t*)0x200073f7 = 0x25; *(uint8_t*)0x200073f8 = 1; *(uint8_t*)0x200073f9 = 0x80; *(uint8_t*)0x200073fa = 0xb; *(uint16_t*)0x200073fb = 0x8001; *(uint8_t*)0x200073fd = 9; *(uint8_t*)0x200073fe = 5; *(uint8_t*)0x200073ff = 6; *(uint8_t*)0x20007400 = 0; *(uint16_t*)0x20007401 = 0x10; *(uint8_t*)0x20007403 = 0x7f; *(uint8_t*)0x20007404 = 0; *(uint8_t*)0x20007405 = 0x80; *(uint8_t*)0x20007406 = 0x28; *(uint8_t*)0x20007407 = 0xa; memcpy((void*)0x20007408, "\x61\xdf\x67\xa6\x24\x85\x90\x52\xdf\x59\x3a\x22\x58\xbc\x97\x0f\xe4\x30\x4a\x8f\x89\x9a\xc0\x40\xd9\xfc\x35\x0e\xd5\xe6\x36\x60\xa7\x6a\x96\xae\xa7\xa3", 38); *(uint32_t*)0x200076c0 = 0xa; *(uint32_t*)0x200076c4 = 0x20007440; *(uint8_t*)0x20007440 = 0xa; *(uint8_t*)0x20007441 = 6; *(uint16_t*)0x20007442 = 0x300; *(uint8_t*)0x20007444 = 8; *(uint8_t*)0x20007445 = 1; *(uint8_t*)0x20007446 = 9; *(uint8_t*)0x20007447 = 8; *(uint8_t*)0x20007448 = 0x81; *(uint8_t*)0x20007449 = 0; *(uint32_t*)0x200076c8 = 0x133; *(uint32_t*)0x200076cc = 0x20007480; *(uint8_t*)0x20007480 = 5; *(uint8_t*)0x20007481 = 0xf; 
*(uint16_t*)0x20007482 = 0x133; *(uint8_t*)0x20007484 = 6; *(uint8_t*)0x20007485 = 0xb; *(uint8_t*)0x20007486 = 0x10; *(uint8_t*)0x20007487 = 1; *(uint8_t*)0x20007488 = 2; *(uint16_t*)0x20007489 = 0x74; *(uint8_t*)0x2000748b = -1; *(uint8_t*)0x2000748c = -1; *(uint16_t*)0x2000748d = 0; *(uint8_t*)0x2000748f = 7; *(uint8_t*)0x20007490 = 0xb; *(uint8_t*)0x20007491 = 0x10; *(uint8_t*)0x20007492 = 1; *(uint8_t*)0x20007493 = 8; *(uint16_t*)0x20007494 = 0x43; *(uint8_t*)0x20007496 = 4; *(uint8_t*)0x20007497 = 3; *(uint16_t*)0x20007498 = 6; *(uint8_t*)0x2000749a = 0x21; *(uint8_t*)0x2000749b = 7; *(uint8_t*)0x2000749c = 0x10; *(uint8_t*)0x2000749d = 2; STORE_BY_BITMASK(uint32_t, , 0x2000749e, 0xa, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000749f, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200074a0, 0x3b4d, 0, 16); *(uint8_t*)0x200074a2 = 0xb; *(uint8_t*)0x200074a3 = 0x10; *(uint8_t*)0x200074a4 = 1; *(uint8_t*)0x200074a5 = 0; *(uint16_t*)0x200074a6 = 0x2c; *(uint8_t*)0x200074a8 = 7; *(uint8_t*)0x200074a9 = 2; *(uint16_t*)0x200074aa = 1; *(uint8_t*)0x200074ac = 0x2f; *(uint8_t*)0x200074ad = 3; *(uint8_t*)0x200074ae = 0x10; *(uint8_t*)0x200074af = 0xb; *(uint8_t*)0x200074b0 = 3; *(uint8_t*)0x200074b1 = 0x10; *(uint8_t*)0x200074b2 = 3; memcpy((void*)0x200074b3, 
"\xb3\x5e\x85\x2c\x50\x01\x47\x88\x0f\xa2\xf6\xdc\xc5\xd4\xe1\x6a\x59\xdf\x9b\xff\x5d\x44\xac\x9f\x66\x80\xa3\x1b\x1e\xbc\xe7\xf4\xd4\xaf\xe6\xd2\xae\x93\xf6\xee\xe7\x9b\x70\x3b\x03\xf7\xa0\xeb\xea\x72\xbd\xc3\xca\x70\xde\xd4\x50\xbe\xde\xc4\x2d\x31\xbe\xce\xd3\x62\x5c\x6b\xfa\x5d\xc9\x89\x7b\x68\xa4\xe8\xb1\xa5\x4b\x94\x44\xb8\x5a\x77\xd5\x2e\xfe\xa0\x2e\x84\x04\x5a\x2c\x51\xaf\x22\x59\x6a\x4c\x59\xa4\x3c\x59\x0c\x4d\x13\x69\xd2\x29\xdb\x0f\x22\x8b\x73\x9b\x41\x41\x9c\x00\x70\x82\x19\xac\x07\x58\x5d\xca\xde\xd8\x82\x0f\x6f\xe0\xb3\x5e\x74\x96\xca\x59\xeb\xd9\x3c\x1c\xfb\xec\xa8\x66\x69\x28\x61\x3f\xb0\x84\xcb\x1a\xd9\x30\xcf\xed\x80\xa0\x24\xb8\x03\xfc\x94\x96\x7f\x08\xd7\x31\xd0\x64\x7c\xee\x07\x3e\x55\x84\x4b\x99\x78\xae\x60\x35\x86\x5f\xd9\x89\x91\xfb\x7a\x5f\xa3\xf0\x05\x29\xe8\x1f\x1d\x3b\x85\x3a\x0d\xb0\x41\xea\xa3\x77\x7b\xa1\x0f\xe7\x53\x67\x4a\x69\x8c\xd3\x89\xbf\x5b\xca\x62\x6c\xb8\xc7\xbf\x9b\x71\x15\x0d\x57\x2d\x07\xd9\xa1\x18\x55\xa4\x19\xfb\x02\x12\xd9\xa5\xbf\x2c\x33\x60\x35\x7c\xf9\x42\x51\x1f", 