roc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); initialize_wifi_devices(); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 63 ? 4000 : 0) + (call == 72 ? 200 : 0) + (call == 74 ? 3000 : 0) + (call == 75 ? 3000 : 0) + (call == 76 ? 300 : 0) + (call == 77 ? 300 : 0) + (call == 78 ? 300 : 0) + (call == 79 ? 3000 : 0) + (call == 80 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6301:17: error: '__NR_socketcall' undeclared (first use in this function) :6301:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2802133985 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/13 (1.23s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$MON_IOCX_MFETCH(0xffffffffffffffff, 0xc0109207, &(0x7f0000000040)={&(0x7f0000000000)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) (fail_nth: 1) r0 = syz_open_dev$dricontrol(&(0x7f0000000080), 0x3, 0x105400) (async) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0}]}) (rerun: 4) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r1, &(0x7f0000000140)=""/106}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000200)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000240)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000280)={0x0}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000300)={&(0x7f00000002c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000380)={0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f00000009c0)={0x0, 0x6, &(0x7f00000003c0)=[r2, r3, r4, r5, r6, 0x0], &(0x7f0000000400)=[0x7, 0x80], &(0x7f0000000940)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000980)=[0xff, 0xfffffffffffffffb, 0x9, 0x100, 0x4, 0x10000, 0xfff, 0x484], 0x0, 0x73ca1ec4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@action_no_ack={{{0x0, 0x0, 0xe, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1}, {0x6}, @broadcast, @device_b, @random="01abb5a42e6e", {0x0, 0x5}}, @smps={0x7, 0x1, {0x1, 0x1}}}, 0x1b) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_bprm_check_security\x00') r7 = syz_clone(0x42000100, &(0x7f0000000140)="d1a222a113afa50937eb93a69f4a6daeb1c51185973fcbcd8ac1511fee5166f0a2d7b107ca8ba74b42ac080422e3e26c8fd0707d3352f3e0467c446d0fd59fdc796204deb520c9f39ceb06b12c5dec1f8d80435d3a9531b3c8c63eca16670b0be3277698485a45d91a4737cdc17c96065423348e497b473b96cd4d870b360809cfb9631f7a2cdadf25baade0a028dfa84875eeaea710f44ee0c60be31d07667921375cbf5e90565a7594d78c49ee1a773a21696e3e0f6e9d5a9cc8261a51990269f06e5642a81055ab67", 0xca, &(0x7f0000000240), &(0x7f0000000280), &(0x7f00000002c0)="4ce639fae6a5b1dbfb9b05cdf44c3b14df7c001ef8931a5117ea1ba175c0a1e0806dec26a61e38c8b355e6334aab16936f3b9388ce1e115787f0a164e987d9e1339bbbdc21479403322cf6c7b55dafea9cf527b32532be38a2f0557907e357b05e1986227888aac6cc43a9e5ea5e3c093b693d4d13b378ac2243") r8 = openat$cgroup(0xffffffffffffffff, &(0x7f00000004c0)='syz0\x00', 0x200002, 0x0) r9 = syz_clone3(&(0x7f0000000500)={0x8000, &(0x7f0000000340)=0xffffffffffffffff, &(0x7f0000000380)=0x0, &(0x7f00000003c0), {0x3d}, &(0x7f0000000400)=""/54, 0x36, &(0x7f0000000440)=""/57, &(0x7f0000000480)=[r7, r7, r7, r7], 0x4, {r8}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x98, &(0x7f00000005c0)={@remote, @empty, @void, {@llc_tr={0x11, {@llc={0x0, 0x4, "d4f0", "3855a5dee3a80835452966b4819b8e62fe420ebc741cb5df2368e0d83b02a44133dda9714f0ae883ab9c1c66c38864627043bb1cb645f8ca7ee26fb421090e98e576724d716c681bc3e802709219450517396e0b82978a08ba9cd791a977b9971dfcc61a5318a165f4fccd530654e11d54ca4f12b28362bee6c70bcfa1ce0d983864306cf6ad"}}}}}, &(0x7f0000000680)={0x0, 0x1, [0xf2e, 0xb2e, 0xcd, 0xc93]}) syz_emit_vhci(&(0x7f00000006c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x2, 0x12}, @l2cap_cid_le_signaling={{0xe}, @l2cap_le_conn_rsp={{0x15, 0x3, 0xa}, {0x1, 0x1, 0x0, 0xb, 0x9b9d}}}}, 0x17) syz_extract_tcp_res(&(0x7f0000000700), 0x8001, 0x7fff) r12 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000000740)=0x5) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f0000002900)={'\x00', 0x7, 0x7eb, 0xd8c, 0x6, 0x65c7, r7}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000002b00)={{{@in6=@loopback, @in6=@ipv4={""/10, ""/2, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f0000002c00)=0xe8) shmctl$auto_SHM_STAT(0xfffffffd, 0xd, &(0x7f0000002dc0)={{0x7, 0xee00, 0xee01, 0x3, 0x1, 0x2, 0x100}, 0x8, 0x1, 0x8, 0x0, @inferred=r9, @inferred=r9, 0x8000, 0x0, &(0x7f0000002c40)="04dbcb209f35e5ddfdb1b3b7a741cb0da9e7b4a97e26e4d64ca5560ad3ea50d519bbf049c3135111c4de1f36b6b308bbd028e4495d46ed8393e759fd0a3a8a87f1db8749da45e9a5f999f3e74d920ce20c4d2bfe9ca72e5faea34e254ebb9ca9", &(0x7f0000002cc0)="9e746e3d219f0df0db9f4dac0afe9fc6a3ef5fcab6058f83fa7cff2a82d20c2e4f575259eabbe06734843f871e50f4d47bd62ead38d7be8ce30b95115285d16abc718c0da482b90f24299f3017ce2a536dab659aca91d1cf689107448150e4566abf4c057bde3c378236a3781059cc800867309fb208ab69fe7d3fff31198f363305539ba5a17423bd8345e10a2507adfd0b0df310c33482d2cc9c9ba7bf80c8c7e2159c09d9402b1d7ca88f84e7b4ceb8a193ece6dd5faa70429fbac4f1020c7667302d4a57ab637f35ffe42e58593fe3ece07b5d637ef6d973342257fe2c5b1169399909ba6d369fde"}) newfstatat(0xffffffffffffff9c, &(0x7f0000002ec0)='./file0\x00', &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) lstat(&(0x7f0000002f80)='./file1\x00', &(0x7f0000002fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) newfstatat(0xffffffffffffff9c, &(0x7f00000031c0)='./file0\x00', &(0x7f0000003200)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto(0xfffffffa, 0x19, &(0x7f0000004380)={{0x8000, 0x0, 0xffffffffffffffff, 0xfffffbff, 0xff, 0x7, 0x5}, 0x3ff, 0x5, 0xffffffffffff05c3, 0xffffffff, @raw=0x10000, @inferred=r7, 0x6, 0x0, &(0x7f0000003280)="976ff34290bd8bc7a7cbfc2a01cd57bb3fef9efb9836923feab6b22096e6a7f305b4a4725f362d86ba08a346f5ad87651b24794b4ee5813e0557b0ef0a7c19b1eafef2a16909abb9c855ec4536adac1b482e8e5a1dc478a025feb8b6304bdcd475b1d917a5b6c9d27a6b4858cba4d25301fe261bf12313f6e8224fc5ab0bb2fd404104ddefc2f27a36d9d10ecac7929db5ffc1df4c6fb6e5637020abf5e6504310ab6de659b656cee8ad04d046756ddae33d8d223854dc8c318392482cb991827824f40daf98da166c916dbb8c156c42197b664d7590e6d2cf4ea3280f84051c9ee3114142db27536bcd983f170f221c15dae9a11a52e84253663ea4308f", &(0x7f0000003380)="2c9f8f388d233b4f054cde11358eb632feac99157236e370ad09ea7b82ba5785b9e9afa9e686a62a5d2d53e478ad6bdc5fffb647b0835e147419667c9a116d7dc9628b1e9f7f66533e8e736b4a659a784c610da8c50010c4ad47ecbb1eb2ee6aa0b49090e709138ab2d171e1dbdd6e8653e06212391e7dc1b28bdd23129424500dcd8343ba198c60cd9701af62b4662b082ddc55e8149d60891c650e774755fc3a0d100ff0bc676b466e3dec52ca77d2c4ce103fc44bb563b3c182cf2f65541303d2d29fcbf5a3f42288f8fe1c236c3e12170e7ac600c5265cc5974e25597f049e9c015c76dec0d7cd2979cce123ad647297958c9d7dfbc36afc2ae4b9d2c09ac172a04dacffae8a50219a4ec4adf06ff80747d40c46ddc0764af4d7782807b8f14fb797b2780bb68e6b2a95dde508f4063c65d87143ff2466fe29ff3afa65202a99240c57990e20c5f34a95bd813572f47d8d482db3fceb9f1c54c8a8dd6332e83fa39d6651c7b78fa971ee88756e2e5a3fb029c77a48fd4164f107c882d1743bf852c14866a437ca56d1d2d199f93f758719d2293c5891b77e860b2b7c665129fbce455e93ce66b675619bbb23629d2bc8682ed4695d8c6afe256d372f9fed839de5b5f68d1d30cffb1a4e7402b9551129edc4c2deec8c16714ea309cf20ac7f17f5fd3cb97bfbff2dd36216b8f73403607b4ecb2dc42448eed56fb23266bd0fdf7eee43f34be3706ecc705927ada3d84f94d8a2898ce00de369c607552f6994ec15f66ce65c4952e30581ede46a2033589d2c28994bda0531943919e301a6d8187da7b498966af1fe3e410e5c167afb133b3e5e40db618703977b24002f621183b61a6b680301387e2d89565f0f62de825516d349c174c07924f4a8dffb281709e997af6da5a62a954969b5335f3074f2400245a77b195131d26ce43e17c3a201a5b8518f8f961f2be9d170c6f5b2b236a394456e577bada3307f4eaa8e0352bb595037e7f30f5ddbdf014ba5b6f3cee6af1fd4744fd0bbac1e2ce29853c722956da7de4e3fb9241820b0586ffa29da5b6cdd12da1a0418643b4ba96bb43242146f6c0a33980b9385da283a2a052b8c201f4239f957fea5f23efcd5ad3bb076abee60ce467eae6805e186e974934280a267dbf7320cb90fe9322bdb6ce809bd35b4130be87119047efd755cc747743e6da51b24af5c01661be2f813cef7d7ed9b61e83e0dca2c8221525b281570276a5958c2614929794c2d55a6b15d1701b1961a078edeff50e0eb0e02d9b1d402657ce25bdaaf910ba4549483631a5489ca98fe979c54c7400c9cc68fed1ab00c402f49d36c4d7b2fb273f392aed4f8def256d409e50d26e7251f91b9f5bcd8e84202e520cb7fe434744fe3a8831c1af1eb20a8f88579ab19268d7eefc6dcd8c94e3b6896e336e0f738aa244c2dbec12324a8a1ca70e040d07a7900f76f0b09e0faab4244d568c00309b8f31157d91788c871d616d0572a26f9bf40b2ff8f034dd9646fb13ebad2951fb7a9ea5509211359759fa495722e0ce6e24b48e3d2a1ec6939838040d00cb908d9edafa8c3845754bd5be90f6f92cc70338b3b1fc072cf2682740371caedd80fece859b1587f04147f50c5a9be927b5d51ae428a1c7e4b594ec242a0dab90581742428e5db58ac1ae32496f37119820ae295a3df7a95509d05d75cd778b54e44a317eb901c7cc28ff74ab53b6f4fb4ade0fc4af2be36d760476ca853a782e7614a133a99f1e5f0f12b9a958e70250fc9bdb898dbe34d8ee32b23ee9f0192fd4bf8f9622edd9f7acaf4f4b92673ccff23227c94132271735ac83de739c85cee73abf94ea2fd0e5b9c54fb7a2bc8771edfe9ba3eb70dcce56f7890aa8a2028e6d318ec234b525626e2460c4d007e74f7ad4068015a5032fb6fc553b27faf764671222ef4b39804e300d9a58eb4d9db9f3fe20127daadee117874ff95e3676e37bfae3061e95a71e97b15e24349f07856def173d2ce459affa77c5b47f8b677a1658f7d89af72253c800e62ce2b11f4bd837fe980f02d4f9719c0fe48454f72809deddaa972d65282ecffee1569a2a5377096ff3f010044e71be8baabfe65e99be10386ada70abfe86e7a4ffa8753f862d2704ceceb6df34a6dd48675441f7cca635e401cb2306d1726e1c3c04266419e991188e77cdfe9e0aa13c76107a2a27f7216b42a690c0063c92fd222f45fb0820d0464ef0b7ae6515e8174c7f90ffdec6dc2913d5ad1feb80617701623363a4e735107b300231ca5624addf083e075aca1d18d95c01b7357a4118fc492c07ff1c0711a9e00bd78ff8e431d7af674dce55832f45901f235b7824e8ad0ed0d8d67f7ff612ff1eca74a4deac721fd1c85980d87dbc8dbef59f3754720f0b926c25e84b1d7605c505f8e75038fa29f38cbfc97712f92447585a45475a90db7d81ce2b42929fa6ae4a6790560025fe0577ab52358f0b098800458666bad646991e146ec904511ca2655183631bdf0d5405879d6f69932c844190e2d916a7ae65da287acf801209648800a1dfe3e9b38f7b58641b0fc1804f9a279d8f4c803d0565650606f60a7e99fe461ab36d725ca764611cc203ffde0f06ad87cf91602381f1ec7aa255b6d21a85fe2e32a060f18b53385476db436919f9ee6995704046350e098ce1e66a1b8328fce20e1f8c98cefaef29cbac0bd9c0f1914538abd48436e92bbcf1271ac66ced7a53013f815f015f36180e323ac8247128a915938c89f711332d9758935180eeac8b8c9f99f9f306d3481b3a68bf9613360681a92437c7bd80adf9899093f3286fd18540a8c742510db91e48a1255dbcd218fe7a34c5058ad59a6962abff5327facd4c2b3a51ae13347d56a19f484ef62d52799ffe802c9fedcf9c076896018db33cf2bd9b0ca59de3f7487a273f7e8cb6d090b14a83ddd2f261d41f0fd1948e0be62929fc668b9f13753e61d08b1a88752dbfa315e79c2d81881190d2b6ad33ad8ac036e5a22b5ea8225ea410e9e8ebf86c4a7ea49765953cd96d05431157a8048fa61b80ba606cf53af8349cfadb89559fdf204ed283d71bbf700a9cc3782607896c851b758405b007e6150cc7e6586debda12a1c4b2b6366b3879623cf9eed75d56f4abca9151eb504670a4a518c668ed9488d8b5f1f212ea69c51a7497260c2a4859488b75960313dd3f29bfb75ea094ba325f79a028d07dbf2137bfefd261b0c5609a169d5f1bbe1815f06ae4e26f5f3f4b36cccdd3fb7f8adcb7645e37ed7d9b63c9e21cdc5954e2852bbfee5bc30a978399189e63b92699d810c589d61d0cd0c6bf4ffb892537e0ef1887d1ea047290ff609584a00dec798f8e72e06c1be8399ea069fd13caf0e1b4cd66f84e26869167d54b8c43c967b270bd8561f99dc84024223402ce0957d93e8582bb8f4583cc2648861fc562fc2102a326e921a418fd518ce636e4e3edc36fd89bca25add71accb89d777070526d9cf7274dd486909c3b142d27fb0abd467be27c36e8487ccda73ad0c89adecd36a08c37ce15b876fd2121a7b0d11bde86759eeb66287b44c61ced7f74a143044ae805869d31a1b1c44b8150d8d630debff9e95c31187b774441fa8137c08ca316ab778159917dfbeec94529d3a12c16b9f39c4d77944e6f16cf9b819f9d8a42ee73291ed84e2d584b305aeb799c2cd76f3afd7e826bef0b77159bb4dad1139eaa9cde7bbfdca740addb511eb8b91d548e18d7cd691dce8578382ecd09ead356f85a4acee4bb8b19342c748ad9704b11e1d9b02c0218ca3e799ab80017052fdd66e9101a00b7657ebdc89cd425334a916df19dbdaf6e4f63bc03492913c86d058ea61685df77a06e0df07ed3fc1f92df067e86d0033640c10f40c279c264c477b2899d4a244b67ee884e519b4dbdc5d6f1c3ab67c123a597974bf3a57ecc909be9133917017db1d7c9e192618524a9392957afebeefb2d8bc4761034070f4179582226e34b1865d26be00c9bd31320c313cb509057c27f1274c78f471bf69b85dbd478237383be86c86f4b0117a2b157820832d07d88d2e78a9aba0b045a19dbf8a6faed40e41ca47c013c2903e69f2ba49b07b36e1f3bd69bd4a82ef2a428a831357d25f5568b69e9422a3ba9533fb5ec240a391aa7b612acdd3502fe9296d4fa02af39f21f159af528daa3894c3d10bc8f70f204153a066e1e6e1174232fc420ec647e29bb4688f26c7d463cdeb95eba4c0d1ed3f5fe41d5e34c0b27b587454fb403e8c9a0fe90f53174d547dbccadb6481c48c979cf3414d0d47160a0b9f6d9a4fa8489653ca2e924223a8a52ba63fbc1af034cbf44cca4728f09e1f57706d6107eedc0659bb9c6d8a3383f11cc87e53aae6dcb83853379a6c0d536b1e06773aff31ea600397c43a66f302837d521fb6abfde5beed88493a5eecfb26ab6fc3f879ec0121f3aa7330bfb82d14528d9c5e2033c05cc6b60f6669273f99099a5d72c2c5144dc0b2aafe0fe7bd01ebae29bcd82f4ca43c5a22974c3c9d923a62e390532e2774800015307b8aeaf1b7a061fe77131a5e12a9cb090eda584acdad7bd8afb20deab65d7d1cf3d16ca8187aded08a9dd9bf830ceb1113977211035b1a9051ae1ca5f1f326e4a6e257b62d7792effd005f183df782bad319bda67a92386c6622d002ee87cfcb1a4f9b4bb4217e8675299f2d8c8f8a6324d3602f768390a12478e7afd2d52cd23567b1984d48d855cf072140126ab0a8942759cf3898f118284d2a933721d71db420e830c88e23b1f07b4425b97d0b8374bde0cb8c3be352471c15c0db69276261763f46ba3d043ef637dcb3f9b0f2d4340029222be810bfcc54e447b9ed750f2f275971a63ad6127bc7423c3fe8fe22f281a727b9496b703f0f68878ca8e117485eb7c8a7b38266bd5a07b5a2f8a9c0d02ccf8c8f762bd1ad4b215b295969dfcb9f19c13d88f72b54e59400a7201ac79fe2fcaf329c8e35a3eaf2417621a00eb5cd2da50c611d5b33e35997071bc1fa35d6cc81247c17bce39d225172ed4a10640cad8178865b307b866323a25569b6ad3292cd47f73044ce58c454961cb5523788a14cc46228517312b74793f0336092e7e30a0da14318945ca2312922bdc8f6e9a4159913fd72dcb4e4c787796ee465ca2bf4cf3628725a391197efe8104ea71c630b72ccf8fe427be80a0ca6b14f53ff9697b6279f0b2cd23e356f951d7c08b7f146ebaa3cbaa6a90d1d9af187e21c829377781d75d544662845d403226516f4052479d8ff176e24ce5510d6e33f04438462386babfc53be7cfb6015296979fe4122192cd44b046ea7e71238c0d3060a38225b9afabaf1693354b3521e2aaf5de3e85e5c586765ef8e2f9c98b8ed4a535f6708f0f171895b57da981c4b3d851fc78322857b8fcffdfc34fa3ef658eabd567b2ff35f0ae288701a811f725c8719daab4725c7bae2a7174861812ec8e9a999a4a7dff379008fb7a93bb9d5da43ea9e10819f914119f474df29acdc90e1b4901fa8d2806394adb6d34f564489340015df154dbd9e9bfa669e277a4c3522074cda8f036e1c762a2abadf3878e7b70598e4df8f7d6e134e13509f1f3eb2a461872adedcc36407d03d453e710f3b0305b35c069bcf6550888be2c3df879622f7c091605c2b473384e4aabf373845b643893ea03ca9a2332f7276ab52ea5e69a3206d0b29eca19fe9b561d58748f0fb5f7cde5d32ad768133a5733db27411ac56849c31c9cc9877cd771ad87db0014b011c071a8a57afcc9111fad241"}) newfstatat(0xffffffffffffff9c, &(0x7f0000004400)='./file0\x00', &(0x7f0000004440)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto_IPC_INFO(0xe, 0x3, &(0x7f00000046c0)={{0x89d, 0x0, 0xee01, 0x3, 0x0, 0x1, 0x7fff}, 0x8, 0xe40, 0x7fffffffffffffff, 0x5, @inferred=r7, @inferred=r11, 0x6, 0x0, &(0x7f00000044c0)="ab561aab77c583ce985b9783d96b5e4e3824cb3026da2efee0101d24cc3c6b58c7966f226c27699f3dc15a3304862622efda37f57e5797f736c482b334c0db1039382a78928d4708282c72dc714025c2cca6fef30b64fb050ee5845b1253799b15940b967116839e0075330da8af7ee9a5b52c5768fbf02f315471e6d7ac7780eedcf56dab90441764c1053f95a9e94feec9ea2b6820f3be40e34dcfbfe71b03378a751c0e0fd04fcda924050048f51708503500609235cc75d299eed66d2ac9583e91dd31b9cfe3af5c2489c204014b7a74549d85c8e8dbaceb6388f245c262986d6b26eadd8fcb38587b698b3c59fdf63a82c643db5aa17914bfa0", &(0x7f00000045c0)="be290174f8ce0f04911d69badae0bf37c4fa5b15fa3b1883ef707038444de4aef3a73f3383480e830ddb756243c29709eedf6974edf3be9df13637b48ed14edc03d7243bdb53fd99e2eea6025693ad0701b82ca38dd6d08cda9e31031dcc02ffa54384c4aa7d870f8b1ab9ff5c0e744cef60ad5418d5a3b9ecdf09a54a1d9b12b10ecd3bcc7bfe6ec02b568daf99a59ca92b8a9eec612f3829a08c44fd4b27611da5908b591f340e23f5ba2adb1e29e89f28f5f2514379e45462dbc30a7202bb25c19ac61489119c4a8aaea4000aac8281c3d426d8a082b7dc78f57a12a5c63562"}) fstat(r10, &(0x7f0000004740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_IPC_INFO(0x8, 0x3, &(0x7f0000004840)={{0x8, 0x0, 0xee01, 0x0, 0x4, 0x2, 0x5}, &(0x7f00000047c0)=0x4, &(0x7f0000004800)=0x5, 0x4, 0x6, 0x0, 0x8, 0xac0, 0x3, 0x401, 0x2, @raw=0x400, @raw=0x7}) r26 = getegid() shmctl$auto_SHM_INFO(0x9, 0xe, &(0x7f0000004980)={{0x7, 0xee00, 0xffffffffffffffff, 0x1, 0x972, 0x2, 0x6}, 0x7, 0x6, 0xb9, 0x8, @inferred=r7, @raw=0x5, 0x83, 0x0, &(0x7f00000048c0)="4166dd81284669cc6529e5a0ef081d370a00722e0c7700e484177e2729e55d1fe0f7564690881382a850b3b8d6195ea5d032edc998535fc787928ab4a3b1891540d246d40daa7a5fd7db2bd6c99b3f2a7e514d0069f2bfb485d9e08e67c46824c2e704ffa0431e1c20432972adef084921d4", &(0x7f0000004940)="3c673d0f3bdbe20483bd0ef8f8a2c865bb817c75a3555f98dadf18fb4d805bd339d5717defd470ce"}) msgctl$auto_MSG_INFO(0xff, 0xc, &(0x7f0000004a80)={{0x80000001, 0x0, 0x0, 0x8b, 0x4000000, 0xe206, 0x366d}, &(0x7f0000004a00)=0x5, &(0x7f0000004a40)=0x7, 0xb5, 0x5a, 0x4, 0x7fffffff, 0x2, 0x4d49, 0x0, 0x2, @inferred=r9, @inferred=r11}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000004b00)={0x0, 0x0}, &(0x7f0000004b40)=0xc) msgctl$auto_MSG_STAT(0x9, 0xb, &(0x7f0000004c00)={{0x9, 0x0, 0xffffffffffffffff, 0x0, 0x1, 0x5, 0x3}, &(0x7f0000004b80)=0x9, &(0x7f0000004bc0)=0x10, 0x93e, 0xb4, 0x7fffffffffffffff, 0x2, 0x8, 0x8, 0x77, 0x10, @raw=0xa711, @raw=0xd}) getresuid(&(0x7f0000004c80), &(0x7f0000004cc0)=0x0, &(0x7f0000004d00)) statx(0xffffffffffffffff, &(0x7f0000004d40)='./file0\x00', 0x800, 0x4, &(0x7f0000004d80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_MSG_STAT_ANY(0x9, 0xd, &(0x7f0000004f00)={{0x8, 0x0, 0xee01, 0x6, 0x1000, 0x3ff, 0x2}, &(0x7f0000004e80)=0x7, &(0x7f0000004ec0)=0x95, 0x3, 0x3, 0x6, 0x8001, 0x7f, 0x5, 0x3, 0xc, @inferred=r7, @raw=0x9}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000005040)={{0x1, 0x0, 0xee00, 0x2, 0x8, 0xfffffff8, 0x2}, 0x2, 0x6, 0xb, 0x100000001, @inferred=r11, @raw=0xc, 0x8, 0x0, &(0x7f0000004f80), &(0x7f0000004fc0)="4f525e340cd5a86e0881814810a2a91a15b1d5d14f4a79d14dde318eefbdd8e8e728d413187ede4fd069fc173d33f251936658b970959cdd1a15bcc3c26ad76b38a5be0c00532ac5254d632a2d800357de96e6f2f7841688314922a5eb1530e0b7352ca60639db7697142de2aa07c7c6a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f00000051c0)={{0x20000000, 0xffffffffffffffff, 0x0, 0x60000000, 0x5, 0xb, 0x4}, 0x7, 0x68b, 0x19, 0xfffffffffffffff8, @raw, @inferred=r9, 0xc90, 0x0, &(0x7f00000050c0)="390ceb0f410c002527eb3b46b10c24497104200a43cdd523e8a72786cf59380bde524cb59556d5b256cae07e343b52beb18b62eab07c445eefcb35dabf186ef840417c408f79b74aa6ed333f9462acfc1db146b667a8962992f20af86d7c20385025a74f9071c79844536cb7ac8f8865fed4a57d022beaf618bdcc6509c5be81037e584abb6ea9b8cf0d2e175fcbfe9bda3668d75268cb8605fec3ba1bb1e6c276a14929c3460e1693458f22612352db6a3efa4d7c7483d2", &(0x7f0000005180)="358f28870becbb"}) newfstatat$auto(0xffffffffffffffff, &(0x7f0000005240)='./file1\x00', &(0x7f0000005280)={0x4, 0x4, 0x100000001, 0xc49, 0x0, 0xee01, 0x0, 0x101, 0x8000000000000001, 0xfffffffffffffff8, 0x7, 0x0, 0x8, 0x8001, 0x5, 0x8, 0x9}, 0x6) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005340)={0x0, 0x0}, &(0x7f0000005380)=0xc) msgctl$auto(0x10000, 0x1, &(0x7f0000005440)={{0x9, 0xffffffffffffffff, 0x0, 0x1, 0x0, 0xabc2, 0x100}, &(0x7f00000053c0)=0xe, &(0x7f0000005400)=0x7, 0x8, 0xa2, 0xf3, 0x4, 0x6, 0x5, 0xd7c4, 0x80, @inferred=r9, @inferred=r7}) lstat(&(0x7f0000005b40)='./file0\x00', &(0x7f0000005b80)={0x0, 0x0, 0x0, 0x0, 0x0}) statx(0xffffffffffffff9c, &(0x7f0000005c00)='./file0\x00', 0x100, 0x100, &(0x7f0000005c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005e40)={0x0, 0x0, 0x0}, &(0x7f0000005e80)=0xc) syz_fuse_handle_req(r12, &(0x7f0000000780)="68f4b9c022245b560b419427c3c56dc4ee17cd422ac481d8d2dc27c0c24adf782096477e5b7a147733cca0eed7ced0abb03ecfa0f83e914228ec4e019a38468e2e4ee4edbda02353ee9a4c106339d7b118a30e93e6de4552288afe032af1f897ef39ce140cb1d452644133199f16653b9215c37f78f192752d031c6428d735621149de6243a0ab6fc46528b0a0e2d64e65ecd9e13409abd5e73039dd00e08805e51adf3a8599d99d69f23775044d3840234f1db089fb0987d645ec25f4ad3eeeb9604d1f2ab69fc3bf8315bf2e7b91886d2a6f5071b66fe5048b6b654412900507340dd1add27448ea31685b4e867c68c9b551df246b90d0d0fd9af8dfc647fce7c377aa364862ff0243ffd04747b945baa37d755c236092b3ac7aacf612a40326de09063212aee86e163aaafffd8adee4b515465cc919c1513dc7c9678ee6483fc3fc68b884a9cc604f362386feeb1a7efbd41d42627f06fbf6cf913acaee584da6050cd6f49ab96ede69216b0aca3499947b02f1b623245d4cc5dfb5bc7c28c4f77733c3330d49bb25ce9b47978b576c20e1c4d8b6ee1ddb2c80eb99a3536968aaf2f01ba3142d6d7139f47ad871327d9eb2fc364bb42cb60a572c71d1a13f94056c727ad80dbc0b3803d3ed007cdfbdc6f986845b239671233ebe9c973bcd8653c3732e52516409020f4bd05164909329cf8b09d57bc49fdfc9c96ee78b92bdc6e865b56195bf2987b6b4adff6196f37ffd8de510800b328ed7bf86ae6d4fb1d8e83d1c8cc93c127dfb6589d7e61ad8559c8700741988a06c4b3a03ee3e9569f795d7f1433cdb520eb451c351c23013c8b6007d147d24dd1d52fa5b0e40540f38bcf7419eb98a47901e9357a78edc701ae82fd058cd6d96969f2c6b4b82eacae112d67d062d56f0fe3b9cae85672c679497707254763535092769d38d26b9a6510d9f64fb09dcb7283de42570546b0c763ed8cf60f53db86b7563e5726f616c4bb2beae0a9e186eea24f642d70d34545784e4630d4e3ac0289c2caa22628e299b293d2730cae7fb99d4dea073e5a0ba5f34f77dd928389543e00f2b595649ab73645425e273e4b6d754cd17a627aee1da767160bfe86b0416adaa61ebee1bf7409f284485d43f8f484d053a1736da79212859f48b71cec77ee23f771adced4fe526495975bd04ba08c799c07f57084abbd6ba4281140dd8ec0693180a4daaf48b72ed48df137f68dded9a411454faf88dad181aa2306c36c13c15a5fcaab5bb79201b417f403c83d0419e29f62a66a0e0276f9f96c87f94b7c8a32b94cea7ef64fc4ff41b21d6846c2dad67bfa8a4b57a6e5001e40205d386ba77ae13c9a112128315cd6a1a641b228de06eb0a709f5e74da475d22ffc6533c9d9b2be00d22bcc8b4718705609608ec3e4c43579cfae0b6002f3154da6147b856d82f3dc4d4bac4f509b910796aace375ae79c8bd3e75d709aa0d90e29ef0e03c69fb8e5bcb34e4cf14a6e7cf4a408e99aabddcaabe1f0c72383671b4563cd06ea9c75e5bc2e3c9556ac45f07bd0d6c9b391dbaa70171e71301fd5395de383d135814c1214ce33208c1bd8403e948fa0b39379a14029f11958fec9eb460e3f9c7349af6306d2e0cac9a4e4de43e93127c6ec8b17820a5700218f5b08e0a8ce0a448d688c945d36b719b2dc711a8d48098bf4edc5e26fa5647a647240fff4d76688bca713b8dd7172afefba6e4a95f11a111e3cf039bbfa41536d9ad7b0fbbb4ff82cf19a72eb07bdcaaba2291ffaa0d0775f1aeb6866c23cfd9c8ea68c1387f89772eaef2020bcaac5fefdf104ce5160aaddd65fe9c489851fb090cebf0220321dcc57fdf71e9a1c1ea53ff17d131304469eaded3a143833afff98a93c1c413494bc0d6cf3470b2eee534d4f17de37aca75d82169f1b63341230d47e85beb0e6f50ce72556e37b73961292b9f0343851e9dca9fbf4ee45a5814b04444454413a019f82949881c81a5dddd2097a8e5c45d68b808adc27fa3abe5516b2a5c1cc719ee0c979666831a15a964d5fc2e87068cbc4e470d64f34f0fa9ac7e94a0693dc21964297b96de293ad5a77f2a8dce271a89d10a10b458a8a8c521f27a50cd206bf0ec9f2abb3dc1682d3add75b813c5979ef56583b5212775d617322bdd7c344fb0c2dc1dbcc63123119bd652af941355f561b8fa49b8e0caba90002c48b88c80ebea67771fb479f5289caf5eae18f01a0cd7460f3de6c3f92f1d43b56b0ddedb7059e7f18069f804b2056a20acbdf25f8ca36dc1affa80e2203a0f3639263a42e9b3ad0614c6bb3cfa4376b2854f60bcd9297bb0cb45416136f21bca9fe38fef0a1c265ae423b36eff0c7f9e84d3edce5df6a2e768949ec9dc4f9186c489546e24c713db919bd51e6044592837c8b7f037a8b3a9084d961c02fd0aa4245baa5e917d7f93f096fc00cd3da057edaa7476f9a3883c1ab863a917746bd00e87855bb58001674ec10542e70306310d73399f34a254cfd03b4fda6dedc8d7f2a8c81e6e17beab6710a2c2a39d38daf05e04e38e9d10f308131de76a359bd59015fc9f10769d36c160d3efb66174a97b6a599e74baedf336c3d9b0ced617bf0a530882d9168e64bfb9c36ea351af436f780544cd1f006e5db439d1cd9c6e2b591c37698e3b956fdd6a96d0c1ff5a5c2b4f20e8204fa2394ebd18b636072f76d498713d7258f8fdaa7d173bb52619ecfbd037e9d9e8efd79e776ea36889904152981d398f34b5e7582b7373feb1310f6a3f43da3656211581c4dcf82bb82cb513462808cea9fe21d0cf8707453e9c1de7a96a3829212cbe885aff10c11171f5abf14a8e6f22fd0048ac5e4186380c14c5c2d4fe13be2dd3e6f26cfa94522d625dc49d179bcc48cb42ea40e94f33d9e76ef925746cb525139ea6205c6f1221d9342e202e57b818a7d1214de38ee9502993b73086602a97519f6a099901b8dbd576abd64a8b13d5a930f82c06fb9c5bcfc2dffa97783eaa3385e72f9985d57d7ccf93b7c607992cbd249ed74b6da3ff1dcf6c723ccb3725ef18be354160d21b9314a7d01cc297c6b1fdc8a24142e555dd8fd4a28e04c85836e46e66364908eb84facaabb833b1da7031967c10b8c2aa3cff44f7a9dcfd0665d1e90d93be0df77a25a4823d8dd35c35dc4cf1c73ba26ab20473f301223a6ac9672220be0950f92bf1679874544f8c10e23bc9ee1d40a006c989bf9885020a65a4e7663a8117bec09e2a2109c52789bf7fbc00cd3efd7a652b15c4c4c05f654118e90643e649d7fe431957b6f1dc5925ba9ab6fd8a1f6a0f83a8a519c1dfe4236034ca5567eac95ea12912e6067181d61294bcf09c17f9d948a03b0afcdfd3a5d470d289e4b4744e688aee68bf26da015438a9c336bea06ddad4874653289c34c032764180f9798f33cc0b82b3687df74fecadeba2e58b970d6e4654d7b09b0d85c78961276a94503098577ba4932d17e0a7dd1987e85c4afcf01f68d7442038246b6849bd16fe035936be75e5626cd3d068b9df93085a12b9569cb27d301caaf2f4f337ce6b194f4a85a1755a2b3805367e5de5e4134df4fc3941625d44171a9840ef2267ad81f2aee6c34ecd3ae96281285b54fbc217290fe1f4675fe64d1b844cb43c755ba29dab531e837ece7146009fe04b727257bfa7ad4180e82e9ad170a9ab781efc150600ce37043ccee03ccfbe76509d63ff8f21862736a4345578c87f8f4142c97a47add5c7d6d7359b2690155a11cdbe9be3479e0f4b2dd44a68a7848518d55897e49bfaf2eefe6bc06d560e25f52ad1231d4664427bad4aba0d615985afa47ebaf242d3b8c168ad59cc05a1ce750d732a67203b3fcfaa4ed6b2ff004152eef5652beea4c6270203f154c70bb6c5fdac24bd7fcb6389bd1b51759205ba1aa1beab6eca99736f4a43f21a639536461d2438a913ed03b63db2621c63acb496eecf9838bfa7f1852437b458b1046197e511ea81479690904bc3a0bb4b9ecc0962e33c4cdd921f824abc2c19588613efdee01db701ae5440cdd987d868314df9ac7bae59274021a5d0643f8d1d3a97b8c8bf02ee9fc056cc164724851435f907685c349db9429fec6e2df3c534d94cce4ecd2ea55d72aa88264c86a40fa669306b95bcdefcaf54f117770a04f35e721f284f681b9d3114c4bed29f209220638defe43fc436695a58ed3f20dc921e4a21c79e5803927deeb5a14c532e3cd83ba32981c192e20e93eef674402afba8d378119f634ff065fb294f9e38c1974d4d37cf673b58797b5e26e22b0291623ff15d002d55a8dd00fe4b1fd54177d1fd065da0b17479316b58a8495aca42c440b63c8f4b1a9538df10c8c9546fd8c4195e1eaed31543b8061c8602a8977123f56e5f11cd05f5a36a448cc257571f0e5bbde25ae82f583cb313ae7bf5dece56b617321cfa60aa9278a28ee9f78ec7ddfc5d0f665ab1a1d5531f2406ffa9b5ad6f9ae4c98f85447fbdb9efc2ab398801e905c229e16ad9f87bf61956a7829733fff1dbb2c355548c4e303d1fb2587abeaed6911b3d5578d9d4355193af1f6eef1870f0f1df73615a5d9ffe9d42b7f94c215f9ceb41d605e95a54b5fb3c62f34396f9f951c5650920f159c1c330ecf7bf70b1b8d0a973ff4af344e9950ffb9edfcd326818e28471cccbf70b71ac2863eaf7ef95dbcb2f988c85c266f869914719906213c0db18a4a4712b02f7201dc95305a3a531f466f949fef612cccaa936d47aef4bbad390850f2b8fd991542e3986de10000dbd2bc09f16c99ed0b461cab444a1db069381434540795150de12427b1b5d0601a523204283fdd6b69e403fdc3f94421140dbf94865f35af7a7bae5547978fdd805cc52d68f4ff49beec4920e25d8e4a237a86c785cccc3f2ee7ffac881e99e57612c8c94bde400915f3f75b546579f401e2be54930904b98c8242394d81fe94d267d3ca3ea3a0e1c9107ecc298efae6a19e7337883e27af271e06299acc7559f0ea461b875e27138cd35e046319fe9f838c511305fc803cc24309dbf335b225c58b6caeb2724e44a9278ca823519a72433ceb2166b4b73a35b97de2f55438b95826e0ab348501187375b0962367db5349534676f352835a1059c307421b2beb2e63c0a006d5271f493e59069882b103d536608d18d61e974222c43b7ca92529c8b0cc2ae9df8c2bc2b20d6833147ec411c4a5bff534cc72b267714592a4e43252684940f54ebf5f39f28deeab2c89abaddfb6fcd2b1c025bf30dc2edbc0823ccd19fe52f9c0b38c9c1acd6b0efc3f688b80bbef5473cddf820270d721245cdfa01bff1485864974b428dd1933fbce968d27aecea5dda0ca9561919d5d85b098fc4f3efbf7ead3912851924628b888a28e46320afe8a302239147f48f2cc2ab274db1aee565b15ba2db832fa630344d01cfba11287b25c226f28bc4ebe1d204e90a39a81c6b2136b0164edb65194ea5510a9b9efc0d0a2352642f0a8a23ef4e6eb8948f5ab42ebd45ac946bfdb689cba13767f8d5f778c42e2d07d088491e06db5cfbe29ea3f45a43157945d419de632db52fa133d990efe2c9e473ec36d689d0b815845af5761981d46d5b9f3865f916b5bb93cf8f2e8d4a11c8afacfac2c647e6ae9a8696c9ecb6bdbdb2179f971eb75e14d52598ed6c16ec1427e21df5c5abbbd85e42f32df37c485ff33d0654571ec60af8674ba35c3ef627d24b1c2d84ff2525416c2a4265fb6de8173faeccfd3138316c4c7c329017928fe1b64c29dfeb4570f7de93f944615316fd3ae6cc12b94332fadf75b15a13d6ff27f7c61981737efc6dfb528942532eef5e5dcb803c1ed04da23bfee623a89088d8783c7edda3f56c5404ee7e42f09854753c1a0dd78723c9c4ef12c7ead1863a53af48d8d61457f2432ffaebb356a6e78a1591f0424aaa1f025dda17a7b5eae3989b27a573f59bbfe2f993fb18273dc356aa59ec1b2f151f84b9733b271f1e04d17d41e728ef52cfbc0111f123213fb22237d81b0029bdff7017f8703e1ee301758ca9e22399c420b3631e5b998737c2a75939fa46d1e617d7b19fba4919e35ca92d8b59798da36a0a5d4341a6eb57d5129513a6e862ea94f27c783c9e68f930d5d337c289ded11d510847a50c61c47940c17a32b287f704664f1b61e1648850891f80a4b61479348b43440d0c9c91b89257a4af7253ee5be6bbd56f22986c38b536b8d5000102cffd10d93808b8b1c4eb53f0c697c217161c4cb7e091d4388ce3a20eb5351538c2af3a906e6ac664a5d083e395eaa5de791ace45bd02b5e26bd36be796e95c74422b7d8f00c7bdf4b648a1e9ccf68e912abbfff3c74d8c56385d7a89a84ad3c3946a38e82080c3b38a0298070d8850475b95b379d62f5029103a7b45def66d25a08e241c42c3438828e59f5b1d1fd8c975649d03fe3e536babaede3fc3cafef77a72cd27b94c1d774efbe19374702f393729898bd09bc8a407720d67e9fedf01852b893664e35c26bb48656a5689e7e3a632e9e5a3bbe875ec6b5eb73fee6e605547596d0ede39c48b9d9f63d7b38c1f619bc6f6903c02c47403ae8539aea7893fb8110e4b5a9070836853f3a61648327f0c6953794fab38937b278dc0a1ed331ef4a0360c41f4fb35b7ca6e117e785833a224fbea8241c59c9d96ad650959a23c747d47881021a530c9aeec13b5b99a268e2a63a2b96846cd3e8520c770fbeaf52f9a6e36b7d5e0db746788613f6ead88738d00c30206fe07295b70ed21e0528a7b909f3d2cc647b335dc7b9829907c380e583bb408ae2710b40d44df12ab98ac6f08882c257c26b25608ba5af2e00e7c33e6084ec86a2258cc3dc8bc63c2eef5483b8aaef1cb7ad63f4a286803acce81ad14097473c65d9c37f2578de04e18a71951458f2ae3ab1d45a548fe11d4764806e713b628c1967da918e8ed6556e619beef08ad8b93d7d70917457d9c894c7bbc304daca443d14656a0268d74e7658377441e5fdb14148964f56a3058a8e1a95e10022770da557445387f2425e7bcd386e621f88713fa57f442462fc8f7a588f849ec7a108c6a5a777283fc24c879874767526c5b6b2d22212f4bb8898811f731e78b001ae052c47d832cbd8678314cc313fb6b9966bcde9b1ce15b92f0597d58b15d91e31f221b2f1d6354e49de2a7a58d58f361fd647fc29dca3b5da3c6449c52cfc5b87bb4843cefb1052eb68478b51c1689128be434f0d34b511cbb1e84b8b211a9ff1aeba55185291ed5395d4ca5b966dcb7fbff432b931f6766a9b37d341d5f83d2969f49fb857913fd094ee9153e905fd3a000825f4c9d591cae9e1fa33abf94663fab49e460f1344cae1e6804f2a53108cb0f29bbc0f6a075688d987d6cf7ca3851008fd82c35589ec90e3902cb1ed0513555e303b91022a0454948aa7d866dfb4b97fdf6798be4c742276d99f685370a910fc2be7b289a44573785e09ad0a207940ea859befffd95cc97069777e3dd0506261a8edb94ab25deabd371bf0e8dbd5f035a753871faa5352cddfa90496dc3985ffbca1b31290e7eb460c20920126bb8ca9304e3553b3748a8f5df0a8977ab994728fbb540e073cc3f0805b5df288000831d8061c06d416f458a2547ff4e6036de1181cd1d42af41615ba4e16d6f7aef1cb34060722212ff561275bc4974f00948f542a5e06bf40b8572df1d8d68ba0608dcb027f8f11c0b93e65b2de9a16fe115ea940cd904e11b2fbb7c0e6729076657372c134ee6fe8e0fa6f9c2ec12bde36e4625212a472d1501051016814791e7a2fefbfca68589865f0837a32b1201c32291054bf7187e03cde3add7a3398aebe76672e4f8ad81a9eabec9fefabbb62c1d73adc3ef58a68775f516a99f54a75a7a7b530dffca82d2b222c993b785a1a7b6f7accb584ae25abe1517d70a69fa2df2c77e4e0755e187f60bc824658b8d88dafbc240abeec3493fdadd6a1a94680e5db4bc1862c758a519021c0121789f4cdf1e2a71cd536daaec9e4b72e9e25d9251fd3ee511f1e081f906d90dd4df5cef6edf411aabcfd5d933e2653581f1f0a49d85d503ab0f1288743a8ef5969fe4ae3af9affb7905ac3a904ca86cd7e8cc5b96677fbd2bbe3e3e67d564e2db1f14f6a982da3b7ab590a1fb43c44956ceb95d2d59db9e3517506c0e1643a07664f7a279f23b9945c32427960242e7478141ad1d1701f68033b69c7bd2d64318bbf48a05a32779956e161f42682bc1c9330cb6abf5afd31c8e11a4b078b03579e099fd3d8e347330a01fdc2b5ca05001a2d139a5bd7128a02f9d19b8581bad0e14faf9f0a132a6d85bbd291de696a8c67d2f8c3134aac24e41bb5a4fd742c1371f9a8e18ec9050b398a604888ab12a8edec792974456ac6c62989a78d72e84e0bd7aad9e1c08601e2070a4f2bb1009104088278263c2a645d3187edf12fcfebd3d8b37dd893b25e41edb518089e06e1e26a077bbcb6b7068ca74e1c4b59497ab481faa7d18349d0fdaff9f8a0cb6c242560e31a9f9e34c6d8da4e6b471000dce46d80252700fbbfa3922d5deed33d109206af07f3a2a348a61cec80df1302c98b7625797a113eb0b714ee647f7d13d6c10225bc121b6666083fc15b63c2b07e487167b0cd116ca2a399322b9c08f418d1bd83cfc397adaf8ba267ed4630fcb62037603caaaf968312e335afd663fced69900e25073963b5459f597d7e7e581647c994d0fdef88a1ae4c9214f6680e215ee6a15097bea901b467b5827522e68b020768e8a340faee75ecd46af90ae38eedadb6d751c5a1fc5ffb866a0cadf85