256); *(uint32_t*)0x200076d0 = 2; *(uint32_t*)0x200076d4 = 0x97; *(uint32_t*)0x200076d8 = 0x200075c0; *(uint8_t*)0x200075c0 = 0x97; *(uint8_t*)0x200075c1 = 3; memcpy((void*)0x200075c2, "\x79\x53\x36\x52\x48\x59\x08\x84\x74\x50\xe4\x34\xba\xbd\x9e\x7b\x78\x39\x25\xf4\x78\xb3\xb3\x5c\x0a\x4e\x6a\xa0\xa1\xe8\xf7\x8e\x37\xf1\xd5\x66\x6f\xe8\x7b\x28\xdf\x9b\x77\x34\xfd\xd1\x41\xb3\xc7\x8a\x19\x03\x1e\xff\xd7\x29\xa3\x6c\x0c\xf9\xfa\xe5\xc5\x89\xa1\xa9\x88\x6b\x78\xf6\x6c\x73\x91\xbd\x44\x3c\xc6\xb3\xab\x5b\x4a\xcd\xeb\x5a\xcf\x4a\x0d\x36\x35\x9e\x74\x9d\xf3\x7c\xcf\x92\xc5\x0e\x84\x5f\xce\x93\xe4\xc6\x11\xf0\xfb\x55\x9f\x5b\x2f\x8b\x72\xba\xb3\xb8\xa9\x17\x79\xcd\x78\x20\x4d\x67\xa1\x83\x18\x75\x60\xeb\x91\x2c\x0f\x9d\xd2\x7f\x40\x2f\x1d\xec\xdc\x61\x44\x4d\x37\x02\xbf\x05\xcf", 149); *(uint32_t*)0x200076dc = 4; *(uint32_t*)0x200076e0 = 0x20007680; *(uint8_t*)0x20007680 = 4; *(uint8_t*)0x20007681 = 3; *(uint16_t*)0x20007682 = 0x4ff; syz_usb_connect(5, 0x72e, 
0x20006d00, 0x200076c0); break; case 42: *(uint8_t*)0x20007700 = 0x12; *(uint8_t*)0x20007701 = 1; *(uint16_t*)0x20007702 = 0x200; *(uint8_t*)0x20007704 = -1; *(uint8_t*)0x20007705 = -1; *(uint8_t*)0x20007706 = -1; *(uint8_t*)0x20007707 = 0x40; *(uint16_t*)0x20007708 = 0xcf3; *(uint16_t*)0x2000770a = 0x9271; *(uint16_t*)0x2000770c = 0x108; *(uint8_t*)0x2000770e = 1; *(uint8_t*)0x2000770f = 2; *(uint8_t*)0x20007710 = 3; *(uint8_t*)0x20007711 = 1; *(uint8_t*)0x20007712 = 9; *(uint8_t*)0x20007713 = 2; *(uint16_t*)0x20007714 = 0x48; *(uint8_t*)0x20007716 = 1; *(uint8_t*)0x20007717 = 1; *(uint8_t*)0x20007718 = 0; *(uint8_t*)0x20007719 = 0x80; *(uint8_t*)0x2000771a = 0xfa; *(uint8_t*)0x2000771b = 9; *(uint8_t*)0x2000771c = 4; *(uint8_t*)0x2000771d = 0; *(uint8_t*)0x2000771e = 0; *(uint8_t*)0x2000771f = 6; *(uint8_t*)0x20007720 = -1; *(uint8_t*)0x20007721 = 0; *(uint8_t*)0x20007722 = 0; *(uint8_t*)0x20007723 = 0; *(uint8_t*)0x20007724 = 9; *(uint8_t*)0x20007725 = 5; *(uint8_t*)0x20007726 = 1; *(uint8_t*)0x20007727 = 2; *(uint16_t*)0x20007728 = 0x200; *(uint8_t*)0x2000772a = 0; *(uint8_t*)0x2000772b = 0; *(uint8_t*)0x2000772c = 0; *(uint8_t*)0x2000772d = 9; *(uint8_t*)0x2000772e = 5; *(uint8_t*)0x2000772f = 0x82; *(uint8_t*)0x20007730 = 2; *(uint16_t*)0x20007731 = 0x200; *(uint8_t*)0x20007733 = 0; *(uint8_t*)0x20007734 = 0; *(uint8_t*)0x20007735 = 0; *(uint8_t*)0x20007736 = 9; *(uint8_t*)0x20007737 = 5; *(uint8_t*)0x20007738 = 0x83; *(uint8_t*)0x20007739 = 3; *(uint16_t*)0x2000773a = 0x40; *(uint8_t*)0x2000773c = 1; *(uint8_t*)0x2000773d = 0; *(uint8_t*)0x2000773e = 0; *(uint8_t*)0x2000773f = 9; *(uint8_t*)0x20007740 = 5; *(uint8_t*)0x20007741 = 4; *(uint8_t*)0x20007742 = 3; *(uint16_t*)0x20007743 = 0x40; *(uint8_t*)0x20007745 = 1; *(uint8_t*)0x20007746 = 0; *(uint8_t*)0x20007747 = 0; *(uint8_t*)0x20007748 = 9; *(uint8_t*)0x20007749 = 5; *(uint8_t*)0x2000774a = 5; *(uint8_t*)0x2000774b = 2; *(uint16_t*)0x2000774c = 0x200; *(uint8_t*)0x2000774e = 0; *(uint8_t*)0x2000774f = 