949dd9631344a46e95091c5859ac7d0783153be8fc89a1adfd4cc3f453ac8b11d6bd637f95e63d28c3c665517000288e7a08ea71a7ac0d569ee05cf8a6631a9ba1af456d00fb049f1c3366e8d929b6820fbefb65883773bacb1cb1a7105dd2ca60edde95fa2f35a34a369c5f04b65e08156502f8cf176e4f9939afb6bbacdabc5c8116dbde9b6d212bf125f7697a8571d69de443d4d86f4be17a959148fd6105a674ce523f37c2c09e1ce1cc71274a475ca3b0931adca1899bf7baaf2dc3a9488adb13068577ed2ba96a7937fff3a9aeb461234532afb215083c89799a0fac0ad2afeba7a33def1b302b12a6a4d7a2201b915a2c3bfb5cbfce746885aecb3dbc4de9c4dc1ea7c3326b7318c65d3763a5f2b42a0a97be06e2a040636c2fac7db4272d9354d59cda5546a3415c8f04c709e0ae4ffac3ec82999b5c50ee28ae85193be4a6888db01c1b770f854fa3b66c2adc29c6c7c0d3a15a7224b235fbc61863bf9af6d8eeb35d67d9966e3220f0bbf0e101558a61559f9e6dbf286114a94e0950350f7010f3a46e1a98c939b3727f1d125ab2c0c5c1d7cabec0d7ea68697843c8ae9036c3d48469850440748e7cce6a2601654d8c597c5d226cd4ffbda153e2fecf0b58343eb7acfaeaee02970f011568ad26e4383bee5daf95802f742b0b8e35dadc20164979dc4eab6f333a29412916baecd7d11e18d7d566a9f709a4931433919514c735639dedf1df65ebde8a14555ecc254fa4e3179c611af0ae32c8c8129c0139e9904821c76971b2d2b08e839281429cc0b02cf5abc1fb78aead7d772a672cda2ec38b69f858a3007ed6d773e417521b94e7cfd21b3f76361a833bf0c8a58cda1c753236538e7d1be278cdab78fb73f36280615aa49d8ab1deac1292be4480fb609e7e6364c300a8613d37c8024aa6a72c1e4a334e77817f9cde0e10cc57b7c3bbca50f40e15b9a1042efb7802c404186e479f5f7636ab50d261473f5804a75f6cb1fcb693cecbe9a61bb9695801c7ca6f927e40e6aa91a9af71cb5d967f79057f955d0a4ed58ce999f9acd21c1a1ea10885956b46e44ca830ab2ee7add50d2c1fa3dea6f4c7331b1e53fbefc7e424aff178ceff95a8910d39952704ef7855419d3cc08c7205990af447e18d3945d133e99ba5506e50e31bb28ebb51337e38e5dabfdb6d20be68a04050dd9918748368d58b8349ee60de41dbbc83255db8e360c3581a3b5523f5c36d7e293eb4e2b014982367e286c6faacc8503cf4d91c4049804ce5a7fde5fa19c6a5b5f330fe3f44d7f33809bfc5b13956f64663acb8c324673829c132d3c73525f8f8ea3a832f88975d14c318c05bb5672c82bb02f9acf2dbcbaf68e5e478dc519e522840bd8f08b50c506a75bc2fd092e415199e5771d8ce03f088e9bfd4551c2e8eedb859303ed757601bdb16bff543123d7570ac50d2858cff2a7f9758cb24ff0554f9131299758c010113d9b6f0bc7246fabec33c58dea925b9ea73ab381c4aaa8fb2165c9d7d8b8a701202250d360fc617580565e78d5367e3fbcd841d4503a7c20c20560a03e397b0d3cab57254d365112aad995a9e3919614bcdc6ca2055d0d87429ee3305a67fa69c6024a3f636464bcab62c99a4d0453f5bf879cd5d46e3cf761bb91109bd328169f95e98b7442cd05a5dd86e18536d205262c620002e7a3a8afed4681c271a34f0b909d1c861f9c18fc76d3bfdd993785185dc3e2e34d7fba686ed0f733d16540670a657786421007cc1a8ff97236fb53d8664911dcaac2754350eade708374ef06b2f61232a3f5b45701cfc09284b6e3184c7c4143e9a304984c4bf1a14ec75511af82b2c6c3e6d5990728f4b724294dfefc35d1c75db9efc769dabfb5cfa0c548c2d5aa9e798410f2b2bdc32da95c945aeebbf06e2d1e22176b66e7d22bebed83875b4c863eb55a7194c75bde29a8c7816e5c3c650c32cf54f5d9ac35d38bf19ecdb005f476ab050d96b7b7fc622f1ac357b28fbd7c38f81abfa06355a30b3803f042c4c08a8274daf0183c0e52a634fd299aee994dd3554edb6adf99bad5b9130b491ec9353c7f36e5fa7c026627f68f67c775fe190aeb43febf56f55bc1a4f5c22948e5b29a117f6d06d4c68e51449f08a6d0d2e67520ebc0670e2df3d2f7aeebfbb87643e58d0176965d600d97a22c7a0556a2c0479de64f8b4492dfb542e8d3a3ef096f99d39e677a07ac97dc259d9f759b98e947f1ae8a9278b9bdcb8510fb06641218f79f67e4f5baffbe5d3cc38e1498938c5509a3f69f32392f660e005943ed14458529e82593bfb6c4d3e463103aab3cdc8d468c9a2c201bee3ae663f0792460d4b71e031a83c33f9172332b514f74b09c72cd6ad76e906fa4644f3c142b128c1ff2b84e79377599d4e2c71145c492ff3dab44793b905675895fe3df544fe725ea5f7d2fe3854d7030ce91957fad4f7bd7bd7f1d1a1654e3fcd0edf9daa72bd962d6b64d0d990d5a4850802b9297feb622aafccc107ea2a8eea4f0da89941b12a0ec1bfd72a2ed44fff9f82411ecfe9f19eb957b48f859ce045da233c9968b763ed94413ba0f68ddca65cea0abb6873c892902416f5eadd911d8442f0316fbdea9f1140b3e8305afb510a3ec590ce20fd58d3bf051c2663e74ae64eeb9a1463c8841ac0b72b732b7ef127f5a7d9a87d6b8491e753317350d7d1ae593e6c2006f23b2274db58ee344453c38e299c141821ac47e88ddd93893df56baf501fcedee34ac657f279a9c39cc38", 0x2000, &(0x7f0000006000)={&(0x7f0000002780)={0x50, 0x0, 0xf48, {0x7, 0x2d, 0xfffffff7, 0x10820000, 0x9, 0xa42, 0x7e, 0x1, 0x0, 0x0, 0x2}}, &(0x7f0000002800)={0x18, 0x0, 0x200, {0x5}}, &(0x7f0000002840)={0x18, 0x0, 0x3ff, {0x1}}, &(0x7f0000002880)={0x18, 0xffffffffffffffda, 0x7, {0xc6a}}, &(0x7f00000028c0)={0x18, 0x0, 0x3}, &(0x7f0000002980)={0x28, 0x0, 0xfffffffffffffff8, {{0x1ff, 0x6, 0x2, r13}}}, &(0x7f00000029c0)={0x60, 0x0, 0xf, {{0x0, 0x4, 0xb0e, 0x1, 0x6, 0x7, 0x40b4, 0x2594}}}, &(0x7f0000002a40)={0x18, 0x0, 0x75aeeeb5, {0xc}}, &(0x7f0000002a80)={0x11, 0x0, 0xc0000000000, {'\x00'}}, &(0x7f0000002ac0)={0x20, 0x0, 0x4, {0x0, 0x5}}, &(0x7f0000002e40)={0x78, 0x0, 0x6, {0x8, 0x8, 0x0, {0x0, 0xa2, 0x101, 0x279, 0x6, 0x4, 0x6, 0x6, 0x580, 0x8000, 0x8, r14, r15, 0x2, 0x2}}}, &(0x7f0000003040)={0x90, 0x0, 0x4, {0x4, 0x3, 0x1, 0x9, 0x0, 0x0, {0x6, 0xf84, 0xffff, 0x9, 0x6, 0x7, 0x4f, 0x8e, 0x8, 0xa000, 0x401, r17, r18, 0x0, 0x3674}}}, &(0x7f0000003100)={0x88, 0xffffffffffffffda, 0x7fffffffffffffff, [{0x3, 0x7, 0x1, 0x4, '\x00'}, {0x1, 0x5, 0x1, 0xfffffffc, '\x00'}, {0x6, 0x5, 0x0, 0x98}, {0x0, 0x8, 0x1, 0x1000, '['}]}, &(0x7f00000054c0)={0x648, 0x0, 0x1, [{{0x0, 0x3, 0x9, 0x5, 0xa, 0x2, {0x1, 0x9, 0x1, 0x7fff, 0x4, 0x1, 0x6, 0x7, 0x3, 0xc000, 0x3, r19, r20, 0x71a5, 0x5}}, {0x3, 0x911, 0x9, 0x7, '(--]!}}.:'}}, {{0x5, 0x1, 0x2, 0xffffffffffffffff, 0x8, 0x1, {0x5, 0x10, 0xf91, 0x7, 0x0, 0x7, 0x4, 0x4a, 0x6, 0x6000, 0x9, r21, r22, 0x6, 0x5}}, {0x0, 0x2, 0x0, 0x401}}, {{0x0, 0x3, 0x0, 0x401, 0x4, 0x3ff, {0x1, 0x1, 0xbc, 0x7, 0x8, 0x7, 0xffff, 0x6, 0x7f, 0x8000, 0x1, 0xee01, r23, 0x233d, 0x4}}, {0x3, 0x6, 0x5, 0x7, 'syz0\x00'}}, {{0x2, 0x2, 0x7, 0x80, 0x4, 0xdb, {0x3, 0x3, 0x7fff, 0x9, 0x0, 0xa8, 0x1000, 0x1f3, 0xfff0, 0x6000, 0x4, r24, r26, 0xccb2, 0x9}}, {0x6, 0x2, 0x6, 0x7, '\x01\x01\x01\x01\x01\x01'}}, {{0x4, 0x1, 0x100000000, 0x5, 0x0, 0x6, {0x1, 0x401, 0x1, 0x2, 0xf, 0x5, 0x100, 0x3, 0x0, 0x2000, 0x0, r27, r28, 0x7, 0x8}}, {0x4, 0x3, 0x6, 0xffff, '\x01\x01\x01\x01\x01\x01'}}, {{0x6, 0x2, 0x6, 0x9, 0x2, 0x2, {0x1, 0xb51, 0x7fffffff, 0x5, 0x8b89, 0x2800, 0x800, 0x6, 0x4, 0x8000, 0x3, r29, r30, 0x80, 0x3}}, {0x0, 0x6, 0x0, 0xef}}, {{0x2, 0x1, 0x5, 0xfff, 0x582, 0x15, {0x2, 0xbb, 0x7, 0x52a, 0x1, 0x5, 0x98, 0x5, 0x3, 0x5000, 0x6, r31, r32, 0x6, 0xffff}}, {0x6, 0x3ff, 0x2, 0x8, '*&'}}, {{0x2, 0x2, 0x3ff, 0x3, 0x2, 0xfffffff8, {0x3, 0x8a, 0x5, 0x8, 0x1, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xc000, 0x8000, r33, r34, 0x5c5, 0x8d0d}}, {0x6, 0xd, 0x6, 0xffffffff, 'wlan1\x00'}}, {{0x6, 0x1, 0x5, 0xee, 0x8, 0x4, {0x1, 0x200, 0x80000000, 0xb81c, 0x7ff, 0x400, 0x122, 0x400, 0x689f, 0xa000, 0xfffffffc, r35, r36, 0x1000, 0x1}}, {0x4, 0x9, 0x6, 0xfffffffa, 'wlan1\x00'}}, {{0x1, 0x1, 0x6, 0x0, 0xf, 0x80000001, {0x0, 0xb8f, 0x57c, 0x8, 0x600, 0x4c44, 0xc833, 0x5, 0x3, 0xa000, 0xfffffff9, r37, r38, 0x6, 0x2}}, {0x3, 0x4, 0x6, 0x3, ':-)@\\['}}]}, &(0x7f0000005d40)={0xa0, 0x0, 0x1, {{0x2, 0x3, 0x100000000, 0x8, 0x5, 0x9, {0x2, 0x7fffffffffffffff, 0x2, 0x7f, 0x7ff, 0x4, 0x0, 0x2, 0x1, 0x2000, 0x7ff, r39, r40, 0x4, 0x8}}, {0x0, 0xd}}}, &(0x7f0000005e00)={0x20, 0x0, 0x10000, {0x9, 0x0, 0x1, 0xfffffffd}}, &(0x7f0000005ec0)={0x130, 0xfffffffffffffffe, 0x1000, {0x6, 0x3, 0x0, '\x00', {0x1, 0xc6d, 0xfffffffffffffffc, 0x8000, 0x0, r41, 0x1000, '\x00', 0x0, 0x7, 0x3, 0x4, {0xa, 0x7}, {0x1, 0x905a}, {0x8, 0x81}, {0x8, 0x2}, 0x10001, 0x7ff, 0x1, 0xffffffff}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f00000060c0), r12) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x50db, &(0x7f0000006100)={0x0, 0x45f9, 0x1000, 0x0, 0xd3, 0x0, r12}, &(0x7f0000006180)=0x0, &(0x7f00000061c0)) r43 = syz_io_uring_complete(r42) r44 = syz_io_uring_setup(0x539f, &(0x7f0000006200)={0x0, 0x25a5, 0x0, 0x2, 0x2b0, 0x0, r43}, &(0x7f0000006280), &(0x7f00000062c0)=0x0) r46 = io_uring_register$IORING_REGISTER_PERSONALITY(r44, 0x9, 0x0, 0x0) syz_io_uring_submit(r42, r45, &(0x7f0000006380)=@IORING_OP_SYMLINKAT={0x26, 0x0, 0x0, r43, &(0x7f0000006300)='./file0\x00', &(0x7f0000006340)='./file0\x00', 0x0, 0x0, 0x0, {0x0, r46}}) syz_kfuzztest_run(&(0x7f00000063c0)='SEG6\x00', &(0x7f0000006400)="8fc7c6d56396ba64559a2bfe12e1779d161166213ee3df8a88660735dadbfa0ee93d2bbf113a5d2f840414bb6a835c8b4664c16258d80aca5d75c4b0f7b9f481b32b056b2500cd38d5f745b2ca6f423c76ecb54c20df71f37e74a7c331e0867f", 0x60, &(0x7f0000006480)="26f86b73ccfe1577a8270fee84cb897698118d2edf06c754c8202386c681cc227fba179b5b9f4aa7b4574a9b1faa900d6db4338134c1988fa60dff908f1ed3f1d861e66fd378f4b75be0769db4b8875930df50ca44c3dde09f6112e7244a77991c9a813f74c0a8fb0a759dd430a1e46be99ade077227a164f6b567c0cbd3b2456c859d3295f82785295b18801aa57559a9190e85ac6205b4a0eec96417782d9a7e0afa0e3d274c00cfa118008b09a9f246051a7f0b9bce54acf1306b6463b474316fa9e8ed41cd670d09818621ed25ed037dfc6e1c5b4f196937b251d422ac00c3012556c45a9e1ee642f5cd2c2965178e24fb30c312a85f9db81cb084141203a2e5ecf64e03f1215f23ef654dd5e96b9001a8019db4e1361d0d275e4faedb83a4c6421575e98f8d7f68718a694f37796f04343f5774d6b76f3d503de622877febe827ae51a2b04b54714e4a512408a48f20e54831fa366670962cc5a6312a69baa14f4451b8abd6113fdbfec90a327b13300bc5743f171d4df0353063c8213905b5ea8e1239f6e4e5d45f8f2f7ee5209560532a091fcc584f0924ae02d756cec52f040e749a6277fbef1f9aca8df92ba05b02a0c1bcaf84b8d7b5d873815804b3c945bb81e759d3ce76cfd69432ee9c20ee168940f3ee98d1ae88247b3907a555751588528c6fbce8fd6ff9f446b331621be104fbc250882406a28594f3fec9ad498950cbef10ba41155632c1ea3551e6816f755c5538cbfd5931d9a37894faa6ed302d06b26f4cb97a986dc21111335bae909f8b399a874774ea24b66fba5d7a3d3d09369c26a026b279c62a9c6fa85f5ddca523f966e22cdaf18663a0c02f9cfa94b2474672de8e7f85b09130a8c37a47d02e4a180d73f635c5a180952db2362acb6665bee7cb74988c54daf3d58fed39371f50abc89cf1e564efae0370be817bd027a2fdd62839c6a7d9678a3087ae16fa48d1517a01d90ed743e5412615c5229b776169b8b9f956ace67a58ec419f91d1b8e3224c4f8836379aa947785a21bd20ab82677817f3ea2ea2caf193b1bf63fbc2eb574010abb261867121e1313b5d2a1e2c48c2202a3c072e8f3ee545cfc8c994ec9a44bcab7180ba95755e67c1906a5db72abc46d57ee053c6c8659878a25c4c8855cbd8836ccb6d8f6f12d434810555f9295880ca3d42164d1c864982756d001cdffcc3594362fddb3da0118d4b532aa9141ac6051b3f3e5b4c0b503045fb3166297c90ecb5ded55f6db34d89bd5d4518daa68ddb68c02ff1b80f9cb66a6a23db3b765608c4d672766273c17715e788c200f71c0e402fb513b6a8ffde67c40122d86347be658c4d0b91f4ea29fd5a4c017c288c41b40ca04e17bd3945d0e80fb7798706aa2e870fae9b91f1f7891fe4f1da063124e8c567198f670dbb75e82aca4fc0c8211899317920c058e1c371705d4dcf3c00cb4d2c136a4d828d3efeebdbdbcc7bf7df157bb0e743980f14844a7b466d12337a4815ed84117f56d719ab50a6c28ef55da35c8cce6eba0e8d2bafd9f812b4d5f265c0b442a075ef168500174ab27c876dc2d6094ce534920bc639f02c993dd8b07524e8118e8793fdc1b080e1e0181f36f4e2b7f047b23e607301e3d675360a8423a1e670a00ffb1a5ce87fb262ed01c58d779fab1589d9f374a0c001dc9c09828b000fe50ad21e53ba0a8129e223f7ffc79355d4e544fa731a0b4795b7f1c644161d7db3546f32f92ca5650eef1fc206568d367bcaf46411374dce9e44fb9e36836203842a7f2a2ea96f90ba76f81688d7746b8a4de9888b9d8a27a177f98ec9f100bcaaa76e6edc0c42c2d84fa84ad70e326e397f13a428b660559495c6d2a4c68fd49c29e229e0cd676cc895f6496a15f15c65de333d77839b13c9beb57823006d4d1f7f2d1e095016061a08be673779d7e29574dcd21934b248da6adcb98e9c5114ef92b4fd5b9fb3d334e945af586b0b9a47785017fe5a78da3d28b6960089bbab1c89bf549badfb57afaff8a3d6f1b310f945d590016f5612d7332c2a43dcda9326f498fe47f4907fbdc436df6c7f663daff7971d717e641f9cefe83f373e23e06125168af6a58134c425a3a7a519758a3100de2c8f3e447f0b9bcb87833647454518805ecf34128944f44cc075a9f9c47645a29412b66c7087d78539463deb2a138a2c504d8dbf638be8355e1a17fc92b094d16bc9280dbfea65905d56785d4a2b73c5e38c386dd9dd9a40f559b3742b658d216b49c5bf4173fab9de0ed22f81c3739aa925a14dead392e0ce12557a8e0d7861f1907aad63d6560889b4638c422f17021ad105108e155562bbce0a4c395787a1c881a61bf941461dc0f76d5890acc7cf2730a9ab1e9ccb1d133a5c158a19d7974d7f4a86f46a6485eb0896a6f6b06e35eb160187a0c453ba99ed1ae627785a87a3c581e4bd19fb9de755916877cc378b94df22fe4600b40f1e341af51427136377fdf88958aafb3028ca4600e62b40fcf88878bef7e1f89d9114fad5f25bcef274d370f51466e1fecf4b75b8dfcf4863f64f1d389553abce8500da93bf1058849f6b58d5541a7daf7a753895b0e71fc7ca986e8d1cae092897b3e3aed9141fd8d61bda060b1dd8397678bbb7f855e4b84f15b95579b86c1142b5823db9ceacfb2646b0c8ef61cc21a9bf121124367ce73dfdd23d85b37fa0e098e7d1c6c242bc2ad0315ba423db2806825ddee8623ab18196e913e48f379088d6e9cabe6fe00446aaccbc74dd52444114a7a9350946f6a19d9651a1fc29cbbd64e0783b6b8d414e20c84a610aa00d49363e2fd5b92c57e343785518a65faaf652612baff01c4e89ef57fc3b6eb64b0fa8efc5119de768ff25f9503807a29e06197d56f92b01d0fd68de8a952a0e23e16def8efbe7f3cc396963efb2d99cc16b4eb2b368d76666d574b33cd5843bea05c323baf4e427e27a45ec8d9a7abe245493eac3c6b1c54b5609ddee99b77991abcefb29f3f1957ea70a2e634b006a99ae1f72802d3df879ca068129dd503ea55780a1ad5043fbfd48b3061353d7972b3cc1bca5c1b907e8b0660a9128ea44dcf758f531fd3a872649633e0a383f63d082baf688447684a5fa46552b86de49159e5a056b8d3109892ae7f8b69006bd2056978e35b7ad6b38861c4af927f705b38020f123a8536da7125431565fb76d5cdb548277875c5bf5d9895f71965fc31fa264abf2d876bf447f339a7699068cca856bbe79dee93434e749abedba9c8d8ea79dc073076860ece6ffef7f4ee9e5a810fb541706566e9691bb4d2109ad768417fcb72a7f9f62fb45f772f93d8994591e1fb837e208489ee073ce443795aae6ee9b94d1ef06adbdd4cec7d4d091550aa5a6a3ee84c1e3095118ff42c92dff39e524d8524f75a1eec8e73f167c881fc3a6311360bea9c89b68a1895b2ed18711a074566c8ce180d1801ff327403212db90db06ce461d135d42236a49281179da493d71efde292ed3bbb39ccee3f3ef8bcb2197bf3a392d2fd0dbafe8185d2866e068a8b26b3495a8355959d0ada698e54c67f2b8e5ea10987844afd67a3bdf73de39326adac10edc8bc29c4300ceef4cf58c2e6961b87b05ef4bf00e53ec4acede2d15f38325dfd6d17d9a4deae4684af38816fbde94a9af0daf4a508aeef62fde4f2b29d033ad51da091066c768586cd77928661a9ceeecea9cf4ae67f3d5a3010ee4cad4c97047c3d9c3064cda34b0006cf18dfdf0d7ab25b3585cffdeb5367894349fd5788e1d73b507b21b66ee6a8897d74129b6dc76637b24149bb7722486c9ec0845e68c43e0552f23d5ecf5dca58b381d1d512dd6da5d0d8cdfbac3bea98b04fac0db9bbb687086b54993aa28fabbbe9e2dd7a2f9da3ddd791f2299470c6ccfe802353776e3d7ee03c0af8864289c0d6a6b731c450e40eb81baf1838f3d4199eff36c1159fbb64ee815de0c612ed5c276e05e670823e0ed232149e48ea6fbf8bb9b6a42a5ece8018015110da1656c63cda1ee5d66f21b77c244f097e86be5abbe4f4c3cbc043e05aa08f74bd28360c6b2862c2987db397ba7c68b88fad1826b00ddd9e06d2084138db5f4be5b0fbf88c3b309fd57906fc77ea3da69db4dc0e0f9f65eddbeab1432a746e586c632ccac3bf5440f20d8c1d6115f92ea06663fc157e08cb1216dd674619e301190443e01ce108d846cb6ae9a66b97fd2e477395d2724cb0e01a5a132dd1e34c468644d7989bca3e5edd368b350e248cc8f4dd20d0e14cec66ae019535a013ee53f7920cd8e92cbd0a0176d321dd447c129d97e09994beb449d6502672bb3cdcd136a4410e00d06ca537d650077f98fb8559f9fc5a19f0f3222bcc0afd11611d5b0b03eba32f5c89a12819cd019dd3d77ed0a0d1ecf01369792bf4beb2569dcd5e3505e9e90a95fe4b500b3157fe5e76a290bb5cba1749408b449777d7b75b6d77e87ffecccb859dfd0b81193677a00c29c8825b30be893e0cfd52bbcb2620c255c6364bbbe8e9f0dea6df565bc963c1464155df57d6ea396e92ae8279e7ab7ffc17f8ea6dcf4cf799bbe6284dc5573d4139e2908d69880d4484679b5e641ee30d25069c75a18fb7734b5fefe31bcd46a3dfd99ed4f024bc158a2db1acfb6d1b35527241336c4f04529e5052def1173636b09652812741e0eb1f547900809ca2366b5119c26eb79c21ffa728f46e5768c779f6f3ed1bba8c232c4041b4a0aa4b7b2105e3ef37842080c5f9a39cff3b058e11c8026bd682d3f7ee96fa090c966a2a08a17788a421e7ca6d3abcda616ec6c1325ea4e91fcbab9e06b4f9c2b5df14998ffce2cac00db9d2c95379b9fc55a447e797fbb8837faffccb8ba91a87887a12808ebf254fa45fad2ea4dee01a2f9f490410e220a0bcb5b1229729f6db3e10f97c5dc107ca9972a7123a68fee2902b2d044ea8f84b6d43c9920d1ef3ad113cee3d326ecbce096d865b80df759c0aac97e923062bdb8f5ba2249e7a54417429a9d09aad4e293116b991978ec7a61a1d71995e97cf4c37512b2ff5a67cb202304a8a90b34399ff98ac45f8fad4a87dbae9aa01239c0f2f97a67c12d50ad7aaadff0c418f9fa75a196959b7854fd92d73404851d6c53c13eace926b3f43b0ed8f0d101ea0eb88839cd57eb1c8c75d88a907b1e93b1c47586bbe1a83bd68074e300d75736ca5b98c70e36456cc696ba1646e938c46fccbb32fe5aed4509b2b09a0af5bc34b2b050d20d806988d46fe6f075ab3627bbf48b92d8b91ed67257de78dd44efe09fcb6aef805cc53ef285551e0b1a4d917d8411b24c74e9a02205a4018039cf31b647dd95a5f5aab3396a3a93b057088632d450c065ae9175c05a65e5062de24eeff15cc6e02718aea43b812ba7b0fbff2