0; *(uint8_t*)0x20007750 = 0; *(uint8_t*)0x20007751 = 9; *(uint8_t*)0x20007752 = 5; *(uint8_t*)0x20007753 = 6; *(uint8_t*)0x20007754 = 2; *(uint16_t*)0x20007755 = 0x200; *(uint8_t*)0x20007757 = 0; *(uint8_t*)0x20007758 = 0; *(uint8_t*)0x20007759 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007700, 0); if (res != -1) r[22] = res; break; case 43: *(uint32_t*)0x20007900 = 0x18; *(uint32_t*)0x20007904 = 0x20007780; *(uint8_t*)0x20007780 = 0x40; *(uint8_t*)0x20007781 = 0x22; *(uint32_t*)0x20007782 = 0x1f; *(uint8_t*)0x20007786 = 0x1f; *(uint8_t*)0x20007787 = 0x22; memcpy((void*)0x20007788, "\xa7\x84\x14\x03\xaf\xd7\xdd\xbd\xb6\xce\x9d\xac\xfb\x6c\xdb\xe2\x9f\xbe\x4e\x58\xb5\x5f\xec\x11\x7d\xe5\x6e\xd6\xa5", 29); *(uint32_t*)0x20007908 = 0x200077c0; *(uint8_t*)0x200077c0 = 0; *(uint8_t*)0x200077c1 = 3; *(uint32_t*)0x200077c2 = 0x5a; *(uint8_t*)0x200077c6 = 0x5a; *(uint8_t*)0x200077c7 = 3; memcpy((void*)0x200077c8, "\xb5\x1f\xa7\x5c\xe1\x57\x5d\xa7\x9a\xa4\x1f\xd1\x55\x72\x84\x98\xbc\x7e\x4f\x85\xd1\x9d\x23\x94\x31\x4e\x63\x81\xf5\xe6\xb0\xe7\x86\xc3\xff\x70\x5c\xb7\x18\x44\x87\xf3\x50\x94\x03\x01\x78\xbc\x29\x1a\x39\x80\xfa\x0b\x83\x90\x8b\x7f\xe1\xcb\x24\x59\xda\xa1\x30\x8f\xa2\xfb\xda\x94\xa9\x8c\xa7\x13\x4b\xc9\x86\x48\x7b\xae\x15\x76\x66\x36\xe0\x85\x2c\x7a", 88); *(uint32_t*)0x2000790c = 0x20007840; *(uint8_t*)0x20007840 = 0; *(uint8_t*)0x20007841 = 0xf; *(uint32_t*)0x20007842 = 0x1b; *(uint8_t*)0x20007846 = 5; *(uint8_t*)0x20007847 = 0xf; *(uint16_t*)0x20007848 = 0x1b; *(uint8_t*)0x2000784a = 2; *(uint8_t*)0x2000784b = 0xb; *(uint8_t*)0x2000784c = 0x10; *(uint8_t*)0x2000784d = 1; *(uint8_t*)0x2000784e = 0xc; *(uint16_t*)0x2000784f = 0x82; *(uint8_t*)0x20007851 = 0; *(uint8_t*)0x20007852 = 0x85; *(uint16_t*)0x20007853 = 8; *(uint8_t*)0x20007855 = 1; *(uint8_t*)0x20007856 = 0xb; *(uint8_t*)0x20007857 = 0x10; *(uint8_t*)0x20007858 = 1; *(uint8_t*)0x20007859 = 0xc; *(uint16_t*)0x2000785a = 0x48; *(uint8_t*)0x2000785c = 0; *(uint8_t*)0x2000785d = 0x80; 
*(uint16_t*)0x2000785e = 0xfffa; *(uint8_t*)0x20007860 = 0x81; *(uint32_t*)0x20007910 = 0x20007880; *(uint8_t*)0x20007880 = 0x20; *(uint8_t*)0x20007881 = 0x29; *(uint32_t*)0x20007882 = 0xf; *(uint8_t*)0x20007886 = 0xf; *(uint8_t*)0x20007887 = 0x29; *(uint8_t*)0x20007888 = 9; *(uint16_t*)0x20007889 = 2; *(uint8_t*)0x2000788b = 4; *(uint8_t*)0x2000788c = 2; memcpy((void*)0x2000788d, "\x7e\x46\x1a\xb4", 4); memcpy((void*)0x20007891, "gg]\a", 4); *(uint32_t*)0x20007914 = 0x200078c0; *(uint8_t*)0x200078c0 = 0x20; *(uint8_t*)0x200078c1 = 0x2a; *(uint32_t*)0x200078c2 = 0xc; *(uint8_t*)0x200078c6 = 0xc; *(uint8_t*)0x200078c7 = 0x2a; *(uint8_t*)0x200078c8 = 9; *(uint16_t*)0x200078c9 = 3; *(uint8_t*)0x200078cb = 0x3f; *(uint8_t*)0x200078cc = 0x20; *(uint8_t*)0x200078cd = 0x40; *(uint16_t*)0x200078ce = 0; *(uint16_t*)0x200078d0 = 0xef; *(uint32_t*)0x20007dc0 = 0x44; *(uint32_t*)0x20007dc4 = 0x20007940; *(uint8_t*)0x20007940 = 0x40; *(uint8_t*)0x20007941 = 0xc; *(uint32_t*)0x20007942 = 0xb6; memcpy((void*)0x20007946, "\xdf\x1d\x88\x07\xad\xaa\x37\x6e\xc1\x64\xfe\x68\x6f\x79\x1f\xc7\x26\x8a\x85\xc4\x68\x00\x84\x23\xc3\x5b\xf0\xda\x6f\x10\xce\x0b\x3c\x7f\x80\xe6\x73\x52\xd8\x06\x3e\x95\x24\xfb\x3d\x91\xa1\xd4\x42\xb8\x5d\x35\x12\x88\xc6\x0b\xad\xef\x73\x69\x49\x4e\xfa\x50\x12\x97\x89\x30\xb8\x81\x7b\xb1\x3f\xba\x0f\x30\x74\x16\x86\x14\x57\x22\x13\x22\x13\x60\x27\xa9\x86\x82\xf3\xa5\xc9\x18\x06\xd4\x90\xc5\x1e\xf5\x1c\xe6\xc9\xe9\xc8\x08\x7e\x54\x7f\xc2\xcf\xe5\x67\xbf\xbf\x3e\x65\xf9\x7c\x5e\x79\xd6\x87\x06\x92\x2d\x2c\x08\x4e\xe8\x94\xea\xf1\x2a\x3c\x0b\x2e\x1e\xf8\x94\xdf\xf8\x6d\x07\x92\xfd\x11\xf5\x15\x2f\x67\x32\x1b\x9d\xb3\x6a\x02\xb7\xb0\x93\x5e\x74\x24\xcb\xd6\xb2\x86\xc5\x5c\x8c\xf0\xf0\xf4\x94\x9f\xd2\x1b\x22\x67\x5e\xb0\x60", 182); *(uint32_t*)0x20007dc8 = 0x20007a00; *(uint8_t*)0x20007a00 = 0; *(uint8_t*)0x20007a01 = 0xa; *(uint32_t*)0x20007a02 = 1; *(uint8_t*)0x20007a06 = 9; *(uint32_t*)0x20007dcc = 0x20007a40; *(uint8_t*)0x20007a40 = 0; *(uint8_t*)0x20007a41 = 8; 
*(uint32_t*)0x20007a42 = 1; *(uint8_t*)0x20007a46 = 6; *(uint32_t*)0x20007dd0 = 0x20007a80; *(uint8_t*)0x20007a80 = 0x20; *(uint8_t*)0x20007a81 = 0; *(uint32_t*)0x20007a82 = 4; *(uint16_t*)0x20007a86 = 1; *(uint16_t*)0x20007a88 = 3; *(uint32_t*)0x20007dd4 = 0x20007ac0; *(uint8_t*)0x20007ac0 = 0x20; *(uint8_t*)0x20007ac1 = 0; *(uint32_t*)0x20007ac2 = 4; *(uint16_t*)0x20007ac6 = 0x160; *(uint16_t*)0x20007ac8 = 1; *(uint32_t*)0x20007dd8 = 0x20007b00; *(uint8_t*)0x20007b00 = 0x40; *(uint8_t*)0x20007b01 = 7; *(uint32_t*)0x20007b02 = 2; *(uint16_t*)0x20007b06 = 3; *(uint32_t*)0x20007ddc = 0x20007b40; *(uint8_t*)0x20007b40 = 0x40; *(uint8_t*)0x20007b41 = 9; *(uint32_t*)0x20007b42 = 1; *(uint8_t*)0x20007b46 = 3; *(uint32_t*)0x20007de0 = 0x20007b80; *(uint8_t*)0x20007b80 = 0x40; *(uint8_t*)0x20007b81 = 0xb; *(uint32_t*)0x20007b82 = 2; memcpy((void*)0x20007b86, "\x9e\xfe", 2); *(uint32_t*)0x20007de4 = 0x20007bc0; *(uint8_t*)0x20007bc0 = 0x40; *(uint8_t*)0x20007bc1 = 0xf; *(uint32_t*)0x20007bc2 = 2; *(uint16_t*)0x20007bc6 = 4; *(uint32_t*)0x20007de8 = 0x20007c00; *(uint8_t*)0x20007c00 = 0x40; *(uint8_t*)0x20007c01 = 0x13; *(uint32_t*)0x20007c02 = 6; memset((void*)0x20007c06, 0, 6); *(uint32_t*)0x20007dec = 0x20007c40; *(uint8_t*)0x20007c40 = 0x40; *(uint8_t*)0x20007c41 = 0x17; *(uint32_t*)0x20007c42 = 6; memset((void*)0x20007c46, 170, 5); *(uint8_t*)0x20007c4b = 0xbb; *(uint32_t*)0x20007df0 = 0x20007c80; *(uint8_t*)0x20007c80 = 0x40; *(uint8_t*)0x20007c81 = 0x19; *(uint32_t*)0x20007c82 = 2; memcpy((void*)0x20007c86, "vw", 2); *(uint32_t*)0x20007df4 = 0x20007cc0; *(uint8_t*)0x20007cc0 = 0x40; *(uint8_t*)0x20007cc1 = 0x1a; *(uint32_t*)0x20007cc2 = 2; *(uint16_t*)0x20007cc6 = 1; *(uint32_t*)0x20007df8 = 0x20007d00; *(uint8_t*)0x20007d00 = 0x40; *(uint8_t*)0x20007d01 = 0x1c; *(uint32_t*)0x20007d02 = 1; *(uint8_t*)0x20007d06 = 6; *(uint32_t*)0x20007dfc = 0x20007d40; *(uint8_t*)0x20007d40 = 0x40; *(uint8_t*)0x20007d41 = 0x1e; *(uint32_t*)0x20007d42 = 1; *(uint8_t*)0x20007d46 = 
0x7e; *(uint32_t*)0x20007e00 = 0x20007d80; *(uint8_t*)0x20007d80 = 0x40; *(uint8_t*)0x20007d81 = 0x21; *(uint32_t*)0x20007d82 = 1; *(uint8_t*)0x20007d86 = 2; syz_usb_control_io(r[22], 0x20007900, 0x20007dc0); break; case 44: *(uint8_t*)0x20007e40 = 0x12; *(uint8_t*)0x20007e41 = 1; *(uint16_t*)0x20007e42 = 0x200; *(uint8_t*)0x20007e44 = -1; *(uint8_t*)0x20007e45 = -1; *(uint8_t*)0x20007e46 = -1; *(uint8_t*)0x20007e47 = 0x40; *(uint16_t*)0x20007e48 = 0xcf3; *(uint16_t*)0x20007e4a = 0x9271; *(uint16_t*)0x20007e4c = 0x108; *(uint8_t*)0x20007e4e = 1; *(uint8_t*)0x20007e4f = 2; *(uint8_t*)0x20007e50 = 3; *(uint8_t*)0x20007e51 = 1; *(uint8_t*)0x20007e52 = 9; *(uint8_t*)0x20007e53 = 2; *(uint16_t*)0x20007e54 = 0x48; *(uint8_t*)0x20007e56 = 1; *(uint8_t*)0x20007e57 = 1; *(uint8_t*)0x20007e58 = 0; *(uint8_t*)0x20007e59 = 0x80; *(uint8_t*)0x20007e5a = 0xfa; *(uint8_t*)0x20007e5b = 9; *(uint8_t*)0x20007e5c = 4; *(uint8_t*)0x20007e5d = 0; *(uint8_t*)0x20007e5e = 0; *(uint8_t*)0x20007e5f = 6; *(uint8_t*)0x20007e60 = -1; *(uint8_t*)0x20007e61 = 0; *(uint8_t*)0x20007e62 = 0; *(uint8_t*)0x20007e63 = 