743862afa968241166631606256a83bc570c43c11d0148436bd3ff436a2d1b2e1ccba7441d03e1576ef38b7adfe04676d52bc692d2f66bf5f0c82e5e7dd89b268fb4536fa3870b5470acf462d5b2999543044066892ef54a306ae7244f9372afc83d696eac29e7c24963ffbf1468dbbba9d3d37a6b6543781bcf7005a9f46960786045afad33a61b6d13a72c8574777b7e80ec43f5df42614fc62097c2775e3f11add8f50f6ef09199dd68990ffc3aeb1fd120738ac65ec7d88444a8b022f3d719c8623cfecab626950779fb70ae87a3d7d5faedfe2ab843fe75fe980f9b98ab9ee42dc625db03c5cb1f1dbbbb943fbdb2d1a4a9350fb7f7662545a76483c0459fabcb8d8099ab81c581d90c36c8c0b7bd0dab09c1e3c12304069e431a74037bf7c4501d632a204be07d10ed809c9be6fc16293d9f9de366e36990236402f67242647768c77170c04764e1d82f0875d94fc0cb1d013b15d2fa9aba65fc245a68e17a656b968ec5620c429b31aee046b639b7c615b49524cc7ab71ee969158c67bad96b89f67e3a4e5fc67d6f11fb840907d279af0954b8f5e49a96e774d74b4ca7926bbad6511e96123d552db7d11839c7a53abe73c137c7ff1286704af9375722784cee8e0e73b6cf26c4521e339f9980a63955a155872f82466bd89efcf5846f9b05e09cc27b436ef8269df3c2d6b3b0ac04f5ccbe684ac43a26687f1e0fef066bff304b2266ed754da319e6528dbd0c3ea3d159e488d3d727628ab10fd0a908c82272485be5e17d442e91e01d8f77f9c12ebf680e5db6ef99b8166e190fc93c082c7416b6e9e90d31ca030188e1e5881ec279da425bb4885a1f6cd7ef0aea01a2607485255c8c4610a0efc08fd0b175254b827ceed23145fb86055eca1e6381e10be319a5ec83b00631fec9af8c5193716c4e8062642b067e24eb47bd1213bd6b321d2614a93992d8fd6caa1e6c9e40e808f4d9cb9b5ef1095194c12a80d0673113d6d85b83712beed19ad916a4e12b05e2a843c1869f864f2c7e56879407f9d645d6895760e4432962f15d066874055bdefbbfef33cb199f9ff90541f1f86199910464cd5002282cc32664aa092fc026ef8a0699ea4f71c9f6634cea39a7857e7b929c000b2ddb4112e32948b3b88f03b610ad00afd4677bec2e3d78c91e6c2787449a6bd418d60d5573aa9dc6b29ae0a15173debe501e42d93e96d1de719153ac531375d4214651664635a896b7e7bcbc225856585092d453bb63d40bd875d532aeac9d3ab2ae56e90691faa10a79ab1eab710d0cdffd5029a601c021deb60ada33bff122bb8ff85653f3bd9661d4888843584bf7a3c45d4ef980f4775e18b653af739f3d97919c3b008507e0ca983d46c87bfd180e384ad83aa0658e5fba968fe9168e1fd665f3be4e79da80abea73754f2b324d557eda10d7d8a84310167106a54cde7545f87ebd47da1d8bb99dac4814d59c854f14aead0e2f9bf13b980d157d887a50a966362c0496dc73ca4dbec42cf8133f9d644729a1e02ecd134384e442d328441edc9e09dff1143c79ba611d4402f2b698530c75c491ba8ccd2e9a10fc73eabc33adc16ccf91249eeaa03524f647ac49ab48a8dc275606419f801a3f048e4e47c5a4b17633c8e35c05a994849abd0a542a5c666d472fa1b3ed02962f35526ae61a11c7533b2ee3b5a9ed8884b4861bb5ab159f552e32fea79814450d0d78b4c83dc4654d1f7961a5ec735438c09e45c07393279199ca937b62ab9410607e6880d8047a49a1ea3cc711d126d5005b8aa916548aeef5fb9bee4e071c90ab63d46be03e6c46bae6453694082f65e070e82d765f5a038e725afdf2eaa1732060591db13df6497624c47d2c318ab5694f1f19e6f892b4728c2ae47d9093955d74690772b6d73876b85892c27f1280a42206e36dae7c871f11e30cae135b7582015304dec51632da7e9ada4cf41e1427965e2a3e0d9424a9a9cacc14592bd7b10652ca24fc6b9c056009ced0a3362adc053e22af3180efa3bc8201b82d20d91f0681133a27a1da17e4e6545ecdb3f7a31400cb046cfaf5fa0d0d55470d99eb983a5a4cfc0c7be58ac6d9b69f54d0776553c1055b122820a0f3854a2bc1a5f2e55dc9087eda7c3e33947b9df51dca3f916d7b387e283e104b620c1b8d2cbb5a95017e46391eaaeee2b3820dc2d69f6fe8e75b88304d7d55d7bf6d934f4a5bcee97fae8fcf029a5a8886531586203179ff2d7867460c0620f9dba32437b2c173cbe75ee57fdaa6d13e5d1cc6cee105e2b09fc1be865cd7bf112f0b68a93385c7dd72a75cebdc6bb4512cadacaa4a6b604b1e96a2298d622452766fd6725a198bac91e70790742998bb862d8519d32d48cfd435e03e7c261d7c242d2d026587890df4594cff4d4b60d0b7f90bcc293a74dc11bd2976369d667bc261b382e8eeb06b8dc04468c5c9ca971e9be8057c22902334740585a4d8933b91187936a993d505b39b96aa1c885be9944f8ae3b04640afefb1e354e537c35dd54868a09b3cff920c53855a358b693f2f17b60905a16fd0b0b7295bd873c921d15b2a1207e39cd89dbf895c958a8cdf49655a06a3831c6d2f402222e6a424252c01b5b12a3091e857ae506bb045a81b2692c5055e87c1cf5680754a0ac99cccca3b6addeb71b14694fba1fcf29382a556559f60c8a96638b5a01dbc35dfea26ac2a90975bbd8bd0a42c57e01fc6e84926e39c080d0f72dabbabddf023289c24d66a9b25ad687abd38ebb8a715b4acd5c4b6ff9c24e62bbb04e7b6fb6bc45a72c3c4972f279ebc863f169bee8c6977e516acbeb7910d0646c9b80e41fcea737451eab0413143e396760ea8f1f130de03356ff91c7cc46fea33d64ad83b0c2c187ba607a8149955573102ec1b06bf5fa84439a7266482e003a2c757f2453b75764c846eb392f1499a3afdb325d7be0e9ffb97ea7ef28f58f099a31aab74b63b705483811bbc96787a2637cefcaf14d7c890b9f6c37b69c20f63901c7899c0811a27421fe1b0a92cc34d9cc993e4e9ac404ec80e316d4b6a98922d3bef7a586b4202e9a4e9bc9782e5e7456f204690687089b1a0c0d8c5bca9590b7253f640b0c3fc5b1b4ec970db5a29a12ba8970456f941ad398c2b80290a7ef762057ec4c5cbd13d603321ecb3ae6261d3836720258720706ed18a87e9db2cd1301950a0bbee54ed2f08c12ca9a83dc158726b95a5f991e704837e7a13c7dc663d15281ead022062625e93f5d2643380c588139bece401876220e2997567045a7912b87d3b2219f7cc800524fe7dd3e7202dbc0fc294122499dae623147e1e3083580e6af9afb864de9412c7850c9c305d3723c0afcfcfef6741520d46582c199ca4346262ad10f96a82007afbce52f8fa4204030fb031ed4b25831089dd8a66e89207be1b8dab68ea0624fa2408582b79c17a0727a4a75cf0487cd904b236096845c47ab584724f72cb016abe1457a9672299ae6be756b15079d69b4021eaaeeb267233c12134ac7b14fddcd6ce0620e45499016a1c21709e38dc9825794e701e19635156d1a1b107ba9f16688e0774c15fd048e9e2d1e0f52c0833f765440bc18b9b07ca8c543d1cb1fbe9375ca3850d42d9d4e471b9100e8744cfb0d74bea8c315c7e1ea0a898a689bfaf2fa48d9049058c205241cec8bf5d9d1b7bb825d2292d182f74248ec275cb2ed9c99a8cc7228498ec6e3f0fa1814b6882a1b8d2d70898335fe92b75c7978beab754775b0834a363940aa6e6b82fdf04e07e9e95baeb3f8d89794c449090de16ccbab4db3d9cb040065e071595e7dc957dfacdbb62c6ee87a5878c283878aceee5432af9f506075a9c33564e6912fe34c37a11b4641200e32ab8832976930112f36e8dcea432c0101e841fe932edd860687568eb32105ead04437d05c65a5ac06f7e0cbeada054a9dbd1d0835281d0804bcfb19979d8b790810cd63ded2fceacd38e21067fb4688ff1f10c298db9484214f3b644159a8c179f90b5af19432074086e13492f7de36172053f11176a3111998a4c85cdb999a6481ea73efdc1708a36b3b9898e4484c2be19160b8355e435429195f0c9ec5a9335ee9e9161f025413ae6e549a86f2c241033eab2d7f88a15501e68c1d42aed109eb614aea34834f3f35e5275c5e8a73f401d8b70de6b87013b4ad8e55e959b2b49a6067be42a0aa41a7a86fe0899eabf3775477b9f79caaa253d6f4486994a69cd49445fb8fb13692091dd0aaeb62603f2eaea6064ac2621acd0e8e4b7363a7e2b9c2f88d34902d28460cd8455038a65d4b8fad9f61ed723c521b41626f364cf6f604420062d834b3e50175af09c7255fc7863978e56f659ed0578cfe196369c511325b8a4a2a72518d309d7386a339d71bbc2264d422fb89971ac935738e144b843a6f028d1f9477a2781c1471d89d2902ae0882419d9b4719c07c55b09ef9c9d3a7d43283541dd7c9f452b0e1cb62f77b797be9ff934e5021232dfc5e9cb9a42c0ec736961a8293504ac091ad9a71d72e084ed5e00d5406fbb84249ef2f0c6b364ac5de6999a50cad5d79017d32e879978a5a7fd3f828d45d34d6df690dd3a9862eb1f031b64720eac98777939fcde74643ffc7f87f003e7cf3797f5de33af8d3f2f7b0142c2f2ec61bc2681778640cc32a1c570bfde70dd421c305b439b3fed60e13342a30dbc76f01ba92c2e5e0102b5bebd33045256b550148b7d018f9d0e8f91da3a9f79f9c86ad41cf2b1b64520710c68967d030f9a71be3bf7871737e0eeb1988098128f3696305a33bbd2bd1698d6f982095235173bb10b99febe1aef7658ddb7e2c6bd4292a27779b399d19d9963fafc607756c122d35ab59a2445c03d56b101c06d3d43155b524db94b4d9f81d203ddaa8341b3818a69b2a47fef2c1a1f72bede8b0bf41935127923b5beefc9703fa3cacedce260d6917c72765466380a17a81270bd643b1cf5dd22c4ed7e7325c3078d30b490677e6c92664a8b849902d334b47bf3623a34fd709d1d83cd18affde688440e4db5570abc1ca2cff6d2be95ef7b53e8fb543024da35f2d2a524dc80bd1d5d22f9e644a23266981b5a470567a8566d82f8925ab34193057287f8fff68650b126dab15f9b533d2fe1e15ff9efa1a95f87706806134f71fcfbf0dbb8b7a767cbe7a0eabc575da88b321d6ab8ed27054490952e86b1a80c44ba83430de734be4ca3c2bb62841db05feaf4b352089da3859039cb0a0bc4e927a6019263a4032178f6beffa8b28b2efdf39146820ad5d6e20d694542d1873c87101a0ca2339c88830ca80bde901c58c042f95d0c9874f5984b7c278bd4ae2291ee1c0de6aa10ed0772df970ad2df98bd17be6af68f24bfb665b94c7089464983bd6c097650e409f4ebaee66ed3e07153d0e86966868770d90ed415456eeddaa44c38ac7aabc571f8a9bc38c236c5a7709b459043ef9c119f5bdf925dbddc2f351c7f8a4384efa86a5542202a5081854292b1b763f1495953ad8886d7d102d98dfc1483156a9f701a2cd98ca86156eaa1da5cd20f0b5ab52442e7cc83d885abb98df7cc27fbe1795c09e0a9ba03b327a9533a152d3876aea8051e96d86535c3f5705bf11be885a0b31011f806f192ec210894c32ae43c15b0bf9cef59ec6e6dec149c78400404381c09392a40ecd03547668672ea5a165345c5af4a735843b63a5dec5d5808f8fc5c696e5f82416ed278621b72bee86a7e2a4a982af9588c1ae65ca9806ed429b80169f743a6233dc628afd78b8c352f7f15f904e408e807a620439a58a91a51565dcb6faab6b1d1643f0a7442c422ce463f6cd4c92e9f598a94ff1e6b535b6cdcc62fc34e0ee02426bac9b5826d88396b9bcc8f872d9aedaf090fab51a55a898d57a152ef9183fdb59974ded32904e5f369058119b1729759bd570f3952bc18a7e81e292c6ec63f2db703c50d33d0425efc449c4b6cfba6c8aa314c2a1ba39937d582b67e222ba265b5d6c055d0cd81e5282388281b56738fd811d45d7ad25c080d61aa5946a794e9a0097f4555670948c8b127cfdbe8e924ffdab9845a1f085307088101de9108a3a13f013e65f5ac7e8c8634785b472a967889f47f16c219e374d94a40dd74778a0e77932b9b34ab1bb57aaf3a253d6fc4d642bc89bf28bdb27bcdf4e3742540c7f919a0a6e11e1fe9a1d9f2fb8f54e473424b086afcd50fc5c90ef3efac0e3816a2435a04ea880b23428f7c33c74529a7e426d33be341923e574ab2fe5b0e0c317fe17911e83ccb628c3bb6984e8f5e91f1d221597eee76de9d154e4340772a17e502e74318fecda7f3b7a076ea4af5743a369e18922378aca43e64b69bfe80e95b5be8b02b54fcfcd56e098e4f34f52061da69e5c0703dac0201b030897231255a34e3e358c587704ae52e3e21cc534e6797d5974146d05552b95ae1c39f10927829efd6ccc0bdb068259f597714650e240d202d26eba65f9e9e8e4b69fe335b9f0d4d1f6352d7da9311c8a42d3bd2639eaaefe33f9f6cb714ee94e026f572b73b5cb596d3d58bf3782b18784bc7db7b15d57708afea1a6c530029753cfe376cd56dbdc74357532a105129ed3828191e734bd3c8d914300c8d39d31266f50b5257bba25f6112b0a8375c2ebbd662b42c851a4a123c3993293dfbd66d5a2fe39dac6624e57c4d34b63b71ee7ce2aa01bf16f36e4a9e75cb93d7b6f5af670e61a03defb8fb90cb8f147933b58251899d99e906bd8e0ab4d2549e284d9b124cea9ea530ad82eaa66396b1831b61a310cbfe7c696e46af616d6f8e74019cf460ea0a423c9509678395cca9ef04b7ed6a57cac3c4540b7a560893331e93c175198a1ae4f45300eab8c0de8326b69991ed8e0b6d736ab7e1cf5ae53c4d6b0f5bc225726d0de0354a38d835684cae60d9002a6281e4e10fa5ec2882fc093cf709546b7caa2713dcfe5c5896f2877884cc6784afe6d9ecd4896d3ad7f36aa20761bfb2278616776efd742fe5773c73f85fc6b9d195043551781ec53c762c4fa2d1172aad4625b13b304c2334f320f765c24ea335e8a4c111ca8c12fdb53f518a7b2ac0a402610858c2a9990e1343faccf490b645d7011b9c4d2309e65f2c2210905dcb1d8b621895cad6176e8054c09c2a70eeec70d69a2c71617500bc0fd65bd8dd38b0f163ac77356d1961173eeafbd7e9d52440e045272ce0303a0b1ea5a0a66e53b316ac848f607742ddf13cace2f67a39ebe54eda13812854d2d03357300bd302e8305166b37d693fa5ca6a7b9cdbaf008d1a32a5218c1a9e3afec32e720ff9a2a29c71bbadd0639c90b89b52a40b7e528f79da543ac8a4abf73570c2e272ffb323bd23e950276137dde9cc0edf43441340c275f9a6fe6a3b44d41c2c9afdc28df53e4aab1926f4124d578ea48b6aac924082cd2e61154ab876451ca62453f9ab88a3967c14791da6335eef2c99b2843943ffe629d16d02a62637f66651c1ffe30e0179608cbf0ddb31428de80873548a4027c57444cf5e0f556a66c21abc0e0e8b42a5bc0669a617b072aa8cc905da8c4fb46fae4afcf100e1281cee420a399a1313f9dbe5f2bbf4b97dc0a0f72a43f83cc9c43a8f4442dbe1064ed7bf2fe108ef2c82d1b4b9e4cf1665eba50a50d7d18f41ae980624ead8ce19dbf77ffdc5b952c9bf3c1cb511e7482a038b0bec67b46666f08d35f3d906dfaf4c6cc7bd85893773dceb4ee399733f1dfc1a64d0010b209717dbdb1f8246742b54db5a9168c6705eb2bb33efd6afa381828cf5ab28351fda1f5a51055f871e469475bddfd6294c67a6aa2cbd6de1ab0dcd91728be8a98252807af581b3e5a99df0f68e4974bbcf5a674527559ce82d52abfeb6288bd1881246dae8ab743a516d8220b92fae01d065d8f0b490f292f27651dc94596f33e72013c776828c93dcffd424f7e3d68e9eb0bcb870e495ff242512d9d2e2b08f61143f9629190c9243d5afd13154e55183aed269f5655bb16c35c6daf2200ecd89b5b6bf43263ee57b164c477dd79988d2e2fe15cd733e4beffd04d7cf69c2f9fa331ee668fcf55be256cfa4317a301acb12fb7fedbd46b6f81c4c3f6341f7717e865de06c67487c4372653c2647d2e94b71fddb59444f3810ee96e1b70991e5d0b2f3d4375e7e019e76b0048cef4dcac18185bd2ac4a1e04fb99938812c3265a326cbe172c15965172bd0b014724f0c66b64be09266c991df65acc039c26cb57e35440e438190e1cc397f46fc88a6711fd2cd5001ecbdb191e0121d9b65c1ee849d943a05ff4968e81f2c86308e04e7e78dac38309438bfe2cc1c6de78c1d1a7e74ea8e25739abc371a8b74abd2c5ce80ea84bc5526f44dd4c1bda85495ef3589491327295364b11bd2f7e197003e9a102f71cd18e93dff681593054d5863e93d32913902ce741f740ceb56d20903d60df41ef4d914e1aec9a2f7c6de85727ce49f4d7ab4209927bd46e40b6f445ae69df15812aa51266ee22f176f8cfe19522aea1a0400342d1d41fcd616df8cb2f4bf8fff00994935c62b91f1cbe0e493b431b20ecbb0f3cb719f9c1660f606a569e970120ac50c34987303463580157d6fa38e92270014ad4dbd244107519298ed0420f087ee2a3134734ec674e214bdb64b2f2d1e556173dc082665cffd618f1e562b37c0e773d0f476a5b09f121937873a67f891c9f479d25dd3b2aab75c37ec64d5ca01e3c26bb81ee309419d27b45de0c7b56d57c96145ab66e276d7f297bf9b5249c7c82bf667277daf8c4af64425ca33e6f85fa58d1aef3c4a9ae913d6f299e9fb021d98cd983486d6ce39928864fa3d9a380de5a725846984392bc3d6f61bb70942e01fd1f55d8411e63b7e11d4ac54a09b38d936a1852e6695372686ec45290fd7773e800d0a56c4a570a276ad27ce6657fd9ea5281cfb463346210f6ec72d31ec78f7bac38debcb79a2fd8823f037507e621d88780ae83f6c7d530ec8e1a159eb7b4f4cce2c5405f800f388699ff80527d66c3bcfab234343643fdf7f47d0ec57d30741b385a16ee6fc2fd72245120caa8240d8f8104755d50151259e4d76589af883864947faa3ec7d1411b621b8d41d9374a427f19e29f5ca4398c420ae27b74a058b0325cd748ddca9d11c5d3f9c5fc70184de8653f3d01a4fde2ba3667c278c88557fd6fbaa3227063e457774781085a854f4b2cffb82910f61095f7ee9ef6ef2238bf74211d8cf1af9504f3eee229644d0fdc85565b8e66a0832041e21c98466c89ec72823b3edab0fb42ed65202a5eb5df409f5bda6ae748884a146b34f6cef3d6edb14c224b8b8ade40e04a7f61d021f680a71f72ace0de41625484a0adf988c6aa71257cc6a96b539a2fba55a2f986c9ebaf26ae574c3e837f98f08ae710c226761acff343807e40131469c9d5b9e78e14fac0264fda199b0a2571cd1b6c6e95c0b668ce5fa8ec0c91cdfad58afa5c1336d8901f57f05f115e71240c237c4a91776b8131c1a7809e3f35dcc8d28bde183398b8d61ef6bb8274784f083d3a8060b7436e315f941d71883abf8361bf66aa3538996519e6ee2a31b41865bd2f16063e7cc0198aa555d41c114ec41a8c047cee2e9b8e9cb56ca94b28906b64e9cbbf86b77d1b0bf2a8fc265eb06716f1181a7db11b31cc7b49d99ae19e86fab6383928ae0b3f73936e972b23b8ec1251404c1c85f4dfde89fbec9ab07578815ef077cfc2c6822a8efd2807ac5d382e4064a01890da79ef2e182fa52a2d31c98bf9566f58fa7eb87fb610ff66fe7063d16344f62b7d035653776ab3e63331585066206dd1b25b56275c589f802d57eff3f4ee4344ac30a38f947b26a76cb18a7fc63fd87738102e8f76f911dec4a172e7394544aca0b774be9f741b4dfa5af846a71773498727991b69e0d39542f72d4bc901642da1bf4771ee0149eec36f0c9924fa2adf7660365a015145bff5f19c07729520211c1cbec43298dffe8dc365733d37d8c67679593ac7327c45ee8ddc7d36b324c6f47fbf08d563328e21282f9c48158a37543ea13060a151e163a7e1800684652866344f69a3048f1ac1aedc348900c03ea380d08d1effe089939eddce6eccfc251d54e9ca111d69e9c9f67f9bca50129bcb19539f2a5a1d0a4b58907e6b3af5ca326465000701246b9af43e57a750f5424dc98fe032b84bfd6695017a47e6c88c445f3b3469beac2420da5177ba9e5f69c073d90fe22fabe1fd0eaa1049b2eefe258f5d6c13f6920268abb2350db060139fe338f2ffb2898517d014e0d5bc123370d602b3b7730544635e649be08ab7cdfb0067337e80ce43c34e6a68ad5bd3baffce51966c5fc369cb196ee799e901a153ddc43e6271cebbc75f4e438c70cf919d957015bc3caacc4d2bc75cdeeef793f75314dc7a5e9ef21182e895467e4d249c6e24905a9255694721d6f78745002642f1daa53ec015dededc3be0b1782e5ccd3f363d376a2870f4f888a88ef4837a41284792c6387c1a51e0e797b648012ecc98959c79c43cbb91460ec9b793e90009a6f7d4983324dd58ad457ea3c4d6e9212b528acdcc68c076e8f4f2f116a88e0f6eee395c716b0a5c4e1bb518d32e3ae2b0a1f13f875ad912c79aa467b80ae87cdd0e147d135c9072cc7d157903dbde16f536af5db399bdb670207a00428dc58fc6fd5e0b56f4339c5352588924ce64fd9f8ffcafa4273af44dce30a785d20bcb2d5ec8907e3e870b3e00a82ddd95a159c79c63b37ebfc916bfa6f65bffb956b936b0daf590d1edc47b76915e431b98523ec402ddc34c61621d1c0c90715dc385d3c926e1a0514b5be429488da7661c4200b50c3e1dbfa2a1445078188a3ea4d62679fd6fb3af16fed076be5bb3bb78f900311cf5f9c69d42817c30ac407f566c6ec8f53ecba6a06272c6154d1dbc5035590f9bd9284ee68b34e2cf7f6303796af1b9718aad56fc5f53b662beee3cc6e3f839ff57c65a3501dbe9e6052a6efa54354fcb4c5c92a631a34505de5d833c4de2de1615a27ef785b02325666e4529a7a6d66867a8b10052b8ea6760c8cfd224cbfa671cb87a140deecb0cf6e98d8fd7d7ae722c5b8625499f5e17e39684f79b289a71be2380a733bd730e588df0358491ba9c163d03d6992a9f7bb26d332a2dbbe9684efbd5354b2816571b16101798ba724282ac070fb0cc86c967632b5c91d66a3586a5091c64c9cbc2328e48b9f9073f187d0cd98601f087dce8e71bdb