0; *(uint8_t*)0x20007e64 = 9; *(uint8_t*)0x20007e65 = 5; *(uint8_t*)0x20007e66 = 1; *(uint8_t*)0x20007e67 = 2; *(uint16_t*)0x20007e68 = 0x200; *(uint8_t*)0x20007e6a = 0; *(uint8_t*)0x20007e6b = 0; *(uint8_t*)0x20007e6c = 0; *(uint8_t*)0x20007e6d = 9; *(uint8_t*)0x20007e6e = 5; *(uint8_t*)0x20007e6f = 0x82; *(uint8_t*)0x20007e70 = 2; *(uint16_t*)0x20007e71 = 0x200; *(uint8_t*)0x20007e73 = 0; *(uint8_t*)0x20007e74 = 0; *(uint8_t*)0x20007e75 = 0; *(uint8_t*)0x20007e76 = 9; *(uint8_t*)0x20007e77 = 5; *(uint8_t*)0x20007e78 = 0x83; *(uint8_t*)0x20007e79 = 3; *(uint16_t*)0x20007e7a = 0x40; *(uint8_t*)0x20007e7c = 1; *(uint8_t*)0x20007e7d = 0; *(uint8_t*)0x20007e7e = 0; *(uint8_t*)0x20007e7f = 9; *(uint8_t*)0x20007e80 = 5; *(uint8_t*)0x20007e81 = 4; *(uint8_t*)0x20007e82 = 3; *(uint16_t*)0x20007e83 = 0x40; *(uint8_t*)0x20007e85 = 1; *(uint8_t*)0x20007e86 = 0; *(uint8_t*)0x20007e87 = 0; 
*(uint8_t*)0x20007e88 = 9; *(uint8_t*)0x20007e89 = 5; *(uint8_t*)0x20007e8a = 5; *(uint8_t*)0x20007e8b = 2; *(uint16_t*)0x20007e8c = 0x200; *(uint8_t*)0x20007e8e = 0; *(uint8_t*)0x20007e8f = 0; *(uint8_t*)0x20007e90 = 0; *(uint8_t*)0x20007e91 = 9; *(uint8_t*)0x20007e92 = 5; *(uint8_t*)0x20007e93 = 6; *(uint8_t*)0x20007e94 = 2; *(uint16_t*)0x20007e95 = 0x200; *(uint8_t*)0x20007e97 = 0; *(uint8_t*)0x20007e98 = 0; *(uint8_t*)0x20007e99 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x20007e40, 0); if (res != -1) r[23] = res; break; case 45: syz_usb_disconnect(r[23]); break; case 46: *(uint8_t*)0x20007ec0 = 0x12; *(uint8_t*)0x20007ec1 = 1; *(uint16_t*)0x20007ec2 = 0x389; *(uint8_t*)0x20007ec4 = 2; *(uint8_t*)0x20007ec5 = 0; *(uint8_t*)0x20007ec6 = 0; *(uint8_t*)0x20007ec7 = 0x70; *(uint16_t*)0x20007ec8 = 0x525; *(uint16_t*)0x20007eca = 0xa4a1; *(uint16_t*)0x20007ecc = 0x40; *(uint8_t*)0x20007ece = 1; *(uint8_t*)0x20007ecf = 2; *(uint8_t*)0x20007ed0 = 3; *(uint8_t*)0x20007ed1 = 1; *(uint8_t*)0x20007ed2 = 9; *(uint8_t*)0x20007ed3 = 2; *(uint16_t*)0x20007ed4 = 0x6a; *(uint8_t*)0x20007ed6 = 2; *(uint8_t*)0x20007ed7 = 1; *(uint8_t*)0x20007ed8 = -1; *(uint8_t*)0x20007ed9 = 0x90; *(uint8_t*)0x20007eda = 5; *(uint8_t*)0x20007edb = 9; *(uint8_t*)0x20007edc = 4; *(uint8_t*)0x20007edd = 0; *(uint8_t*)0x20007ede = 0; *(uint8_t*)0x20007edf = 1; *(uint8_t*)0x20007ee0 = 2; *(uint8_t*)0x20007ee1 = 0xd; *(uint8_t*)0x20007ee2 = 0; *(uint8_t*)0x20007ee3 = 0; *(uint8_t*)0x20007ee4 = 6; *(uint8_t*)0x20007ee5 = 0x24; *(uint8_t*)0x20007ee6 = 6; *(uint8_t*)0x20007ee7 = 0; *(uint8_t*)0x20007ee8 = 1; memset((void*)0x20007ee9, 166, 1); *(uint8_t*)0x20007eea = 5; *(uint8_t*)0x20007eeb = 0x24; *(uint8_t*)0x20007eec = 0; *(uint16_t*)0x20007eed = 8; *(uint8_t*)0x20007eef = 0xd; *(uint8_t*)0x20007ef0 = 0x24; *(uint8_t*)0x20007ef1 = 0xf; *(uint8_t*)0x20007ef2 = 1; *(uint32_t*)0x20007ef3 = 0x9ff; *(uint16_t*)0x20007ef7 = 0x6000; *(uint16_t*)0x20007ef9 = 5; *(uint8_t*)0x20007efb = 0xb5; 