39463b36391980fd41c52c54ad5246b2cb0dddab7a94ecd8202b17c3aef9641cc491fe23879334edc139694d5a4d43fe4210fe4d5cee062dc3c7159447adc0d0b9a02ef1dbb31e4bf5e7fb445742687def2b8a0038d4e0ac15e9729f2e07593b92e9d2c98f891723ec406cfd99c85e8de345b776493a7fd6a5cb2fc6ea3c586755f931a335d06927e847aadc7d0957de40120557d887c3d76329a3e3df2424703f79c9edf9873598ece443c5d0ed7f01d5aa3c18841bb3f273b1d3ed11346b072bbb41184faffbb946b9a49fbe3f32c3f02a1af5bf422e71899d80a07cea7a0eb628b722e7aae7fc5d7efd2e4e3a6ff78af09efbb4c52d155b6572f89fc82fa281956af3963cd5ef45a7e6e2dca23ed512ea2031c60b074479b8578b97c9eb99f19010ba6fc7f54ef63d37a7340cbde9f08db8e0c3d9de8fd1ea82f6f4c06986fff71c3d6b1c91a771143f2d1e865296f6339e9da58bc91c1b6ba657f812bb627d214880f9ff72232d92191ee0ae5dc6a95bdf109436297a95b355b91b551993e6f2e1909e97210b0b879aae2aedb6c3580e6bbb518ccdc87a9ea969cabad03bd779125c1d33bdc4b24c0fa90d4e1f78a58f44154a8c2d673c32e92222532acde4b3c052bb031238a397d6395c575d13ad0124a9c000af4e71312105688e12568feb9236ae3a563c6054aa768a097952e5659ae37d6dd0319bbb96e0c5d3310a1f25615c1e356c61d2ce73ca8690fdb4333c32803099136f1ae523984f10cc6b91fc536f2c9c41526c900f73a1a8e0835363d3936776d6a61b7c069f0b60684fc05bc33e85cdf643599dacb4843d7a638d3e109a4a44a39297f8f128153a628cdd3269d8b725890be248c053a93ec586705acdc314e6d8924e4455c81845ca2257a87e67a3c923eab3fe00b0075e545ba4e5403d7fa5c5e4d2201be25ceabd6f648700466f6fd7c2b076e300ac3337bf66617a4b30fedfd2ad24ec3db0678ab1627758d49f61af1aa7a83083ea80e00d139c2a0a8c3bd9b804d25dc176b5beb20ddea55a79292797951c0e9f0fc06d526994426abe7111b96503378a9baf79b8cbae53946bb206bd15de8066cd44d406b45c3de677d228e012a6bc85fff297286f745481302b525928be85e2d882d3bd96abf112b15b0dcaf0ec308b5d1bb697ac0b85bb3e4e72342518aa55d97b57f23f5e567803b3e251a9cb964c7cb4dffcf9f831a6d61f34e93a7edbcdcb540f7476fe6330e4be6902c339d3571d94d8b61780153c8a0a34cecf86ec8ad4d52fbbb00f8841408259f5d435f5f57171e55353c022ac5a104d36f8114e3a68ae81b4a20225a5d2388cf32e56cddb136795b5e0aee2734ba2220c64c743cdeb0e2d330d4187ed0ac8db44cdfd624bd90314c600f42cc9a2ad46e53f9e8188ae2c7817c1789af6e647f2a2363e85d959dffb44cc7cf0609d7b36c30674ad45d8ba281f4710c49d20991943f0ff00a3b9f812b8ba75aef8e98a0bcb77e9e018dc5c05452a931e1482df7ac48b4ac4ed70ead862a828e19f4c07976e1e9a63bb95d66e9cfd47ee03290e7f0eefbbf870280b857718a1bb75ad7014b4201c961cdc7a6813382b786240ea8f4ece5e162bdd97bfa170ca6d90cc2511d592d3ac7400fd182b1aeb137db361b14f4ad626f7ea3d25ef16744e0e0e36c5b29381ea7933ecd47292635a6cf1fda3e52ee93a6375ca3a5ee60cdadcca5b446e3beeaa761ad8ed0510ad72f75a23357150ba8f5c12b63084dc8ca82bb62eb38f43ceae6aaa2d5fb8ac4132ac6e679118055b81dd736c9cdc9fc1bf0966bd09a218193f310c909e61a647c8215f7c4ee3e8f3b25eac636c8a96a0e464ffd0b4c1ec2082eb2399052554e47f3a34c3420f9ed5aa56cd9b0f1224cfed973eaa770fe099e9d3aedd3d42f6eb93a0115dc1fc715624ff6b0f8f3a4b51db5ab630cc95ec7021c6b4fd123ad355873247d550265bdca2960e74a3d8888cada88e9343b70d5340eeadb155564c62dc1eebdaf002c2c35e0990b695c536a0a752cc2695d668f52b00724230654d6dec51c1f0876e7e29cd662e12e8ce6bc40a318c25e6de630ab705b7843fb15c4a3dbf9a335d07a70f46c70bf28f058625eafc018ef105f83c4564324171e19464cde9ae0f2388c438c41fdb8f81b278cfed8cbcbb9d8a2a5496ea8cf4203edec4669142f2b037f9e5f55298a2467f1088ba13c48188b3ab2cc09d6cd9967acc1e8def2cdb1482bf4e6c5bef3760061a81ad22e77aa882ad1f5d598345b3d18bbec6d4df314cad4e667242b2a9210abfe74b301c4721c8711f9cfdba932ed74a10effcf3cf73bc94ed13dabec7b6ccb0814e71bd52a1c7103bf47ef214b9cd6ca6a12f880857cf01d141b1d88513fe7f2e02282582480f9c257ef4e0ff52920c25a3d0604b3485916065540bf8b9480608e29ac2d5a5a78b1546aae0972620f9e3264a1b1b73b43c7935959d7726b07bc9da0ae4ac08f0db548446c5241ea9f19aa29d5db2de3cdb1e3430a157308855e273dc1f74c1b609aeb2f70bb0021315d33bde8a60a1cc7465b70bb5c652074bb9a030ed8761ec25a35c102b86a8562c827f1536faf2d96e3a88d3549d5e7306754a431de06a58506db917894eef0d484c2e1c897993aede2ffcd0c51f2252924ac82d91e8d364c78d987fd3510bc7518709aaad6a2b0abb237d4860271ec5772f74eecca7915fdd16d93674c4ec0bb130bc8235ff613f9dba91c21a0227dd9d5a3ee0d9ff183868eba5ef8e16c80ae913ce1386e77fba65c125ea036f399de4e88059012de120f5b2271a511d338c9d8e3b297012fc00842dab541e846faeada68cb5dd5fd380087c68e246f2ce721258e7c5e5d4aecab33a5d15fd5be9554998ec6ec4f3884632071ea772d1bc7ef5423435cda7e240e0d715e00af37e6dd81f04c804703e04d62c6a6f90f478ae5189783b634b8f08fb6c6b6703ba8c2f7b167f81a328ffea16b39fba14c67ef2d7d45ef85240682f90148c94a60b0168dc35d9ebd82704be02741988c4e65e0016f9dc0b204220cc49bde0302219d01c500c9acd2c351dd6367cc1e922f7a1ebe4051ea1cae12950ae4a72c86ed5cb078d5f52a4fddd820f5efa141508cdd3b29c642e1d1126ad669fdb2e5899b02087f23443ea5ba8aff0d901bfdf7e314684add3e4732974ea750e098ce5e207eae30eecfff87c11da0c3b79ac9e69d751dc544fd615bd352ed552492e406859f04ea015800d472ee34bf0322e3e144feef67bed694dbaf8781aa7985b2a9f2c19c386d7dcf60b734f6e562682f67730147751fe6a1fe477257a7e0bc107e6b6a4f4782c935de86c3b6a5d80b2318c21637dc91eb4dd348265db094ae44012454ed4d54bb17e6c14f772de430c9844a91f163b1814634b79f47923ba80ce4f17eeaabab729ca92812e4670a6cd0bb7ca70fd9fd021d1c81e0f8c11bf501687816aa7602f483b8134397abd6761fc175ee21353bb7bdc1e908c603e5bcbd9352a1f65fd6491c006e58a74f4375b01a9a578710efbdff05586b26b13574a20079cf7beb322c2b01bbad4c78be74001aacf129c13cb6f34f8de5077c7cd3bc6a090b5ef37922fb015d66e97c1f739bd573064d9616e2807f4c6e9490d151c31ad4eedd2defb466a7a9b196eccceb3ac48d2b9b751c2014c080774d49c027ba17ae7dec21edeb4477fb8f82df7e6ee07fab528b74c5ff178329636eea4bb95af8c7676ad15b68d78d0bdc998e228f15712cec3441609807e264f55d74af423168bc216f73640e018d3897ecba58d2910c2c8c6403333f38d15218a2ab2dc0dd0c644faec131e51c5fac7092540b07964dc0674427cbf279b7ce964ca8f4afc080718c6be492da65303224e8ed558e490c0932b365fda70b20226b2d432d5687d1b7ac1c97ea9c90b26735ce9e7d5406d18a887dbc3d1c38c91450a8212feb0aed675d69ffb666f6c127aeeaf72dbe343947443515365af41d6c23c0d73ef4fd26d77b8560ea45983afa4b7c34bccf59a63f4d29ba6c26f6fde6410277759b496b433b6c7a350bb7d5de314b04d49a0e479ccc43211f5f3727dae8e4a7625275661eb03c9cccd6d39a716e12720d2f9aaff7a6cf29a7e03487049d771313d5291832b914a1bf3ff8bf276beacfdccea9b46a03a68f6a160c590f904fcd7669510c767bc3e6cc690dbf9518ce7ab640d9af22ac1c30ac8fb864760a2127024f18caa2bda498e2d3e94b0745b420d9be240b1272f02d65d90f1ccf89c7248562634a7ae3ee5ee89a50334316c227a00e020488b7761999f7a912a35ff6da837ebc8ee8250e80b0c0d44c1cbbfc8ea73fac70cb988295b76428dfc9edb2c0b3db5186db4da41b6e526b52660373145cef0f977e6e9c751ee95af0a610fcb1a95edfc365bb285bd68738a2ab22c9c0fb75a5e65c6cfc9931285b35bae5adc7d881041742ebbfbc540a50848eb454f42afe27e87c5c56438f5d46200905fee3c3c04a6f8ec4d4aede1e97ee48ab7a340e5e99b643ce2e30d1c400893664a5bae786d658324625846aae9df7d8826fbe2c56d8fc5f01e099e5d3fc371303f30a24014991069d7d7799840cc4311f8853b627b035a6e6ff1530eac65e4064ba53631b16e03c81e6643b776647b4ac341ff7266e8fd6eef7119e116ba25be5b1efe88d0a76442788b7feb647459335b3f1e229cc7ce62c5cca833a8892d25964e13e67b02dfd377d15601c946b04b2db184efce76ac99eb391b269728dcd8356906ad4c0c7439af67701bfabb22664af7a05a0305a5be36765780f505cf35353e9bbf6631d43b66ca2f027e982e495ecdb761cca4b5b87f0e6174817bcb85f9b83e928250f53f1bd30991798306b753abbb32d7689bca88f30d5c51c7e2f5b22ffdf47b9ece1a048633c89a9eeba81697a44e5de6314756734d391c668d0cd39d210a1bcf7ac8b9ebd60b96e6d9535760039beb13147c5b72567de0b1151b822ac28ef3fe2eecb88ae4539a9edca3b2497221ccf70e3d301507a37c075d7f479aa795822e50baac5b38aabc100bb1a606830c22c3d1250682537b71acd4fc46cb640fae47f2a8ac53fae7c758fd8968a3e9f5272d290ed64e2fe7f3963e4cbd7607ab247625ea7fd9c2c02acb5a48fbb069e7cd9498eb9a4806eaac24f122d4f32e8b22f188f5a7418364c4b6d08efe20b2958673ea5c65c14172907b360a76690b6d7939598ff936f4872aa8dc02b63e872f8bfa36de066dc29e4183e515826d41a82e0ec34d50455c80e67b7a0f91c1e65753e0659de39799b97cf64c46849420b490d115ec421bb4f3426452d35b154d0388a2943f2df1e0aa6d96773942949c0742e30061c748543ffbc43cccbfc30fac29573b11cfc6a7245b2e0526fe60c2e086501b719676bff083fa90847b295f1524481e6fc34bb8776d2e404be2494797a5322ca9fd801b9447b5becd81812edf1209b5629aff62a64cac5e492f9ed49a642af548741905a64c6ee1018dbde86e9421e4145b98bbd87b4f8ab567f9383a8e32d710761a336b5f06584c62f215cb53f1544dc250752bedf2db67dd11062e986647622ebcc30bb941c764bbfb58d9e325d344c8155d8bb00680116cbcecd33b0033e6467688bc5963e9300c23c844aed4cdfac4a7c55186b6b1b04d2c804d88271bcb68139a1751aa40aa143bf5ec59468a94fba390366e0de94b8c9aa7cf537ee2b0133683592e744ecae4fec7746fddae8855d5a5a507deb9eefbbcb78a4af7723f97038e42c247d61cbea2af1fc6b79772e4e4b0dc56100763219c347ae49f11d85a99574f5e468298abe5e533abbaaf881c53fdfc465dd041f7440f22de41f66eec7f53fc45284f1192a1c0a1927268255d7cbc82ada9ee289c35536b9ce4db916f934277e9870030bcea055afe6057dd93ca95a51834029e18c601c412469901a1bc373c84eb7c430ac7072e5bc1751db05da3b6a1f78d85dac2a67d4f080f521e8bd687570a4f7cc2d6a4ba68d4ebcd2f4c6135e14b86bd233bafeb3536c9743c470b8a075745afd000c207c07384818da9862a9388b5b6131fa86f26b2d583cbef2bbbde4b10a08a13c933c98a5de81ed6d4c4dd1489d13825a6f682322bfeceb1568c2082ed4bafe2130b6aaf9556d630bc0a380f8e5ab0de573ff1dba4da8e99d7f240a9e462796ea0bc1d79df3ec93b44c5e6d580c42d48ed2717ac1b77d17093f8c182298f0406f1387a1952c53494a3af2b4a4f4e71558146f1ade4ff9b1c6c3f7d3d2d6a52fb4b78b3bb549edc280bb0a62ad2e2790482ab8d2b0a555dae5fdd5ad601842047a513cdc8a83401036284e9e335ace2df626b585009e936b603ef2583f91b43c3313b9e341c6bead96451d6e2c0b675fa1032ec40e562e863b7c13b3998e8af390702dc8a838cc5b172f97de3be22c0d72e5b6d07d5b23d50b43f6b5bec70b26cf98c94f9f69e98287bdbc25f5d7c5c76e70533fd70a35fa7932e28c64496f4006954ca4f2cefa69402dc42d2323b78302f9c32867bfe6971480eb578baa396a6cbb0857b709f7e1fcf46002af470fd213df33aff29f3754d957339349f64c2f4bc5d05c534704c76159ad67a70254cbc913b30ec58eac9c2d666f701660df0207448fe8920c8e34bf8c35084a14f0686762f17c593af38347769f728c27ec85e372d653db326a85baaa53a2b17f9c82f698354c33695b35400a8ad39f4c84ea281f4dec1756666f338b19914ac9551962ece1f79c58bff2d514dd9d6127da07b550f93441e782d7d08d0f53ed7b1aeb1fd1a49768b2548fcedf7e5fa27c8e9c705891ce2248610e1075637f9e0c73359e94994a44b15296eafd3e511db1f53003050d91fcb9fefc1dc7479ae8467d2a4ec9f8b93c36936b11e0a348781033b3b38f00fb60709a8f09bdc966a2fcec23f15f1625bfe3b8fa9daad9110ca7e84c654077e97e848ca49117287c306d88a69ea3e9030c40222a302361dc3c620075fc7fbebc6422f1b86cd0e76865b17ec475f6524a363ae61bb3e396c34e71abda64393a8f7035dea7cf95e3e77edefc6b5864fda81b485973c536b2764bb1c00b968e39da7896a2957032bf2fc87651dd0e973a2c2c01183d233b6efc77efe909c0ee2897318a2b30addf777acb98c812327e33a9d997c278c5b63a6f7c2f7f854c5cbe2f2aa8c29ab81d7db1aa609a84c325ed926cc5b3c14d12cd93014238a6594887db01036ee8dc085b5a5c8511964331d90be82b302a78218ad129634a0d9a7c8290f20881aa9ab9cedf2aa41da6996a6f7e56945595d2f073783dbe23abbcbaaea59f997630a849c0dee8d27f56ccc8804ee3a48ef5d783939cb59fad8f3beb48dbd206b96248045084fff3f5137fcf98267c5aca0649482873029f2beb7f7e5e09543e2cd31013e6461a5e43cfb9a7d93d2eb78aa80ef3392dedbafe383128c150ef201fbadd629e6988907d891f599cff591532dffbefa2d590a77869118e8fcc28ba45d7c96843a9016858507cb26a71d2250d62b73d420392a81ebb9518c20edc442d7d231958ebef08a2761d8198f18875ee02a532e10cfe2f4ac2940101f4f8d324f75c56b4085c666bab933b402423c0f633fdb995cc72269cc6f73c761af37af310b77775685c345e59ef3f03fb434688507a1909614bb9408e0f3b3881c6b792761b36600184a0f3b24055f4f366e230613dd6aaee90ee02826bda6a8cf8e2a09cbd1f2e7bd332b9ec49249485126571db52eb4cd89533a7a89270cb089706d9c3c402bedb6ffec31d4a95a41dfd0d28ba8de934f2ee02aaa900218157c1ab5c2bcf377f698b66519cdc1a2bcd91114a5fee3f4edadb991679f8ce1601125acd9fa0e34818971f7bfe6f73d8b6070ec5f9bb502b921abd42bc89b741dab7b0dcdd089b24b0d29f13772082b0ed5735b7e2a3e59fa49daf044904475c01883b0b5e456462a9735ffc4959ce2d2e0601005832bb433bf845702c89bbd281ae5f019413752461654a48cf352ad64fb2b5e3c8c6e1e6e197dbb9aaa69d5e2ea415d1406df7cab3c1e63e03b3ecdd95578a88ef88d8d97153cd475d0ac82105f6c5cb1c698920f763a28455c434e642a8291d28be47e047ef1d404458dbc5868da4000c8521ba677cb2ea4112f1ff11acfcacacc4478aec9983aa8fc7f93b33b7734dd1045ec82dc56d5967619070750c40a123bf62c4250938f59d7824e5fdd45a8382544ec43ecec0bc963990e4825bec5116e7d9565aa7b30aeb7cbd7d2ce423e1d60d919635e05e7d0c6462e470924268ebd031c9027bd0d744afe1e3a00d76e08555425f28351b281392a146b526cb0b073df83a0350fbb91dd7e99a55d84bd8d9b0766454a440a5eceee43da4b6bbc1b8d16578c70973f5edd80739b283d02316d22fddc5fa4a41d72c4f8ee694822886735ef4c8e31ca8d214c5e1d6788c71d5364ce135d7cf68da884aec54c6ed09c8c60f55a32e00797b823a5fd9cdab39c49033a03c7c4d772f836cc718cd06048a259e830610bd40e98c4b83b5d94f62b7d324590f8d9d45ead5bceca225e7d47bb7af3d590bd7efb531cc1d7967acdd6e32dddea757b3254ec21caa08534625e67d9117697276795f0704a98b9925a0251996b4c6496ac0457120cb7a2a1cde6fcf428484388b078d2de5caa62bee6e28134fab5478dd7db35ecbaf84c157c6dec4941d2ab15b8520e1b8a2690ff45aabfa8600c112ccfa2881a09f9164ae359439ec088f11e70d2f9420cee5658388ca53f6265b561cfb167098e480e84bc2c6fc71c47b650e83561e88511711afd06deae6086818ef5602a031f3e7d788e4a4908978e97b47ebf2965adc9aa3c8811d3dfa60bafd76cfbea6687a028fb16400a68725380835e81dbce18b7b2eae567271e05254ec5ec0f4c659d0eb40522efb90bca5bcccd4ea40b2f6b2e367f1044e04e8a6a0fb802da3fa181ec59274d59ba62315cdc498078e1a879337ac6352bb0837f8842c5cb78c50f626468845c2746c94735e49e3ea984ebc5472ed77edd2be976059e191f2792dae6ac6f6cd021d8ad774a48d7e6ae5d844c983df44ea1b1d98d2ebfb7de1ceb1d64afe45510b328540d0a8841db866d60ecd83b546844335d021f8ed9ee3619288a15127ce7f690c1d08923c2d619af85438f207d8d118094b9a09869d1225f7553d77d22cb70e6624e95963d1fd2dec4a97cc23b052952b04ee1d2a2134cad6c40f834675815282a6b17a3ef354a7b5d01b0de2a2c84620844d1f825a0d146d4bc82ffd4734c9c166a935618530d5bab8205977b237653881e27d7c35af729baf4b89d071b9da5d5a9bc4a174fbbfde49e1ec60dc3965df566f920b3bb79aeae1a0604da0ed78599b3e19416d3633d7d4bbff85fafda5a8b5a400eb8fdeb0552b5e8a6ac1f3a581fbe06c31d14734453b17c273c42b44fb697ecc67a2bd3cf2825d2cc9f53b57bc3502455274cce8c35b61d413f58624d93a172a1354632987a178f79093b65385ba546a83f52c11575d3ecd3f95f682a8b761817fa9d0b066a7d8fa59ceb795bc26765b550bce03de99ce3d7c3cd8a18476f60c265dfa7ece8bdbfc7a69548c8123840ff42750c8fba5a96516df4fd548a90207972a09c530aa610359a569b4b7f4ffb21e05b02b9cbe52e9dfcdb51fbfc9dec214c797e117ae9007d25c66d7eeb16b6dc5582845cd6849ff42519ee7c4ce05893b7123a218584c619dd4eceffcf49e67d7e359747c765ccf1e94135f68abf02a7812520c9db8cffc51b4e69e524e6270d5d5d091a7181ec67b7f10088e28acebec5f85414c6400ba37496fc168113733646f30d7c495b9f9801ca0339fb4b92ea21a011deee9a1ea29e669e2b94c88511dfdeca1e5ec24666f8e7664fae61445fc766e49bfb224259a41b3815a1d5bfeffea8fa905203ba84f33e9d53e8f1261c936da7fda2998039e777f5df2652f7a19dec4d08d9c0f91330ebc8a5ca32c719ee798e3519cf6d13386384be2514b3e34f8b5022979ac68ec2acd730041fe765f303ba780da36351696dc2b44992342a411e5742baf7ac3c824f191dcdcce858efa130f09ccfb8064d3b4119e7638447c8018e97233663f04561b1d643a1410c1e4f7b6c044965a16436de4c611e151bfa8f81cc4ce0237be991a2f1034cbdea685486c30f291ef3825496d5319ed5e60e81f638b3e40619670bf3f27c7a3327f2c0a1bb964f5f7aa6d94f9deddde0a8be85dd8f2aae927d5179c02a86d4d73d0ecae31dd44769f386323f860db52462743aab384d78497f9b586aefad8e9b3a1ad17823b525cf5ad7a9ba60a30d464e6862faddb3bfdbbf9149c4898098f32ce8d085c820683a034e9623234b11da066cb08e040805a36673a08e10353d2bad805b92bb9f263f63793b079a976ad43821d340a414f17a261ef4860923a954990ae90b3fff7abf53d1ca172c560dcc2bcdfc30ea4b332026fa4a90cca908dcf6e86555983e346bfd47e1ac30253ec321672009465133e7617db631dbe94e3f619478a0fcb54c5d484257108e07b928136cecb15c47ae1e440c71d0e2b689328cf848a27cbd7afee367360ac33b63f8b25c89076821634148bcdccfda5cef8461cedf4eb81b2a74aeccbb5ee510ade1349b17e5549ec0ae20e486bb2110dc74ea5ac84f7178581cbe15986feb0220c4e22d274dc27e55bed125dbe2b5ab35f868ee7a41e877d2627a263075585106a9d20ab2eee48b66cf32eab5e5d2858f70a16d504c8a264a5e4782abb630e5f42c2a567bebe4be5aab32a2168ef08bbe8667a5c8d1e23e942a629d14d4ac5b1a4bf28658f1e4fff98ef03e9970e25e1e27bba55b324ab9b946598a7f09b5e05ceb2c823987ec3305c22ea91e11b14f0da3b724229916eab58450cf406b7a6d1e788180ebba5bf36288df975c75de5af01218b59cdd4e2c00b56b7f4e8ab7463ad1fb8e86e0c6b2206b4445180d4e647c701602d7f50cb28705a67e9a2830f8720a7ff04fab9a983ea65e3f6fac6231ce97498921dbf57ebdb431747b5cedc0e6c2826c500102557f7183c9088aec663647b6a2cee3e311ddcf64aa7579cf928cddb6edcb096b970a50b3f3e75afb2d2944b89deed0c22bf45a55652a3cf387aaf1e5dc1888990270c9faa0ec9b63bf812e46fbcf9ea10a8eb482db5c7632fed20cefca9fa684a21954bcac619d54