*(uint8_t*)0x20007efc = 6; *(uint8_t*)0x20007efd = 0x24; *(uint8_t*)0x20007efe = 0x1a; *(uint16_t*)0x20007eff = 0xdd; *(uint8_t*)0x20007f01 = 0x32; *(uint8_t*)0x20007f02 = 5; *(uint8_t*)0x20007f03 = 0x24; *(uint8_t*)0x20007f04 = 1; *(uint8_t*)0x20007f05 = 2; *(uint8_t*)0x20007f06 = 0x95; *(uint8_t*)0x20007f07 = 8; *(uint8_t*)0x20007f08 = 0x24; *(uint8_t*)0x20007f09 = 0x1c; *(uint16_t*)0x20007f0a = 7; *(uint8_t*)0x20007f0c = 0x40; *(uint16_t*)0x20007f0d = 1; *(uint8_t*)0x20007f0f = 9; *(uint8_t*)0x20007f10 = 5; *(uint8_t*)0x20007f11 = 0x81; *(uint8_t*)0x20007f12 = 3; *(uint16_t*)0x20007f13 = 0x10; *(uint8_t*)0x20007f15 = 0x21; *(uint8_t*)0x20007f16 = 2; *(uint8_t*)0x20007f17 = 0xc4; *(uint8_t*)0x20007f18 = 9; *(uint8_t*)0x20007f19 = 4; *(uint8_t*)0x20007f1a = 1; *(uint8_t*)0x20007f1b = 0; *(uint8_t*)0x20007f1c = 0; *(uint8_t*)0x20007f1d = 2; *(uint8_t*)0x20007f1e = 0xd; *(uint8_t*)0x20007f1f = 0; *(uint8_t*)0x20007f20 = 0; *(uint8_t*)0x20007f21 = 9; *(uint8_t*)0x20007f22 = 4; *(uint8_t*)0x20007f23 = 1; *(uint8_t*)0x20007f24 = 1; *(uint8_t*)0x20007f25 = 2; *(uint8_t*)0x20007f26 = 2; *(uint8_t*)0x20007f27 = 0xd; *(uint8_t*)0x20007f28 = 0; *(uint8_t*)0x20007f29 = 0; *(uint8_t*)0x20007f2a = 9; *(uint8_t*)0x20007f2b = 5; *(uint8_t*)0x20007f2c = 0x82; *(uint8_t*)0x20007f2d = 2; *(uint16_t*)0x20007f2e = 8; *(uint8_t*)0x20007f30 = 1; *(uint8_t*)0x20007f31 = 1; *(uint8_t*)0x20007f32 = 0x4e; *(uint8_t*)0x20007f33 = 9; *(uint8_t*)0x20007f34 = 5; *(uint8_t*)0x20007f35 = 3; *(uint8_t*)0x20007f36 = 2; *(uint16_t*)0x20007f37 = 8; *(uint8_t*)0x20007f39 = 0x81; *(uint8_t*)0x20007f3a = 9; *(uint8_t*)0x20007f3b = 0x48; *(uint32_t*)0x20008280 = 0xa; *(uint32_t*)0x20008284 = 0x20007f40; *(uint8_t*)0x20007f40 = 0xa; *(uint8_t*)0x20007f41 = 6; *(uint16_t*)0x20007f42 = 0x200; *(uint8_t*)0x20007f44 = 3; *(uint8_t*)0x20007f45 = 0x40; *(uint8_t*)0x20007f46 = 1; *(uint8_t*)0x20007f47 = 0x40; *(uint8_t*)0x20007f48 = 0x68; *(uint8_t*)0x20007f49 = 0; *(uint32_t*)0x20008288 = 0x72; 
*(uint32_t*)0x2000828c = 0x20007f80; *(uint8_t*)0x20007f80 = 5; *(uint8_t*)0x20007f81 = 0xf; *(uint16_t*)0x20007f82 = 0x72; *(uint8_t*)0x20007f84 = 6; *(uint8_t*)0x20007f85 = 0x20; *(uint8_t*)0x20007f86 = 0x10; *(uint8_t*)0x20007f87 = 0xa; *(uint8_t*)0x20007f88 = 0x7f; STORE_BY_BITMASK(uint32_t, , 0x20007f89, 5, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007f89, 4, 5, 27); *(uint16_t*)0x20007f8d = 0; *(uint16_t*)0x20007f8f = 0x101; *(uint32_t*)0x20007f91 = 0xf; *(uint32_t*)0x20007f95 = 0xc000; *(uint32_t*)0x20007f99 = 0x4100; *(uint32_t*)0x20007f9d = 0xc000; *(uint32_t*)0x20007fa1 = 0; *(uint8_t*)0x20007fa5 = 0x18; *(uint8_t*)0x20007fa6 = 0x10; *(uint8_t*)0x20007fa7 = 0xa; *(uint8_t*)0x20007fa8 = 5; STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fa9, 0x3f, 5, 27); *(uint16_t*)0x20007fad = 0xf; *(uint16_t*)0x20007faf = 9; *(uint32_t*)0x20007fb1 = 0x3f00; *(uint32_t*)0x20007fb5 = 0xff0030; *(uint32_t*)0x20007fb9 = 0xff0000; *(uint8_t*)0x20007fbd = 0xc; *(uint8_t*)0x20007fbe = 0x10; *(uint8_t*)0x20007fbf = 0xa; *(uint8_t*)0x20007fc0 = 9; STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20007fc1, 3, 5, 27); *(uint16_t*)0x20007fc5 = 0xf00; *(uint16_t*)0x20007fc7 = 4; *(uint8_t*)0x20007fc9 = 0x14; *(uint8_t*)0x20007fca = 0x10; *(uint8_t*)0x20007fcb = 4; *(uint8_t*)0x20007fcc = 0xfc; memcpy((void*)0x20007fcd, "\x11\xd5\xf9\x90\x68\xe5\x06\x8a\x1e\x42\xe2\xbf\x00\x0e\x22\x1f", 16); *(uint8_t*)0x20007fdd = 0xb; *(uint8_t*)0x20007fde = 0x10; *(uint8_t*)0x20007fdf = 1; *(uint8_t*)0x20007fe0 = 2; *(uint16_t*)0x20007fe1 = 0; *(uint8_t*)0x20007fe3 = 2; *(uint8_t*)0x20007fe4 = 0; *(uint16_t*)0x20007fe5 = 0x80; *(uint8_t*)0x20007fe7 = 1; *(uint8_t*)0x20007fe8 = 0xa; *(uint8_t*)0x20007fe9 = 0x10; *(uint8_t*)0x20007fea = 3; *(uint8_t*)0x20007feb = 2; *(uint16_t*)0x20007fec = 0; *(uint8_t*)0x20007fee = 3; *(uint8_t*)0x20007fef = 0x3f; *(uint16_t*)0x20007ff0 = 8; *(uint32_t*)0x20008290 = 8; *(uint32_t*)0x20008294 = 