454f4733c20b20114c39fcdd8662bdbbf33824936b33603a4f5c20b9f9198f3ef20c096b8714f5271372693c6ab0b8a91b2345c58b65c6ad0764dba34455498e24c2b7836a8b2bbad5b3b65aaaaf88cbeb271cdf15e68629814c27afb60f1a33bf2231b960e31f1ffa1e1db225f148338c289ed7370b1e473f99e8825caf75127e38d39ef7914c61e7f587e9b550fdb41c5ae104363a7e23a39c02c1a2455d1276f272bbcb0eccbe7d5463d9bad4ccc64f5ee8a440aa37044753268b417a4fd5be17eeac953c8424960cb81c6f51cc6ba90f5edfd083436f83da153edc214b4dd0fc954cae2b8901f11f2edf9210d89d8483635b6e49911df7c85fd95ebe122267f63afb690b881d5704937bec22baef5bee2152e6b1efac781c6ce7926c34424b64da91e4b7be8685aea4a265af4975331f3660e773f9b481bea50b52f8a14467a28beb8d5c48044232c778b71801a5a96fb43edb5b702bb463a3f4f31a91e6e913e2c13b483040e2c8a5b12fbfc5fb8faa4fb3f2e8d05225bc4cc7d137a3974030dfc3f9d02208fcc4eab8c3c82ae230f7b9548ab2ed40c370d51f452a2e58a52e7397a11389aa245808820f2dfca44d48ed0141acd57fdfe898a8f1c7223043bf75ea7c36b7e98c4cf9a52669ab4747c896dffc41d71c633c6af88c1bb4fd394059e700ab78c12c370b8ab9380e0c33937e019daf2edf8063a3f7e81dfc3ed4cb3a062a512da3fac62d0a4ed78da4af45ac27c673762028a7b88662471ee8189fa7bf40b6731aa1d272d211cf60bced3c4ab7a96d51c1f64fa8458f011309f66166322f8515034235418168c92b9f167492558b33e0eb1e97ee73da546d46f4f1a37649fc6dbc65b0402a56b0d5851f0ea74ef59b827f9d03829fcbbffdb7079916d6c7e70fe4c58ef8b6788ae0bebb86f56a28c07e296dd8672e0d0c564fa5e87a23dfb56dc3f37aca7fcecdf51980c10d897d273d0bf74b08be922a60bcc77f014ee561cbcf9efd9abd993afbaf59e197acf69a7ef78374cf56559b7b29801b678d7148a2be12eb251f488ad0d0581b448f227fce1c5e2ff8aecf174b85fea64e4a0f696eac33e43d5dccb4e44c9dbc707bb1615674f621526e849ead4cbc9df142644a970c2ce0c428d82eb2c7f7767f77438325f7f5b6114ef35d1d30b88289f8e3336e42e0242e3b55679f978c5abdd47bc0a20ccca20f9f3f7aec9295506ffc60145138f0b212db959444c8351643892739a8e5d9d198d3978bf320e9faa08b05b321072e42a6e84f143431d73efafd49c09c91a36b9a4baf19ce4861467283c671c5c05c34511e460fb200be5926557f4fe02127976ebe9960b4df2d628348d1ad6820d39dfd387d5725f0671632f437b5b4f08ceac46bf53cd23ce038a5917d18a37bbb6d2d921e7f7eac21396ff1405e88662ee70a6a4976e275fecbb2e6a3ab29f37566b108dbccbb99cdeca790f7e4e94e94cb8c2e25eee5270c12a7ecb2684be2c0f0c779d72fe6f515527dee833b67fb4997d850438d2cec07505e8022bc45522e0140ca86016950c4378326a81113efa6831c165951a57363c761e825a8639dd2f9ad5d77cd1f9bd84278366fd73579dfa8397423b37c5c68dcd6843f9b5349b84ba4a9a3f747e05d33b149f856751857d68735e9621d2b923d7029835ec4dec7e4ed0215dab9e4bdf49bfeb7a75ce4584ba82b73b456a6f161d07051ec0c45d268c1c56f6fe5d4eed4b178e4532c0623563cc8f77b0f2d8a7eecfadc469a7a7f84a13df5d6fb8dc3d6a3ce52fb421153229b3a9e75cf23949c5d4fa7ad217ce0f967d9383f9062370c542f0de1b6213e7e2443333c898218ce3a8cf1c2b4874b2f892669209e3e08a3bf9d86305fce578f461c14535966107ce0ee3725f979e66eb621da145d84084ce080fff1d8a38127af10e2d28768f71282939016be46d3e3e1e9cb3d9e432fd343124a7c1c5abf256732fc241adb39ca84dc8106e3615aa3d011a2d57a74d3e7541908649249ffc9999806c0280062e62c947d6699553d8512dd9c88faaa855012ebea256a9081d6842d7d016d4e342df0fc1208df4c966a263dc0b77c8cbd34ebf8a9fad2e6176a3c5950628fcfcf8e5fb72c055b5a48ca3e8cdd2cace66c847b36bb78d83de519d05156c41e5dd435596a3f17bc9e45a441e24a51758d7dbbf1dc9f87cf49134fb7003aec1fbdc5ba5526dc76018abe3cb6a29a582cf0984ac27142a5b34072109a7e633b5d7e77ae353cb52aab1b3b8421659c93ff7b9f806e204cbf8c2861f1d9ff97bd895c4fba32842c29e54e0933308bdc9d6b54549ea27978796452125f1206d7b064aa55d7bff57b955edc4a869e3f61e2192f2eb6b80717e9022df833f4149fcec282c5316876d64db6c14a409320997011ed38e60dd4a6905540d85a9c6b2f42fb5d72e63938934ec33d892e34fbfa9d9d4590ac645fd34882bff5cfde49f13d14e56993b82a94fd438a31bc13df519843ec0380d8580ea11eb331d0ff28effb573f24dcadff957f569f21d21ce52c0fa8dc51703411129cfb14e9eecfb496a0f866ef4e2b43c8accda1b1d514266f1fc10d927733397a097c25e0fb04ae1daa86b76f85449fb8dc1f33c5134d90545fc920541a7c8738f73bff3dd7bfc0da6bb79417fcd015ce6e3b6c22c8ca113f2820c169a4ea4065e34a23cc2e7763c8652083238e2b943c2c00b0819b857c2775ee6d4e15744626db64b66c91a2b392bb482aac0ea4ef2d1162e89baf54ce29fc52cacfa6b26768aef138e9f95076f221d808ffba799deb65d72824b94367a8cd852b31b5f983b4b0a88263f16030201479d70f1589e566b7a9dc62c6e1811f6cb1e8cdbdadc18f27464253cb541aa07a99a6d32f1555bfa8f75b3843ad9cb0e9a6dc9036c89824ff10d875a6009ae7995edd0a416c471af1e9927e102c906c132db59ada47d43d9b92e50bee2e6589ffef909bf22e5f3fd664c5ef1f87e1daca90f23bebbbff179019054d9565a35573bc9d56ae85bb9ff49681a37fba09114ff9355009d96f9d9db84fbbd9c904fe5ee6e67bbecac7b7666d086083d012bcf456b8cee6006d3af06c72c01c1ae9b884f4661b83522a70d1f6a03a8df63e469237e8ab1b2ef1afb93ac4da75aeec8cb359a285012ade904dfdfa6b19852c135d752ca7a233f11650b7e98837c01b180d77db02f0ab7518138cf3080130c2123944a78dc71da1ce68e4a20f56db8050e1ef77193534840e45e89083e7ebee8bb267d18ce003bce614e8d0b5d5aedcdfac4718c3c96e5ce6e83d9a06a9a1fa3784dfef8a6ea13f8f9cb0de615d591dcd80f996495305dbd18025c3a21fcd80feccebf211734a3c015d899695ee4777dd3209b4cfe9ea507f6d303bd8697b91b3fd500e0d8abf97579b097f6f733350aa0ab6e8837b4ca21b6b3e6924d0003924bf6b785daef844d1348c4e036432eebc42acc53e1285b94a5a2332860dad6f4881a54881970a8a21acd13477fa4ed1aafd274ee57b30fc60eb265c8da486ed14ad74c24670428fc2db71c929e27c4d9234e199bbd3366f1d170038850eb3e891077bc6f17636d1507cc9f884abb5c37e5b64f1b532b74bb331517f526325047da3abbe1dcc9d9d33ff7ed18ad35ddd0f63ba668b057eee21bd3d0c8af93d57a965d778cebd4c220c8e6aa08b66dac10fb05bee04135407f6397813a543df798a7f69c653f714940217c3788ef63a6efa9773bf2127c909e4f9b9c2d9428bf861830f99ea98810f508f45a5e1d803622b12da5a4f79d1da89402d888f9b03a064d7bf51c3ca508a3dad504a57533589381350076b8c0e371a36f97b6e8b460db84c35e7b0f9129c4a635f70c7ebb102e3051ffbf70653a97fb82e74b332045f21a3327757beebcd99183ae13656a9854cfa94ef811137f9f62fe3d14df9f43842e8edaf7fbc41715f8a8ac155a0f76b6c856d964943a0a7a3471d04867beafb56b5430f0ce3246604edf62bf40150b2b8d64631c047ab2eea30fae9ea0f00713b85906209bff7953fd9a7c6434b1455652140da6979326536998173a2bc29edfb5457e9b622b4236fdadc886981c32f5a79f783fc877b23daeaa847607ae4c6206168ffa025e3af1ecdc96f97881e6aa5a99cd26359f467f78d294c4f82d33ae60a0164c9f1b961763a1f8fe6e9b9d1215d6e09a5c8a6210b6271f26925d333562405617bb5c81095a3cc8e69b603233fc10105d09b4a910a7a9f38da427d65ff33132d86b79eaa4589389ee8e782af6ad78bb6f3a4600738d8825fb2368fcd45b773f19e7956092d827ee7367fe7b07beeae2bc104758bcb83bc11ce020f40ed12ceee2e54cec254747c94fed44d94f97e04288b3ce084512b4983d07bef645f2c998da102d76d095cfa23cc675d92a51c1e4c35402f14ac3f122dd5f733a55ce0e73151a04b83e2ff92061e5780a7485f450c1c6e6d6855c15a2eec8f8641d30637144f9924ae2358bc321abd57f42adbc8f4051e14056d5cda5468d4e0c8cf7c216a8faf7b01f5612eb4b32a44e3eb42f906771df8af9aef4dc5d2c56244518a24c101b95da839cfdbffe9a494cdcbcae3278844bfad094e65a6d0f5ae64a64e5bec9d52aa9a2150208011dea5a877da8d63a6579127eb7211c73aec87e7862a284f81432f9db58922d9b3e7c0c8e195bfde7eacb1703f27feec737c8c9ffdb1d65f24d4a1bfef2bf484fd8004f2450c0dc5f581fe4e7b82e830c603346e372cf55be6760a7a9d8c0d80d979003b5ff31c1a9ed9fcce9dec2d471dc1a09f7b92cb9d0876b18f9f370067cdcc62a02bca773175f247eecbff0418820853d75c8c6e51f040d472554bec4e2f3c413e171937f75cfac70fdf1d42a7411b2e9379ba3ed1b3fcb353de14231e9f7d2a45e910578be4c214b29a77d4d171dc174037422baf292c4068897677b74696f5bdbd480d20497ddd3793e1163b79cd6ab42e34ca844c6cf4de7bd3bdfd2fef5f530d4321be4592b9a1284a9c7003e5198bb2793e575460b908610b01f7b1f3bda844f533ce1827653b00267c8cff861b17ece7f73a9447bd46140cb567a276a0cb61feb7a6fa6e66ab3a8e64cec77ae604265939937d932c43d7b320d01749b29e46c3e3e900477e43521febbfb6694746f2d2e5ba94f4e22a511bd464c604721c8e2abd8da27e027d125b49cf69dd0d4fb2f9b9a58644b59c62479302edcf9d4d5560b4f98ed0c5269d9fcfbcca1ea0a06bb1a6d9fa3368d06cd9410e0e9faed3af97077411e3116093f041f815d2238626d142a82b3045f7b12c7ef329f1835f9f7d4f471e97959629e4a46446ccd7c8c3f45d5cba6e2b00904f1331f9d1c29490f628cfa26072613b552726d20fb72ed02fadb06ec193af0356ff509a48c804ceac80b6744d0f53f7afd0d4bd13370f3269b6358775cf9e0adb2666319354e6e1d00e7f7e54f4c6957ab2865d51da471abdeb55f9a50987fc5a0e75ac6c225edeb4bce0eb0ebb18b6e97b5abc9f3138c86f12642c30e434cd75f99ea6773229dbb2b06367466522514f0747e053a46fce6489e261433ef1a806df46506ecf535cc0bfae278492301e4b775a05223ed47a4bbc9b70994b62b2aa1fa836cb59ff9487cc44b2f60205bd9a205ecfaf3e29667b340feac372b19893580ec578724e519d03b79a731e10f6b54501fc7cc8e0eb0ecf3f88f209eae11632d4a0880befe1fbecb957817e0b1ed2f7554c27653b4fcec8dccc56b351755f73c7a3fc55a13f28ba927283732e27d828702cb1880047f95ba9e3b5b599ca6f67166ab2d1f558408900b265ad627f2117a0339c48831aab555bec7332709a5278e175bca4e88a3b7c30e7b24631d199ca115ac5f8d5d71d0b1140a4161c23b7e12c4e7a47762efc3d2b8b916be45b4a02f825c28e1f10d2ec44aa248c7a2e06b7aabd811f066e850b8451c7ef787f0cd5a7c03673f5ac95533c4253c86ae33f1c8fa4b7c084985d34bde2efdc9d819e6ad6127e114cd2794260399421532191fee76341cccc542308d78eed40840ce163c1ebd2c725480a4389fb500f81578ab833d099ca1e41a0075e104d19a78ab0d3fdf2412976a087d4e6ecc052eae45fe106f4fafb15d25642dabfdeb64642b7578999c6837c7381d0e5c2b87a255ba6cb5162b011277d96417940784bdf7d6ed3ade3417a94eab59d446ede653eb293521072f630d87a437bf7bc5ed46ec5c1784af12deb751837eceaf17b624988d1e9645923cac68158d47f5e4ff80eccf38b9e40868a7adfe431c5a15b2f76c081b0338c7aa870ef1f526b989feb21f5e08d14fb98c839c459da04295a4febd38e828213e39451a969753f4bfd6b7e545e9ad92ed5f089f4abc160eec723aa137b3d104d45a7edfe82dda9a79fb772a329d9df3a08b19a30dd066a1accdee98bec27b430bb2523e507b96a0e8e802ecdcfe5be550f6d4469fe3c78f75bb0cb52a9590ac84c41bdfd6ccc86ddefc5108405bdb1b53324619007662d9d318f4eda9ac61d010c14d41976396b58e1c870daa1a7c7cd2b90fd354dd5c96c4a632df6b0437336ee305c90d66ef5c5ece98311a9e89f38d73180a6421f484d70af4acd39881b4647ce2a9dd2ca5f6e64a98922b0411516e12311bfdd02b73514e9c27d330af650117be3ba69e5e32a4fbdaf97d822e4d0d5fdc31b447b3edecb0f85746dc203d1a08152754089c2b7708b20859da0dd480bb96c6fb57ab5e4611a8f36358be854764b1e8631d64df259ac7ef4167463d3dc64b7c0eac787ce3319e5795ad39760590f20203b6257320a445ef56093e8eba3b1d2b93944fcbed6f9646dea5e8976169406a19dbc1f67d4f9326abc806c88da9913373fcd061bfe42e6a282ec21f381ff788599dff51adeb69c2f3e5cb2efc9315cdf5dff35bb686320fa93d478619749d29e3dabe61785f2eddec9ad36b45f64d1e464bd5bb518d6cee2f2afdd9a34ec04d7e91cdf2604b7f10225c322e2c9c342ab6eb88d17e88a0430ed01a4c62709a1a70157433081f4673150e1ed37cba6659958ad54c2908d7043e9e895da00ae7706973c379cb33ad547ecb7b330bc16998a612b7b3d19b914f16e02fa0012d23bc54334d905dc6fe682c2d4cb6fdff12a03b7f777a822cf6c00a44900dd7c4c53d712566027b9550ec6066fcf2f2893d379fa408bb182f617ec78e3a7cb7ff55b3b2e798ff92a544dc307c48d5f679f88b162feaae78b7e0dada8cdcdb12fc7989614e974a5d271e50f7b61272aa41b30568b04fac1f9c7418857f38c6d15ed166498c80ec33c9630efdf522a87cfdbb3d0dab6a241c751449638d47682f51d623eb0eb9b4a7a285bd3a0a36510be957d0b3e16ba11b653928bc842c42ef79eddb8e5d9116edf5864a5d7b5cfd057243eef7dcac48d93aeea1774c417dc6827363c084d7340ab139e1a2b89216d0b8154ba26df8aa74cfe080fcf08fdfaffe6b36c54c199e0e7a3dbc4338418dc24249218c7fb6aedef9fec1a8cb825ddeac2ac94e99b21c666d16745238819d6da3f67985251342c373fc97b8809406fb17a081403bdf7fb3da27bb58c552bb284ec6410b5e45df014b98b834ef01803aa8625ba87b0f00393097323210ba0a915e787825d9cb8a8bfb8ea40e312c18139c43b6cb8e237040657bda21c3fde2f1fe7a650a89586e4bca0041b4e69c8401cd57d508cfa1d763bfabc0017a55c501c0954a20bb607998d61caddc0c296e610371b16ea333098c75283d0e77a328e60537d3ab81a9579d10053f87a4f16671a29c27c9a64e14a80808db4c5aa7877413a0b9bfa63028b1779f691ca0923555a0f593ed606058f5e3d002dd2f2ebc7be41922224e1d8826aecd3c9c6d84a40e5c6cc93700a2bebe156d03dfb7af0f183505b04413d5db154d614512db9631a845246ffd58aeee7660c86b6333c3afc864a046a407ffb10b55194e9b787553e85c0b1a8458fea3a60fb3c4d571a5ff8f5d58addb1ff5812d30009176d22e81cf669bf9ad9bec471fdcd7ef1afb242e9140d3e36ac4494b9fa1e443586c30a5e247a23d5c9388eb13909630cdfdbc830dfa586e04e36e1a9f548a864cee4568b18b49f688b805cd90a7371463ee7ec3b02408da61be4f52a6009dbdac474e7487b76b81602c6ddd10f02ef334aa4d7e543cdfa9d323da5a99cc417c5883c2d6e94a378bc8795ae7db4734d97342f19e1ebd81b97549117bce2f0c9c8709620e2659bfa78fc3550b8dacf92aa7f95a9a16424b54a5d3598bf9acc6d440113575818ba8d6351b47d09c5f2f140da4f266e9cd90c6dde5f313ae56e1b56bf303739e33ab6592bda5fe3b49116c86ed0637a6217d979a3af7dd9d94d15c9057df74abaa1697379d3c6bee43b452da087f9c35c5e0211eb0deafbb1c74907faef22f3641c2241f4a33fd15b76d3d18ab1768f4a898bd8ba2628a36bc48db1fcf8df73b7055f0e903f3a75b2686bca706f8e6c73a037fc0543291b91f5b45558006826003ead468952e9fb811dacf719a2a3073022c761ab89ab9a71131d3e9c13e4f3bbc01e869850b3e1a458c52e6ae48d4977e84584738e2e3cdf7f500d59cb16291906ee06cb852adf0e65c1b142a3258136e2d5b39291ae22b82ec70cfa96fdc3cb27a04fae3f7f1840278033ef7a8a9893245687c7533f9583bc84bc49fda4817ef517e373e4ee9078e59ced48aaf7f57b765cdb3b035ccacf875bdca1b81048402eaa4983cf9a5f30a98a1143f56e7a9b16a5abb0d7851a95f98c73e603a27d15a35dd79cd9f55008377d7c4335eca83e698662c0efb4f523f0608b58e0effb50fc31d068a461899ea711e4cb5cf0d44941e3110de8510e76bc80d8ec588b84d6323a10bac9b526e810e664079bea7d333e75598a1d0be419c55232bb2400c88153f890993a3be5a3d51ffd196544c49841a16cbd79f9a9294cbd9313c170a5fd1651d104cf6839b050c58ff546071969a7ad0aebc0af8ae8ea4085252aeba1f8eef8d87a6f62be24a86112b1d17c4191c5c5d28c54e91bdd57ed096f1de81e3b0be0dd1d76d1f308d053b9ec63df8f59998d6b748aa0d18142ae0d84698c5c9076ee58108bbc37996132da724a5a756df578087e1c8e342b9eee8c249b4e87352879f65f2ee14a0d863966c20c723e5621103b37ce14dbbf238e3dad7b6ed0e2f5c2b13c20d2688639b9ce5bbb5a52132975d580e57e3ad7b4701762c3a6aa75b2b45ce5d4a6364abbe9205fe61ce8e2d844261da5c566ee3217e1542a8f4e99558069fdcaef675aed96dde432b44b520d2cb2b6c2dda6a930871cf5f9d8fbcaf84f31abf8efac1194172d02a12de345341356152deafa2e64a51e8f5e6c075817ed375cd4bc30a795e25a28c9311cc3bf4fa4612509d4d242e6fe2696c43702af4c5d2240358d73a28657edfc676007818f546c4cb2b07259ddad85028cf89648a059f09f69af3643f4f0b0aaeac33f662980e9bead7565616e2c706f0e259d0d442647fe34ce5cacd1de06af33e1ac8bb0414a9fc4640691428364678ef0346d05831f255e8cc15c11d6e8a570ea463fd0fdb599eaa2f0e1155a876c049a80bd72f9a41b44aee461c5b40cd03e41c01b5d65346aef3c2fd62fd0240163318b3fafe0ff12f6cd9e6baf5a1640d2cdb720b84059b2c01258ba78efbdd42d044784de9457184b7c4ebb155378e5ce213cad095d1afd076568916d03868e2604168045ce20ca54d30a15c8adb979db9f46cd70785567b8d5f6fac89d7f2892b36fbb4fe8de9c0bada9f24000636a5a5d79a31b09d71ce95eda30369a195ea2657758529423d485630038e8d2f38c1cf69f44528b19a029529977c9191b9c4be2b1383ea3f04c7dd21dc7741ffeedb19fea62e0d17a3019122649b541fcefcd6fec8d69cdb71b93cd345a4b2ee643f7e78ac2d97a0dc0f7e0ce6f699640750101603597e18872d0840323bc88a5e1e1718ff9c5f11532506f4cd3eeea4f5a58736a3a12bd9315b5fcc2693df2dd9640b9539b7ae7ae13edb6f12ca95cd58410b5c379d2f5612c1a474b1189d4aa1826402ebd595e79d5522230bfd278161f9043d4f10aee32c133522152b2cdeaa27708dc5aa66273e531420621f61cd748c875f5c6376e4344cf13c38dd7acd03474e4c19b6e06aabc43b4de310e35f93c652555c9d4c702c7c8fbf3f15e393c4742e79a8aaf67c20eceb4c8a65678306094740d8d7bae5fd6d1d1e87cd1f1e34db80fa101dca0c9fa204f1504c59ab6c324b34e36c00311b0be8db4ada1a33d634fd5f07ce1d5196acb05261107d031733b8d302a1bca19776f2d24c2601a402a38416889b681a036e735e572502df8b3067f7ed4200df04a01ac1c1eb2f499833c04ff1a7b5d5c5779bb8e05eda1596b877427591e9a0d0da0af1203039101466f57f59377888e4bce0b29616c1040aeb2a7fea1b6fd7abe843784f673df495460515f32563e5921fd63285122d6ce4dd402488c3aa5756ab2d0aeb57c0c5daa167f96ae079120045727ce3b7c9580fe39bc689f30c51ef6389170f484871bc75da2d25f26efc50a2c308c60f5e4c8624b5867df59d03217e2d8c990530ff10c00da427e06d01618acc7cbb01a501a750028caf0e9bb3cd4a8ca415504290510209d566940981ffb0e99beeb47ba01e0c8c62e431105a99fcdcc3e0fe4fb5c4e69dbd182b5346a42ca09a5eddc7bb78c0ce979a62da6ce1d0805fc5a924e1aa952f0e15fa59a3e095c27f6d15faee367f2299168e73378ef24ad16d934d3e55053113601d32c5a04ee6f1e7c9943060348cf8c8d7400fa5fcfd22ee5e911f1221f42a0c392cb30ca2ed10a72e0c339a1c7ca8c71efe9540e1ec0cc6643ff6d0f07289ec373e9b96320a4fc571251916e60d9f968a368bd3b4ba338571027ada63f6779c2feaa9a70186950426c9aa6ab0b3293dd4d59b0f85c4e833f2edf873f6b27b20e41cdb56359e8f9bfad2b58b981f5a07aec4a15e52b6f55a35cea858f5ac1c438f69477808986fb4f8afe656b3575662b31435fe7f6028b1c24840243c76351ddabd313775395739487155bf0c377694d31150b3b14b28576dfc0c86f9baeea5646f7a0ef6c1d0ac2f448113e5ca027a262b74bfc9711d597749d11333ce2a5723d019d44f54bbf1da9664721dd833b51cbeca4ca3212317e97da6d3e44b059420f1536e194b5447e12e1c5f8a19e17c0d1831631774aefbc677a4676a6c6e408ce4c41cdcaadc6b9089c6bf4832e81bc5d80f75a1233a700e8149800c5556d70f032b38b467404a56850d6604e3d082fc078681fa89d5fc422b5ee06fd6a65ea1ca77aad5b859fa615fc2d5b41b4b4edb4b7376833089e75cc0bd56f3917a4a70b0c4e6c0cfaabd238dde8be4bc260f4fe158baf11f97a80d7a6c6c30d08d48d1af64d8c1882638001ece74d9b2f42aaaeddeaf5501d26c7a479215bcb05f56f1d472db703df639fc7fa35c997669fd41183cb48baad730eebfa5931dcb20a683a81b2599655fc1c52757ddafa6a26b677e7a06b11335aa41806b4b1fcaf05f186352f6fd3d7000efa4e667a28be5787e9dd323fe7910fd7cd2c8b17e983febd5b0f8d72596d1b4e6b4be1399f372fcc3b473b667be087fa8dededbe06ba3054e9b885e5c930af4043ee17e1d052e3e270eb91835e7459eeb65a72f6a2ee019bfbf04297f0b21040885c57b6d189dc54d470b5996e28ece3a6830c3483e07727d76d1a570c305fb0c75d7935493280470fc847990f4551bbfae5842725c4855f9f9885a418623ce71a7d52d1f5a1e522e6caefaadb9bc29160882b52754e3d8478644144de4addd4f2fd33a2516b7fe2ba322d59265983bf8a4c89908a5c9f9669880355cfb6fdfd0d50658fa743dd3bab9a69a95c217220a054b9453e4c48d18a8b5ff40184c8e2b973f7772865fc370692714321594de0cec2bd022912149d7e8acc9e5df154041fde6be7b810256074a60c24842e0590ec7d7f1d1b45aa6ccdd88c30b23bfd3160d40ecb41420cfb408d82b7f8fbaf461bb12d5c912a94f2f7a7cc2639a3f36cd07b521495b9aed21e1122bae1e06f77bacfd2fd7db691aba1153e7f4634e1f48011789063059dd5a8cec72d8ab33048c4605d3e8bb6a37079c3548e0e14eaba0bd045d2642df445d707b82e4177275e9c09844f3c5a8b01c961784b307a42d88e8de36d07293bf13bafcd754c7cc0a9dfc86c6cbaf5138bee089f3a53d12cbb9d720ad453eb509dabf437154f4a36d4a3d31473977cd0f832f927812cbfa2730d87a2547480f7f6ae7581af11274b6c5bdacfc27d1ed51a7f3449752385f815da048b5569c8e726214ad3864cd0003fff7910479ac27860e22700a27a804b57066957798741fc22536e449d640ddf163715860b7a473393316ffc568ef809a995822c551be8b17dcf29e6b4b7497ac0985b933b9793760ae1ab847c27fd2fdac29b087135ac83cdf2dc7cb960cd2e6fe16dd07e4a9359868e2db4915e3af47437dc412e916e99145b0b47b2026703a1147ec6e8c066c8ef351a9fa9e151b8afbbf4c055d919af5f727ffae6731c5ee85b9ac1674d7f51125f5607d9a5ac2c880659feb59f3a3c235336a2ae80a58c26a121993099d84aef36319850788c315151f6a509147d9eb7c321a3021dee5002fb39da17a2b2046f5aefb95ff9effc3e6a8e7c202efd008f4dac8d6fcea6458362639416b1085f51ae259fa23c4ace0e906408b88b77fe24fb4cd05cc4eda1ecabbfae95c5d01286aeb26245222cef988a2e8dae71777e3925a3b31eafdbd8d86c538455682f862f079bc844a60c4d9a9f04434b4cbdf4ebb0edcf08aa2c8d1b5841b824b7df1951a67f0d2ef55dfe8f44f03812c0578e9a1410e4ac8c0d8110256438d358256091bb28318156f6d4d31d66925ba26f38e70158d4808950c9727f8df13e0c6bc45075b0ff411a5510def9d32a246ceb55fae12784928dd6f5f1e86498896c42aab6e7a8c4b0c26b5f98f6e7f3fe5e8d1d22f7ee5fdac89febce5bd645e2649f7f68183b6dd47c5fc6de90dfa7e241dea4401e276506dbba98dc06d6fb36164288ef98ece7e041fb62e2f56c38e80202a50a46e63aefec721e72e1a5d7a0345b70311d22cdfc1b6660ae744e142316bcc6c1fb2f62746d6e994a7259f10bcc4692fd6d6e18d6a4a8f1b3ddf8a9ed1e5056a77ada221514a64c4d13af4cdd0ec51dd612b0904a89f6849485afbb4066b3026dbfea1d723bd47436a5cafbb359f3ebc00a116772a595b7169252ba53bb09a330baa2dde9cad0b66d2fb1a22aee18791a9286d4fc7eb82b8c0d87ff26eb8f38b72df26a5f0e49c4f24bca5174b8c671e32895b8e2cd824b2dcd2a9229f8065606c12f5ac718c60c7416bccfb465277d533c9697402c804fa6c21b2b1ffc14fff2e81322e0f0db4821785247f46192f1039726010bb308429e35048c9a715365dc253a9a6786cd2103038f9dd2c04df2dc3bdf37b27b1ec4706887aeeb1ed3133352c124ebea6b695ce84f65b7d61b2c21b1b58e5c6369ad03d9ef7a1f08cdd6dfaafbdee77de92b5317720f5af67da104cc197d5e5fe2b4ddb11c67d7550de91822e30d54372ae2305334458111793ab020222f3f9e2b6dfe6532796c2ad82d1063bd30164e7e6e236917a722834239abcb83e683f5186b557172fcefe7e2042a08628e7f290cd483cec6abb60604e0de363b205fbd0dd909e283dc12cc466085f40c4244f04e92719206fdea4e5997122ff2b0b1bdec992adba91771239d0e7eab11172191f5f2ce33b459388ac06474a2e7543d3600b942f5a277b4dfb68dd22a1bb88fe1a8f92b03cd8ef9dd1b094d84eaea5dd3e66517eaf78efb5fdd6feaca9ab9ff5266ed1f46ad6a138b9d3b2c6ec095a14bb04afa3c8f31a6957a5c4b4916bb6916fb45b3d9d426906191bc6ecb92dc1fe2dfcb20c04f5a115d9c87e8eb07096ad17e54968289bd9b33c53e073af0df28bb98d9567e67585c3ed73a35df82969cae3875e058563d45b3bcd69b7f7b94d4be40314b1b1205c672d9e9b385ee98fa2941657f05be4f0bb504b917db99ac1876ada05933890711690971a0c953ad5c3431447ed3de363606b7076b975b7fe7daa76525c34c59b9f4f28952b40cdb7a827459c9db7dd3068a9db8a104800d95dabd81005532db44c7c37892660d466386fbf3040c47172f7a5199b568e3fe86122dd5c65595f786ff3322cb7cdfb10223df5a7cd3b9abf322dc30ac8162dbe680a10db03a72cd66278a8f243f91a0857c93d2c34c83849239867df3714a216e72599a7bb8666f97e3c76ee1a865f962ec03e2cfb05d221a5f5078c3c722ba848895eebc1e3175db6f46f890c85edcca9425f5c1a5e31f2e776af9eceb6edefa065b3b4fd0d2764613899b81965d6311bde99348bd2b6dfb4314deb6cd034df8ddde1e169c6d95a4189e1ddcfae8ede44358ddf38d790a188aa4b991c2f8934c88a130a9b04c4b610e33c86a28c771ce6648cacf3d6a6eddfb2d9d55d59a8fd192edcaca3bd86dbae88ec8c003930036a1ae404fc701e9e249a7a2aece876c04715f04d688e859e476dbd78dc1aa27eed4a59e67cc538045df964551be2c906fefbd0a3525eb2bce91315bdcbd98846cdc7370406494aa58278cff320b94ced78635d6c766c3376448c659a80f2ada03176b849d49465f4cb3ed14f2cc93c3cc48521bccc63e5981f8cf3a425e81220ceb75b5356a88440079aa7267515eff287bdf1f3150d78ab4a8d3b54202a7d8f5f64c0f1523f663d8d8cff76713727d45f0880a5498173dcb97cbfccabdd66d1f763175a1a05909c86a56a658ccda11a97d1caf5c5be5d549f0c5da991459954185fd818800ee92fe1ee5cf47e5bd9b300e9794e6e24231e1b7e4e023436e94b912f76dcf888be422bfa2a5a459b0ac76e4420774d9ce1253ebbb476b027be4a135b5ded8b4bf1e5f9b7d466ee9419202953aca61b4260c743869e8fa5d9aa612e34886e6b3f9f2b56c49d2605ccb2e5e295d73c5733fd9721b9f1e663f52f755d27939e20f7df3b2b5e27bc18b0db0ec30ed32da3340cd5e80d5b990d27d96e6aca3cfef8671327c5e287bbba53968a2aef825efa837ef6b8b09cfb2f8f2e47cbb4da26cb5d569c43b26c7278d24164a4e91c8c77b928e479f46b1a0cc0dd56a49d257bab2ba329c1b0f8fc4ed775af6b465ee93d21534780f62e76fb6a9a4a6cf72de55407b144db3e9b1c508f3539c9dc04d525b7634a588ba6665a549ce5819a2e05112503e75f6969bae2690677197310e093d1e30fcc1dc7ea08c4795efcec23695eee4e79df7a44d0a6495c86c42655e8e2500202d9363e76f365a10f94a600907cc220407a2d5bebd94ed6b3900ae13c2be21b4da43350ad5f45c01d00c6aad3bc75d21231abe4eededac5669b4d74fc2cb6862698d8d703d6cb3fb8592ce54fe2db486adf4c52777bd62ec85a4b7d9f5dab140c3adba05395329a644161e398a84539017f88b3bda46c6c96ab19115082fed39b28b94ced75167272db5d32f110ddbdf4234b4397d3490da1ebd649f1df80b3c2a6b5552ed460f84466b6a9b591c1616ae2381c938cdb6d12085eea42f2cca2fbc21692bb46ce0e84ae9acd67148be4e0d75802179d8238fbee123f678694f1cd640f360588493afdda30cd2ae6246e79a5267344b7a9ef1120b7e1e927bc42dd762d13e6163fad74d6ac4ee5e7db7ff3f1262abcd2cd18a1f90df47ec4afd04bbec83f8012c28a67e316d7e9c4da243737de9d96486a0d3e61214df870ad9b00dde612a5168d24d8c1e92af0481e9c8fde6d3fb597fffb590bf5c3008253928be16ddbf85126475d0ce2a9d8ceecc66ac0c7f1b62048287cfa18ae4acca5ec5abb616f17b2c3e1b9ce4eb742486229fee9507565ae40254581ae8ad6251db3a5f18ee440bfaca7787c28c53258f2a879b53e711f826aeb2333e915944910c82a1b7f233c22ab2328d6e275a5a04968f6ae2e990b8d8832a37dbb1745204d705ee542621ee86ae8dd89139dda8339ceb37e6cfb74dd0df89644391a0a4c397bef6fd3ad7ebf41f44c084ead35e0d8f12e0c114974654b797750eb71649d5b25d87f978c85116fa2aa4c17131593c8872fa5287311f92939a3eb03f77bbba7e9f0550fb8965ac1b8fa1a848aacd6bf177a7b12b6c8ee7313e90f17d21d404a1175c61ce4231b48ff900f1c964fc2b2940cb93d49b54727d9d757ee1ec5cada2a7aae117550fbf0652943a4fc5ab09ec81df6a0503df2883a7d07333ad3f8de88c2d7c0645c30ee088e6276fe7db16d8882f253f66026ee7501b3e9b812ed7cfee345559216422ccf2c852771cde9721237a2df3cc7a88f31ce41f832f8a473d481affb1c0e22000b0e00a0ac2822de3193aa28da3557e60cd4a3d3057d6b46fc7578d39bcfe5d5525f5cedeebbcbbd945e178c672a4a2c640c9af291900293c4c334aecc803263d018021e4285f0724bfd2081bf1a174a5b90bc8b8ea9ba8585fb3eeb2e0b5b341713e4a83eeda01a118f26d854604049d2d9b20c6da259299c8da79f08dcf89be7fa954dfdc9e8c03e129be0d9c6f033fae8ae038b6aff930e52d4e8cd6c77d19fccfe3fd7d3afff1162493ba7bdbb092ec64a81ad7cf85baf9604194566cb1750fc66322382e2956e57300785fc4c3c471484357780c143f969f0ce4c57866e3b81e46dc2770fb3e7bfbb470bb26e7aa9c94523724e63d5dcdda911e6ef9b8a48f00cf93a8b5ade72cde22560ba5e57458cbc8b86d145d67423129e7989e1ff5e78fd79156e6013b0a1a3f9e31e3ac0f89648728237cc83d7bfdd3ab899d56d553aef00a831e96b8a72e1ddaa5a0865174dd3195362d370d1213f92909784f027e4a45a6611d3793904582a600b1953da6b4d0eb27b172bf98162c44703b24485eb286f424e7b5a47a8aee1037e28720348d616b28b150e98bdaa1875fb2692de470fb1191f3386c2b37b47fab695b1757ac0e5bb838b99ef666201d2027f6403494ac52e742c0fd62ab8bae223e9ef005014385f73cd040b2474143aa1454bcc56212a854a436550a2a74a73938f6045937ff3338d512a3e85d1209807a2c393ed6e418e32ed2be3d37df94fd967d607503347dd2369d3a14a8e4671a1a856d5b803baf9383ece69667718fe907866f10262a58c02eb5f0706073610353b09ed8dbdca307ba9decb7a8f0a026119173b972312095ca5cdfd3a7dfddbdc5a037327fe7f41764105047b4a19d7e87d81c4dbc7b9c7c158dfeeb1e7e3fa45d06ba327593bba7e28bb7a010dd9fe9130164110ddb9ff54d2302d8c476b6145d1f89a055728acb30d510bc93f59328d3582239ac28e5ac3a4c971f19ea95355eabcc55a22ffc35b9dad29163ec662224c524dc545a86787adc89d7db9b197eabfd1d995ae01f248340b1697155ddb2ad540247a59ac8574ed41c8258b74a6fb651f2d33d347d6d38c629c87c188ee4310c199de7f0bbe768e8cc1e7ecb3601af0c8c26d8266cabfc8c83ad1520442cdedef6b59ed8b3bca8c38385a34c360750ea3f8e570252c8bb6c31eb24d12f87eafd4c332b12008a44186ac648c75f9adeb621748906dad542b289bef5fdeb83a23af903fb38540975cb5282709c3a3c9e7dc0ac244dd1827e5197192bbcb023506c8f1fba9db637702007b474bc663c40e8551302185ebe8b06cb30f59e1c569baf9466d2eba8b7023de824b6bdff0c77d6d76c7e528902e4cddcdda2bfea46ca9c5181268d57aea77972e8bda85ca2476d23d662487f6d2e1e5613c5ecd2fb05cc31abfbc509d1756dcc8c0bf8b4901cdb387342b62cbb8fbaff5437d862b3cacea99fe298ecb527d7bc90e89a39b6db7140ad4939d8fea8664b77aa2ded74a0a0118d695e1da97c3c3fcbef58cb59809ba359c7462d58f3fecdadf94a856efd5543768d8a3b27db5f548efe2e51a9b4243c231743f52f5c0355a1a5ddc5f6173f2b24a906d910737dc632a25d1705090f957a3eabccd8f65b62baf4008641c20e8ee6d67c0eff376ec2f88d8cc003d3ef456bfb5da571d55cd7b0a515e278ceb4a2c84422ad291a6bda7210d35ce1f7d3e2144ec7030cc753859dc5533b86e4942394e71acf9f8fe2b9fa5be163484c85cec615e1353a3a5f1a82c55d916fa4ac7f31b1023dcd9130f61a8a7c00301a8e6d871d859139a7852a60829f2087e93e14e59b2762660727da193ecc0dc15e97234bcfdfcea68ff968207c4fbc5e7bff4d9408d0b252da323d2613c3ab9971be3a6c6e8982a1ea2ea6b020cd0b78ad83e248f38f9d7b2c0f81266544b93bc0f02980ab0bf873ed0527d1a78c1283b5cdc12314d22b5e182921d46ddcdf7402a465044a16b2d59df62adc53e689f6e300c53352f267749b79e005062b07d62b029ce5e82845ca6b695ae6c9bc13ab011f22707dfce7e98940231f7704afc12eef282bce1ff8f0dba329cf70fc56fe1cf1d6dd4ca3d079d81ad5f639ff8fd904a54047e2b99d4ef027fce4b70b05b4b5dca48864cb19a65a42148e3e2b9ad158f9bf814a0fc0c9d35c61ecb9a6d39ce0aff53f72c63c93778fa9e01d81ab985ec1ab9337252a4634e4047cd92913d85db0194ad9278e751f02e126c8d9f103cb9fd5b0dd883ee17130460313e6bfb066a2693532785af70fb7bab2a9d45e2853e6f624ff1f4b2d362c63b8fec8f8840969900b1898c11f4aaa950f6be042eef4f57b0b5decd0d4c463a1cc015b517f151431ce6267c02e12dcc119351e3f099187598c7a804a5a736927da508c9a052b6f792a6f24502029c0f758151b65c7cf3e4239b4732b44ecdfe2c8fd3cfac6005a13d132a72f6b6da2d5cc2c8801600eb16c1488187bc7d43bd5c9f6bf4052e7928b17c4f0b9d5bcb2208970780fd8a3fa479fe60a3def0332f2b9a321a36886fac104a4f739db35aecf71bf1588ca6fc3c3430776d304e6fd2c6e335908902d815593ae06c4ba29eddf5f5e3d715f5d2c772e2b0f62c8d53a84a6835a4995af4ad186b21b55d011684ad07f1317d93fd32a87bac3b2027c39173d51c95c486768cb924c628653541146a2850c8a571b2db560eae73e5118b2cb125f273ebeed428a83dc103faa06018ab58facf4c23d4f80a058e509aa5cb88de2e74096ed8c73cf4c1c18fb766af48f8c1f09c85af655ef243567973e2650919fe4289e1b949161560cdfd1436d0eb34fa5dcb1fc6b655e5de8e47dcd61987e28b2b67ee560d3e5bf06f08d1740b541dbf5fe966c548477744009ba253e1799ea46842411f7c66bc59bcdf3c62f265169bd53e2d157ae268f239ce8147f5f7d3f6e1613a4bc45a010e6d7efab1ebcf3666ec3320c356ec9374d4b55b5e226d2976b63f1263c01b5dcfa45b5bd0be9c9c3d11e2ca18f6fcc1b9673e5292c7354047752b0f88934129c4ef7562991261a35bffd61ba0912fc03b776a8ba37588d1fcb98e4e70734778f88795c5e53f9d894eb502b095ec3f2680c1af1b1db4d049d9c4e5d5b65a784b318b2dc1862176a36b64568ead48397ce6c684532a3ceac8d54178ed2c4876008bcf686e1e9bb60fc7f271693110f9cbf43dcb496a70fdab4aaf65bc6119d34c1c5a8138faa23b2b347f2bf0f6cb9605f3f504b0080689091688f03c2dbcdaee698912ae4e5366fae05ac4bf34f3a001f39c612e0a511ef4fa6b71ae32c6a805837530755b7552baac76f76215628592929629ec4e7f386ea26ae151a9fc1858e270621116802af43107b3b952084a19be63734b8effda36de57586b29c50737113d04e1ad7fce51419001d1fbb4c77191321fb3d26be954e8ec78d8f3c5ea6aa0a7c30d2a817b8ec5c3df841147f63a39eea423298d8a05cee34e6db542f4aa58461ea0319251e84b1b4289c2e8f2f3f76cbb459527954bc00128dcf53a015e330f2bb9a43e9703299de6ea9ff7ae84beffb479f94b4cdbf24bde604d69c9378cf8387bb9831c46a619fb99915923d8ca6ce536f47370599f4dde04c823c067c773ac7b6f40ff5af9b30e9fa17cbf1e34e30cf503477d554d7a4c8e085b1900cff0b0a80ee5961942b57b485498ac8683cb52069ed367edd614555d7f53ce7601ab779df7a28cf7be8bc1b6a9e1636c697e22b5f2901ecf6c7348c335c8b4a3c69d9fe63df416760c0c747de61c2e0960dfbe5ce7a553b532b2da5d9645c5d5ef103cd1af91a240311c1d4c3fd0596f4f65f3113f87aae24504e633443ca5b5de854a74d1c619c727a1bd6764a214be118698b17766e2a95d661acb2d0412c7d36cdf4467f6daf14b962cd97e24fa3cd5ad9adf2f3d1093cca7dc676de770970c44c599b996d49b81050c744c7c9049f93c03462089dcf60b9befa1f419a45563f82e7b587b26ebcdf5dc8b4cf190b73e4bd6d6b84a19d4ac62902ae8177d3aedad512b80c9573547bed38d9f02170d4e8b3a1b18fc90e0b8b871ec5227d4c8e114f44ca8c9fe9c5d02054c190559b26b166b7f9480aba380aec7ef6384dfdcf57c2c6119698b0f2a21228dc6d5cab83037bbaa475ce900d18daab7349e11a18e915509c23a50002c3a24ffb02be8686c190c8b40d7f044bb227db73858293befa17719915a8bdbe9f8ce384b9e46541941c0d964abfcf81e701cd72c7bd935eb1678463135b834396f38068ff485b409f310a1b0514bb3ddc46f109f689f9ad498bac5509acbd6579c2bfdbf5411ba85b067ff2733ac937edf72b1c74126e89017dc34e8826218015e25a28af71d9bc21f4dc3a2fdc6e6ece6c2d1b54e5fd3c669f57b054f5d3362935d3022869c3c3a92275a66dda55981262f10f75839a40576f6e39e354336faa442133575f0af25d64bf8c029239dea3b16dd6fe97d11361791cac093dba5668f3e696c12a304cff2613fb886bec87976af2ad8efe68aa8e0efca8fdd663bb65cc5ff4fe114a57ce0a7e3ed2a183614818794437e91fa03d3a7042ddddfaec07cd927a8abb492ba026779a9b029e84f32cbf3f100321cf1b9380ecd8b21f8f492fdf2e34a754a0599635ffb84eaeae713bcde5c55ca74d446c4b04352a18cdfeb00aee0f8c7df00d7b9ea5cfb8d00db3ddf702a5519f03fc02539b540fac4453c36d763dc0f387f38c953abdb2bcf8e1c1942b6adbef0f89163b5ca7def027d09c03106af8b2571613924a815e319db4f0acb27a32da871003bd0e14b69365e8d9a7b9d87a232e018cd277d7b2b5ed2da56363ce9cb64a754419473f714e183c6b663df0090ab6d1cee4a04ea68780806ba2680e95d80b2111df2091fcc06874d044e3cfffd2515e2fc08b720be1ee43839282724aa05ba713d50bdebc6753829cda0999d310d107f534b84d981504d986c3cac8888aa0ee67380d324cf541971b092c9cbc86254bd537f5bb68c0386af4a228104fc03db6aa3258a4b9517150c037cfa34be268dd0c2159833a75caf4da248f71a34a78077e15b44d8d7770999762b0e70b92332009999e5a2390944620363433d01ea4ee78efa89540f652eb622a9373c51c8e4194324070621bcc6ec1a5f99964a6fbe2c2699cf63ec3ab6074cba2f395da358e8ff63048ddee805d13f51bcb470324abc4db5a9df832cacf88ce12d4a759d83e527f4923addf1d846986bb22ed457056287e399622ddb1b6546ecad1d159822d96b84dfae694d2ca66dfb9666a3f2ac1cd69a3e0a57a8c3264b7eae27c3dfdc0679fd79e179b0a05ef73d8a16be7724a23a23df607ee7ef8bf1c85f4f8d48ac70262c0791fd38cac8ac9972a04671434477e34cc1e242605c9e8a03a5ba68e4834e805fa271a998ac9046eb9c2ec1fa24e4fff377e277c978655af4abacfeb9f7f19b0b6ec116a9d59d773b409dbaec6a1f571507ab3d9c3254f6adc8771783a2477a8f744ef678db947efef1b1260fb8d98686a892f1a7d78afb4861754b37780673854c74c7789587771f39299d638e22a4a40f5224144cb8933dbbecef6b141ff990c59f0148c63b338eec3b7e2ef7aae262714d5b0b98879f1b3d5455b84e8730097c7c092a16306e8fdab596985eaa5cc048d4c7cac7120b7348a9840b7934440569592a83196c7858798c6b342daaedf49ec2fd7756b2d63e2ab21b8402fc4f0e47e886fe99a272b1acc04f69ba722f3bd3a87485cf06d9996fd56c544f4d3f03fae0c67aa974c5aebdab64ea11d40c7c2617b9d3664d39d42ca94f314d7069d974c8300035b501d37d55bbd52d78d4cfcab2ea886a685732f3a2e2683fe97b1da11b21dce654e5fba9dc527226d7c1b6149b63f27c489eb3ad183f06d1ce71ca2df5324f4a2082158d1905c328c35b5c5cc38e60eec085e7d86c6b9e0d181856ed08968627a00bd04fa63bd6fa1e995d903abdc76b6f727fe0b51f87721ba1f8943e043725f8213565ad1281eed856a3f5b7320066c05fa7dd7e1e8f87c1beeaaf20ea990a28debfe38ae440592ede139895f613100a99b2de0710505c123d28c280ab440fc264f51281c77e1bf685a12c12f3fc35765f9fc734f318d54f41dd9510d52af3baad403d5281792ad98b396ba3a3fcc61812ed729d877b541f5dede5d6c808ca93d74082a3cde16b615fda486cb7cbf20e045160c5f22c0b498066bd038da324f3db078964e626e023263cffe37b7e7b60689ba612c0d5c0b7377427ce241092c3342ae27f1263ebd1b1e9ac95ceaab495152db27bc30db4b3deba2d736d53fe660bc6758348d5bd643d1ff21aa4d8eb1e5dd4576729ee1e649e1dac96a3995bea6e742116c4c860f8924a8b85d5ebc2214082bab0d48a98626da328bd2fd787ddef88d16ae19ca23c65be3cd3452751ad669aacd2e6085042cfa3b299decc5e538985fe4c2607fb3e74be761d9c33dbaeed9259683a16054bf0022d253d0a2c94062a556ddd41c3220f8aa26cdbac4cff3df5e9b16dfabd6eeee4928636cd693e708c69edc1a5164213ecb0e35e1ebb90c1f202ae37d0ddba7f97b2df5b517e74bfa121a03fbcae3a85541f31895cba0e8d4aece5c935742f27211dc65e14f3311f26371afce2b9dd236d9be1918a5ddc9760d421a06fd455ab36a1ec95f45fc67892836e40e0869973a97d07fbc7cc5598ff7967fb78bf2871ee3b23f78b3dc109f7a0a9e940b5e01ab2a910992fe1ea9e1b8c601d9696d2c2c04fbdd5100c4436cd9bb0840d5de3beca66a72e1e981dc5b7f53d08eeb4ba8352c6d3597cd75d7da630d8a9d016f9906fee70614a2bd0c37a3b1dd3a813ad2708ec8a54b22bfce4433f6bea28fe6bfff5b96f3593da7c3bd3a863ed6503721cbebb9cf5e5c51bbf2170ddf1b7298b82778a98a946d7f2f14e838a3e2db7537ad67d5c276de11095e473da2c43d7635babbab6cb80d7ce1486e614c904fbe0082a74e46c8d07674ebaad6e6ee40f0f6882d4c1b3243d061e81b3be8640f207bb194453ea6c1e252d2a04a2031bd1342fe39369a897f26417d968759a5c3a06f030ad0abb20cba76d22646f9edbabe55561c1a6a262fb965cb00a618faa07fd544270dd212be31615708aaec4096858bc7f660e6899b52171e9396ebe48c12caddc3dc40b2c7493e43b3b3e12b642f1da857d6bac348b2521c50d5ab6b844b5074cf68209cd349a44f480ffe634a0b5f7b29ec26626d36c8f9f0413e6728b5c0f18a2e936cd71ba050d4e8a009f917920498200b457832ba65c0466d64209e93f35115955079a6178ef9ab982395c2c11e0f4099ff31cceb2ef4cbde0319fd77588d0e7b0f824ddf879e4b3668c370b7aba875080a97c455d287c0b591c52fdf3fb190b9f1c52ad92886f8563ac9305e47bfc9272a60ce0172fc83c82e0c640cbe2b2febb171ca215397998223886cf6b1f723657752f48e24a083d95130ac30673282fbb95a40abc93db075439772b5ae02412677ef88a76f9922b0ea85f038f6e5c0bf2c8502db3f5578a4f34d244d61ae4399bc7721d936da326b6d1deb4d005a964f6da05952cc27ee6ab7c985f67b05d8fb1eba7c2a5d154ae867d176386377073e2626b0a3a2b5f882144664a1675cfd107ceeb37620a4a4768b55a24dbf71ceb7d9ba4f0d1e734ae46fd3baa491da572a380d86ddbb40d6e5195e683350e6b58bbcbfff111f24b36d6de9d8fcd3ee8068b9b7450a190edd21869fe43ba26478d3655c53b76ddf67dc282a7d5657e93c252771f53fc1602ada31b000dec61c813f053c692c49b09e4805a5411fc76998e7f82d53128fb4e42ad2e288ee9e003dec36edc7e039fb87721a4126355db44eb43e89bc29c70526158563132349f441e7e85a415b48b9ba536efdc8ef722c7f4a3f52c78072c7ae1d6894bd27583259f6a577edf4007cd320252b73426a1bc5bd7e260625527340e90a369fca1e88d7eaba501cd43207028b7fec5d3d2ec35e90da793ecf3638a1dc0e26104264439cafd8c62df72ad385d0dbba724ba5962b92ff8b0c6c5ef31fb668ba242e74fafbf4fd81b1d526ca3e3a2f25bde45c3c0c17f9f387f90161631b9623aaca870281ec3fd45796de02aee61b9e32e9d3c370bd4b9816b977b34dccfcc6bd71a86d7e8c9ecd8884386cf94e70f4711eee06b68170d1279821148ea161031d9aacd6e4a769450ddab1dbeb4cee429a339713094884fa439968f9b01837492066e6ee6e3f7a6962e5b0bf5b60deb6c25be3121b6b47b65cb457cc82e95fd30a861ba11830bb09741b180c4ad2a5d58b6e1f7b97d1489a06129583552450d15cdb74ec177e18bfd2cf6202e883817dec4ecc60af4fda42f88c6d54b8ec1170255323ee838a16dc547d24afdd9429327371f0a8dd5926faa063d15c3ff3eec70873a53ce5983259ddd9944d5ed780eeb19f334cf61aaf7aab0feb70b3a50ca55d205b647a333daa962aaef9e37761fac411268412fedbf24b783a83783a3cbdecf15aa17a49789ba5352cc197bc9fb66b4f4cff97b79a25aa43c40f5213acd927c104a392724070e347bdd482fc8b3afff1882c3e9e5eaf5027e88efd72ebd37e3d9810e76ea4d7b2b079cfd5d942b59f774f221395b06fa92446db9a8d10de948977645221a7b1e3a564f614878fa1f2d2efb388105e0e1c03d0fc361cb42ec3296e5c68cdbe0f7b3f0d1cf56f667706ba90c2a15607d4e99ad588176ee795a135420e4797a91c9d404628a726ead95f9780a239c2dddd5cc745d2cd4629e659cba34a9e83d014eea0dfa57d641f6109728f6bf964bf397e304dd436680d1fb8d0280a37b06acb4edd16eefb339269e38ce4b9f454ac7c79cd634fd6f19e713c2955c234eac508ea754bc05354f5af089187863479d4840804284c780077c4e4df4a47f395384cfbd00e024a81386abd84fd11bb8c65c769e4a821f01820350487f309197e72b6462f29977519101ebc520008ce3306bb902964c69bd1a0002747e4ceaeb26239f3e1913f290a8182fd838f2de5c3f3ce4904baf398768aac3b9ea9d45af2556ce9cddfbb48255f4e615b3d77a4ecc802a9e338be342db986deeda8fe021cbf6ab9995931e8f624aaf084485e798f4e05d1f50dc81107f9f55f7a3998d3f4cc51f975d38fa4721bb55578473b1be71ed627832435cace367b3d7d5fa6e912249209e0323657b8e5fa6e8530d75911f36258bc32cfda0ca3b8bd067b67440a3101fa9d7c41e4002312e32dd1321c5be4656bbcd28ab4411bfd23aecd6d1f66d2b25e9d518623f8ee2964172c4061a20fe45be641c1a85727968b19e87844f936fbf217de8b985113e5462b0b0507f571be2e81b2a2d1b1d7fd1017f47a5146cfacf0bdebfc833b880b4f73477c8649d70d7db8f1e352d6e3a943012722a02533d61606d93cf024b18a9dc4cbe872b9a2a693d25cdc2d34f8dd8cfa6c25e648c37ab322b30e9776e359fe2e0fbb93b38b688fff75f3bef9d4b93368e89a7f204031ab35ec2250a1a9ebc84f2dc2a93203e955c97109ab59a1dfdfc4d5b009daf69916349f1aa530453d36cd4001fcf1e60d2dde684aa43f4d872fb193776f032e90a39ee4d9f5c5e602503ea9b42a22e88ec83f7049870ee77dde87776fb6ec6fd2064b6150efd3a3246fb21ac7d1df9f51e2ab7188ef3118a7f98d2263f0cc6e5dc171d43df53ac00b226fd2ddcdf075afc85567b47c37c34f0e9bed40f0ccfd5b347a4206f6c661e08e979e28f426cbd7b0180963fcfaff6ceb9aba3b12be95d2dd8bba3c658a41a12d4112e2ae05ed9dbabe27ca541059b61190cde566e56fe9d5bc69d2f53e52b52f8c023a58ec0453a417e84edf37760aa0e3fcbe6ef6ec7f4a203e9ffe3f7cd23cc395ce5e72ef8a3665298599da4de58a712388b4ff9eedb63484b92f0ba8033b1c3c7a9cd1dda07d4ef3d3485eb7232adecc421dbc5ca0a7860f5140c8e93d0b770f0d07bd09ff86b166f6e1efbb467c89d67da9f674e1039bce15bca3c33cf626c29257d4c397562b802c1e254fe1a2cf5803d9f571a83115e1c940d52b862d29657c75e32ec71af341af4998f37e129ed717e7fff26f4d45964cb4a04aa77ce0ce0a9bd53269170704f64811c3848e5b05bd8ec7d92974019f2c5ceb23648417da1cde22a2f0b91f4d62938c21ccba16b957dbe400dfb59949c01c68f59fe11d96d5dad7a39e6a875f3a84cc3b62cd230654812899f4118f136b896743c67de85f820745036a373c039175e1e8bfd363e535f49248059110a119a94a65eba95659964257a531bf1311b2ed28e834fda74222c3604c90c2305c8a4a2bb7b5513a9a60f5a924eb9f1c7acd4b15811da5f4128f2d48efb43573d3b6978bdb8495aa4b80afaddfc9aa74a57a6e5d82a201cbd6cb6d4e6dd9cbf545265d646385aee2d055f4bf039e879a6086088e5c5a37c1a1d47fa374d265fecd3775309a43bcbb520139d08ebaaebd8f1d5a9c1e282ef45084f60ba838b47957f4c9eb363336a923d69c2e18bcd4e68a8f5e74931cf1a67acbe84d8064628d5c429d5398443b8cf487485094c9341c4ec6f8dfb7043bcf5d87a2d833d818ac8e5501e5accafa6b4cfb7b4c00490d1af2106689d42f61382472419c17e1f6f278681cb6821600e645943be22f03c3b8dbf6290201767c763bc07bb1407aee28e507f03fdd18c1ffe29b0fc7b3f0a8ab7e3cc2c13558984ef80856e2286f0bdebc790dc7e7bde03bc271011dd226195ef86d91e57066f5b933007f4d9a96fe2f2ed4861761bdbf3d46739d4aeeeb28bfc98d8515878e637a25ed115060ab2597eba14ef2cc67d247cfa89288a2fb83ccf5af26317617cc9339fbf8adb192567dd24bc11dd8144ff087a758baa2fe6335a5751a18ccd8038facfccc0ed74ad1b6afca6489fac1465623f0af17149a58a33da6da90d1aae212a3db863abfe10ecb680367428634e409d9f85dd4414adf1da3d667c4693b26ff29dbc25475754bac474efc8aed58463b540394e48dd00143550bf53d823c2dba3d20783bc1e49d0d79f75e1fa2e293124c16971f50ab024d6369d42ca2ab3cc75463c3a8bbc580bc1708a40688b341f8d1004e5a4c60ab0e6f315bf686bb21c671b7034a236337bb77a1b7f6d01abc4f4f7558247f59aa10e11bfd6f4c5e65015f09d3eadbb11b854913b93ccad9c8feda1b96363bffc8a06536b7d00f725ce5d6fcf0823dd86e57838d3a02b50bc11813e8a8d8775c06fcf841a943c0d9e025bcf4f5c6946ef4a95b03d97d9e7bbbd3e5a1bcd0ad5fe4323db859c1e43282e82aa29324e97a9925dab3d675d48e663414ddac15f56e9e9de9c39f856bb528358dd003050df5c336116cc29ef8a0e449d5c609db104a5bd53ca5c28fa7dfffc1073d511448ef5e5d86f25f8e81bec9214285700c05f601ebd472d71623ddb2f19aeeeecaf7685890a3644f81f69c1788c3cfafc3f2c8df72cc7d927835e9eb666b129d663c425224778be8dd0d87a1665aad99334ee71c13b2a1a4b96d4c91f70fca27999e6e829017d25bdb870d5e479c6ed087db835c9ac10cd4ee956328c10731fdbfa647de841a72fe9e8ef0ae1e57d81ac3a8573667c41472ab68aac5f4189236436f758c35d07e590a01801626995a3fe4b1bc2dbd37e018610b01f5e0c1f6f11c7bd3f6cfd38bab2529b7795191bd2b36206d468ed501e44c8ca1219f300d8a5da74bec71e9aae07799baa6afdde68ba604712a69ac2c858e76fb309145a2d4e125e2010ba0a12ebd50ed3523b1b65465aea1939c036183313864d16dfdc9bf30ee13c16aee3cb45e4b08e78ce9f7c32f15d686fb670b29b9bd1c9b4064852325383d7526c1c9077fd17b244069fff72a363d86a7306dc96b1a3a42df87d3e85b18ebf4950a11c0469c015fdd0da7e97744a1bce5faebfefd86c4d5b2aa60178c4c5b3f74a266125ca1d65cf9c1558b4a2051554db67569855aafb720d65a233d26e012ad097c0b42c524fa146a70b7b59c1a856d51ceeda5696781762f6c441a95cc4177d0f01de33bd400d0fb582d2d1c44745b068a5cbb98859c4f4e823f680e8fc4c91b0f0399584eb93488d9e601baae47e4b293eda1517ae062a4d3ac1f14f81b856d85a9230a31cf15320272824009143ec4f96213f0d3d560c645db3edf47c66e4fd9d757c09f98e64aa9deb59f8cb1aa2d8dc11f13733e745cedfcd024d90c986829a9215aa16571066d6034709312b1cc8458ae5ed13d2c7dba13401a959a0d9a90fb4a2ae45c8465f8e0ed5119d7c908e228e3244ef2f9ccfb72e1df9c32604a496cf49a9d4d98815a2309542bce0cf234df48458d3dc70c5fbbc78d7376cdd99e53760cfc1612cd6f8e712442f3c54ead35788e561c0adf910956241faa9d40aca975b2c7ae1ee400f3209df2670384a5dfb24663950701f918d374fac88ece0429eaab46a4f3286945e7bf44f688de8dbb6b441d43d2c7be1c557746e318630c9def2168a079bde3b75ddb42b5526685e7b5250012900c241eee5636d8e8ca6f1f8bca6925661df17bfbab26d69c6f332663f9e13fc9f3d40785008bfd9b540e055bdaba231b5be79401424e42b8c4edb81f1d8a33ab13db4f8517729fb352fb41a99c94f5eee3d220c2e1ad319e6f1ec234aefb515a4d2428ce011384c505bc4173eb0bdbdcf18f2a88b76697996b73032a1135ddb11da5805b46c9528fd5fab4b1c46acda6c70389f204131ba63ba20a6db14fdb9de6b6caa65d19d8fed70ef4d179ee3429b1c9084ef7e005a4893faa2f3a8879597efb8c3f7bdd660a6a96028189a35d575d8d433825ca487e033789839963667a4e4ba66bc8d2f2ff04e9d081903e31ad437e73b96ffdb434e650b10756a3ded0e501fd4c2a1db985438368228926d00de93a523b32ca92df73262ab71067b974e85c5a8a8a70eff2ac73cc7eb1b216c7a3d9d6c233486fb02e42af56d5ba1cc7ee0707a8f95dd4b03e6d11c251eca065ad865d908e2cb063adb50e327d72f4bb33be11000aa81c8077467582d347e19b042cdac85bb3beb153c7dc54e7298038c9ee604f61c4feffc214955dcc76a7e41f7edaf0ef597b1f132ea9138301964b60db44a3879f21b53636ed34520ed44095c6a41cc035e3e0e0fff219206be7002524aae8ea29404feef63344cd8720fbb4a204e06b49e9583f49df470fc66a69b61955d0ab9c98221d56ad967fb07534eaddbdcbaebc9840ad3a615fd7ac48113e4dd498d9199bf4e18fc664ce05c2c3d0d9219a3e91213d2b2336af861e2ed206010ec735fb5960e39c10d6feb45ae1de2d441ace81f9cd8067df109bf585dd85bf2f4e081760d3bccc32d1be7634daaba664e3eaaeb03a35262237c2637cad8acc75b3c667147bd2cc40d89ba3d811acafbabd26e0448bb39ea96f631211d5700cb1da53594f13bf5823b70f0a45db205defa29ea47dc2ed7a34b2e7ff21babf6e03f1628f0ccd1a55d845a778f0791e819d2551b93d90d3f96a9c30a3682165be95a63044fae89d2172dd24fb48d98f50ac624e82c3acc2f120457aaa383ea134fe4baabed8bf52f3faa3b2dc6d326d400b59e4c642d3c428c45fe55b4d5beab5831be487ba6f4fa10bdb4d0bd5fada469bcb78debe24338bbf00ec475e41bf5d199d77a59b8bd42da5bf52e3768b5f493933927e795c976d20aa39642fa92d85990cedc181feb750e86f4fcda2c85bf9799e4cbd4c47246ed388749d461adba8f28f00a434f4be9e48ac5d937165e7dc07a87e594688a1fd84513f5518c16d0739452d16d2f0ff801c5b2279d9b4ae47cee523c30a7d566faef8722cd233e32706e8ff7254bc2fff3d869e8865cf411cfe921d13f2b982288755b79c3324382f81a7cd6d39b5d6497b3ee3123f6c4e3f86f159eef64db07a765907a53312c7ef9f0d264c8285c0574eecbb218e58bc7c24eda425ddebedfc077da54928ce0db1e393f8057c790ab25c166dba9ce3228ed24450c7689b6e41ba2c47350cfb1e852f86f5b92dac1a67d08c880d4312e3c33e84e761fedbd4b375b486bd4c2ca4b41ae5cf2aa197b34504a05aae991986ea5048c885022e3818b0c01b98dee1152f9152b8e7b22dd7ead3a18e366017f3fd43312122e25f17f44dceca8c657767f5a43da3d7b92a24b2d382069a37f6efb12108c627e45258de90b851a7565e74de95d7fd8496c74a88406d6fa6067dda480af196b0ad89e25236ffe91b35ef9bb7d0c5f9328ec586c30122f990ade0d3f2eca78812f9ed5380b8de50f5e7af78001ada4aa802b6a6d33185644c815370b6923db1a40e6f00f50936ebdddc4dc6c06d877db1f3f840c641aff595c3464faad7354c35955072744e8db9d5db02a2b83402894bb005bce11fdf278f0e9b4bcbe77d08b865f09d3bad4a37c14be547e10fe843bf2051cecf572790f4f0ba6cb00efeac12fe65bf77a5eafba80983ce0a0535cf83f551cf44f4fdccf192b928b0fb0a30760be6b996ebc0e9ed771f740c9bbbd7bdadb68cbcb4a0b14117c5c1a12936bc1d345197455d0de73544647b89be0ec947259ba3404de085f36fb257ed7de19449cbba351e11b40bb6c0e125ccd70b96caa46b282bfe94925b811ccca25f4e1e40ba30c20a14417811521be70d381abe5a02f86d6fdcdb582aa996f646e53d9d5526582554cca3b13680657b769e92b006603e6f3d7ba8be50ac1e6ac5528b9a6f6b7621c71cf94b29bafb75d052a4a386ea6c9aedb2329ff9422a4129a98ef180996080333b26855ba1d58bebd80ec98a3e2647eb27686bc51908616bcfb30e21ab0e4dd64cfc71b9c2fd6b50430703298c08181c8e12a4988c2b12a04f56fd371e64938a703b33d8edb13e5736f0c35e23264e892273cd2dff5be3b291821dd598826a01703b5efe6ebc7adb87f9615db4e7979be5b8bc804fcb4eccd18794cb765db45301697864d484e2e94035c94676a2a509c09feb6bcdb4df69fef92d782abb5f75f9c920f8d2e81270df0326d86adfe3968d1adcaf0841cd0916ff41a2ad5bd6fe282d82af891d748c1ee3c1341c71e065c23b4ab7b35aad856835425d8f4291a63d65c3f34048d53b8b4cbd2934f13a22ea158af9098dee6278dab79c743eec53cc032786a8ba2a5c03f437f3363f34b1b99f7307ae118c1d288ab2d8fa3f1c512113464713e0c8cef34c650219ecd48f86429234ff11a74386903d9879ff7d66aa48e8809a2ee447a3d9a1ae3ddb45b26997ca4173387c25d43fa9294ec061fbd359341912473cf29bd4423d266752c229012f4eb9da6d89d9330b60c2745f3c85e161c5041dd65401a10a891d45a1a851cd5a0b1dfd35ddf370acd42d2f3990c9aa8c638b42c07b25d5b6db2fb6781416ab0a38bd94893ba79c205a2a022440a37450201483cb8b18e046663e519c24dfae21f161e10af16eb22c8dee528ff21acdf10a99d9278590fe00e6c8b86d8f3bcfc044100dea358aaa8d7859f7fc4e646327dc14f19b267d3635b994e2adc92e242dd01c9f011099a0495e4c5b9400556bd6f46c2a882bb0d9901217697d97f9df64f3667ea61b5a8dbcd0783bb4f088d16c4c3075e2fae72917270514ed309849412aaadc588dd595593a0ebd0e81d9eef36c17ff2455349ecae85095ac89633f1f4d2173b20ca6a9f6ed4c733d9ebe9abaf14c242bb190dd5d9868da91ee4e2a79edf116be25aafed829eeb0cf12e384a548bd5c546cceb7cfd0fb7bb85c0397d78cbe6ff452fd42ab4e5d99b8e94f75aa79f5386f103409f9d542c19e0af95ff59fec624f9c13acacbcc4f2a49d8d5712f67643ca4a2737f9a330945b4f910639bfbf7943267ebe772aa2282d67595cc7932d227eca38b082f8573c8e8a6940122f1ee2fbb125bed9e3156be0d6f7b0d3b7ed912c1ff35bd465cf2dc1563c9f238a4e19aff160f2362055a810bafdbdd3a43b3bb9316818b7f0c2b25e9f0513cb76da1ed85bd49ec58b66f167b933bfd0e9e5d4385b820d888f79436fc8204df5a27da41d4de0e677c4276ce7cd9caa87332ee942a6580cac0fda2002c3e151ceba03f367b141cd76d797e6413b3637aa131cd55e62ff4cac1604336339a9aec619803a8229ab78e01d905c768cb638b1ead3fb6290273f7fd1b5b05ce1ea7ec4635462c149444069bb4aa2fd24eb5a25f9bdc2b7513d1e36c902669af56be86330f3ab20bdbbd40c26d3692525fa1e69c5017ff468fb3499a6e11a3d441364948527b65d2566580badfa7c7d32feba6126b2e96d13916c251734b18fbf8418a23598f8829ad220e8c3b75e1fdc242eaabc63769e40ef61d9ffd8c3384b89be02e4b2267043dbf59010e8bf01c2022defe0677545559209585a6d14bb95de6190ec89e7e4d2fccb6bd5eb0d43c533f64161cc06cfcd2671f98e2ea403e1ad009dedb1d4059d3314dc244b8e108b954e9dfe2fe6ed4fdb59f57beb8416d985776254ef746333f75886bbd413b43c279d1ade19a590b6c8756030b33ce5daccd585d25e8607093a1d2dcc45f34f1a7ba57010887f135126a1d8d296dc904c4e654717107ce8624f1647247ad2787e7a1030208d4818ef748aa407a28cc528bdd1aa2734f6d2f2aaa783f74099048cbabedd8abd97c7922e5f2e4e6e99867691f4594d89028681c03d29ea0ad84e1c17970e18786243aad1ccc3185813aeb1e25eee6936a79c1dfe668c7c28062b91a751512f0630f1a9f45eede84d76496b02155c0ec263276b146bed6ec54eeab246b2187d7db507d82dd1313a02ac64806556818f7b7bf730c05c924f373e5e019e81a5d9286b056db5ea059fd7a92d169e61c4781d0741c2eea0e45b6d523e4a995561472828cfe54180e8ffff44dbd58a1d3f978236f2709c3f3a879d9a0a81845309b3bca02c5f15e62d07ec48b7306c4a5f7404f031551e9c7870b8d817c784f87964ed6edee7aefc2c4c58dd0b222c402ab15b0f71c36755a8356418187b616ebc7e239786f9322a7939a79c7bee0b7e2131ec7ee00cd2981b78f16cbd72d0b7ed160f4153c39ff7072c50a4ceba047bc802c4991fff7edef396827d38a8cf4b24efe92b0f9851970d6d97654b3ff63bd679e664565801000be865caa84825643c0ff73076b9d83a83211f540e6ecae8e8b1760050daf81695e999228989ae1013e4061abbe7929a5c6a126f89e8bfa16