4; *(uint32_t*)0x20008298 = 0x20008000; *(uint8_t*)0x20008000 = 4; *(uint8_t*)0x20008001 = 3; *(uint16_t*)0x20008002 = 0x2001; *(uint32_t*)0x2000829c = 4; *(uint32_t*)0x200082a0 = 0x20008040; *(uint8_t*)0x20008040 = 4; *(uint8_t*)0x20008041 = 3; *(uint16_t*)0x20008042 = 0x43f; *(uint32_t*)0x200082a4 = 0x2a; *(uint32_t*)0x200082a8 = 0x20008080; *(uint8_t*)0x20008080 = 0x2a; *(uint8_t*)0x20008081 = 3; memcpy((void*)0x20008082, "\x5e\x74\x60\xeb\x32\xa6\xb9\x6b\xd2\xff\x9f\xf3\xa4\x96\x20\x85\x33\x64\xce\xf4\xb1\x18\x00\x34\xbb\xee\x7b\xde\xb3\x75\x3e\xc4\x7a\x7b\x68\x43\x60\x04\xdf\xa3", 40); *(uint32_t*)0x200082ac = 4; *(uint32_t*)0x200082b0 = 0x200080c0; *(uint8_t*)0x200080c0 = 4; *(uint8_t*)0x200080c1 = 3; *(uint16_t*)0x200080c2 = 0x406; *(uint32_t*)0x200082b4 = 4; *(uint32_t*)0x200082b8 = 0x20008100; *(uint8_t*)0x20008100 = 4; *(uint8_t*)0x20008101 = 3; *(uint16_t*)0x20008102 = 0x200a; *(uint32_t*)0x200082bc = 0x83; *(uint32_t*)0x200082c0 = 0x20008140; *(uint8_t*)0x20008140 = 0x83; *(uint8_t*)0x20008141 = 3; memcpy((void*)0x20008142, "\x98\xbf\xbe\xd5\xf0\x2f\x05\x41\x39\x3b\x27\x16\x3c\x18\xab\xa0\xf8\xd6\xc9\x06\x9a\xe8\xed\x73\x2f\x7b\x8b\x4f\xd0\x40\x72\x65\x12\x57\x2b\x20\x49\x34\x98\xb0\x80\xe9\x6c\x74\x09\xc1\xff\x22\x2c\xbf\xe8\xfc\x73\x9a\x7a\x6e\xb7\x01\xa8\x12\x5f\x18\xaf\x24\xcd\xab\xbf\xb5\x2c\xc6\x66\xcf\x12\x04\xb6\xbf\x96\x51\x4a\xca\x5b\x04\x75\xe2\x1d\xaf\xca\xaf\xfc\xd8\xd5\x84\xec\xa6\x93\x9d\x81\x5d\xc4\xc9\x74\x72\x7a\x2f\xba\x78\xd5\x04\x4d\x9e\x9f\x08\xe3\x5c\x9e\x2b\xf4\x70\xf4\x66\xac\xca\xa1\x30\x1f\xac\x54\xbc\xff", 129); *(uint32_t*)0x200082c4 = 4; *(uint32_t*)0x200082c8 = 0x20008200; *(uint8_t*)0x20008200 = 4; *(uint8_t*)0x20008201 = 3; *(uint16_t*)0x20008202 = 0x1627; *(uint32_t*)0x200082cc = 0x39; *(uint32_t*)0x200082d0 = 0x20008240; *(uint8_t*)0x20008240 = 0x39; *(uint8_t*)0x20008241 = 3; memcpy((void*)0x20008242, 
"\xaa\x56\xbf\x40\x48\xdd\x06\xe2\x84\x5d\x2e\x04\xdf\x75\xb3\x91\xf7\x66\x46\x3f\x09\x54\x05\x32\x21\xac\x36\xe1\xdb\x6f\xe5\x09\xc0\x5b\x86\xc7\x76\xd2\x0f\xfc\x6a\xc3\xd9\x93\x49\x32\x2b\x40\x0a\xea\x39\x4c\xd6\x71\x9c", 55); res = -1; res = syz_usb_connect(6, 0x7c, 0x20007ec0, 0x20008280); if (res != -1) r[24] = res; break; case 47: syz_usb_ep_read(r[24], 0x75, 0xa5, 0x20008300); break; case 48: memcpy((void*)0x200083c0, "\xdb\x88\x55\x99\xb6\x0a\xec\x82\xad\x70\xcd\xb2\x88\x6a\x2e\x73\xe2\xf0\x44\x7d\xdd\x5d\xea\xaa\x15\xf5\x6b\x76\xab\x58\x04\xb9\xf8\x6f\x60\xdf\x6b\x12\xcb\xc1\xe5\x90\x6d\x23\x88\x89\xda\x54\x4d\x9b\x56\x52\xf6\x0b\xfc\x34\xa1\x08\xdf\xfd\xff\xa9\xae\x90\x46\x14\xe2\xbf\x15\xce\x0c\x34\x9a\xea\x15\x51\xb7\x54\x4b\x69\xbd\x2b\xde\x8f\x82\xe1\x8d\x42\xba\x16\x71\x80\xb1\xa6\xa4\xd1\x18\x44\x31\x2c\x11\x6e\xe0\xb8\x5f\xca\x52\xa1\x1e\xc9\xf3\x7a\xcd\x32\x3e\xb2\x87\xc8\xb3\xc4\xff\xdb\xca\xaa\x32\x9d\xf9\x20\xe0\xf7\xdf\xaa\xcc\xc1\x7f\xd5\xff\x16\xf0\x39\xc6\x93\xcd\xfc\xdf\xae\x81\x52\x9a\x02\xcc\x97\x3d\x8e\x50\x20\x09\x3c\x1b\x68\xe8\x8a\x82\x7e\x23\x0b\x28\x44\x88\x99\xb9\x61\x75\x52\xb1\xdd\x9b\x41\x2b\x34\xde\xec\x9a\x93\xfd\x08\x82\x3a\xeb\xf3\x54\xe2\x38\xd0\x4d\xca\x95\x7a\x50\xaa\x9a\xb1\x8a\x30\x46\x0e\x24\x55\xe3\xfd\x16\x41\x09\xcd\x4a\x85\x7b\x99\xd2\x23\xb2\x18\x31\xca\x29\x2d\x1b\x0c\xd7\x7f\xbf\xe2\x63\xf7\xca\x57\xee\x3a\x70\xa8\xfd\xd4\x89\xcb\x7f", 245); syz_usb_ep_write(r[22], 0, 0xf5, 0x200083c0); break; case 49: syz_usbip_server_init(1); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); setup_fault(); setup_802154(); use_temporary_dir(); do_sandbox_none(); return 0; } :126:17: error: 'csum_inet_digest' defined but not used [-Werror=unused-function] :113:13: error: 'csum_inet_update' defined but not used [-Werror=unused-function] :108:13: error: 'csum_inet_init' defined but 
not used [-Werror=unused-function] cc1: all warnings being treated as errors compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor907203718 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -Wno-overflow] --- FAIL: TestGenerate/linux/386/28 (1.58s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/22 (1.58s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/25 (1.59s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/10 (1.59s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/15 (1.61s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/7 (1.62s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/2 (1.62s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/30 (1.62s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/16 (1.63s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/23 (1.67s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/29 (1.68s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/26 (1.72s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/3 (1.81s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/9 (1.90s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/6 (1.90s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/20 (1.95s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/11 (1.96s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/18 (1.97s) csource_test.go:116: --- FAIL: TestGenerate/linux/386/14 (2.11s) csource_test.go:116: FAIL FAIL github.com/google/syzkaller/pkg/csource 39.503s ok github.com/google/syzkaller/pkg/db (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 25.233s ? 
github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/instance 0.581s ok github.com/google/syzkaller/pkg/ipc (cached) ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig 0.626s ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 0.688s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro 0.117s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 42.577s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/prog 8.970s ok github.com/google/syzkaller/prog/test 4.357s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? 
github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux 0.117s ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd 0.033s ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 0.947s ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state 0.095s ok github.com/google/syzkaller/syz-manager 0.867s ? github.com/google/syzkaller/syz-runner [no test files] ok github.com/google/syzkaller/syz-verifier 0.093s ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? 
github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.016s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 0.282s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 8.091s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? 
github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL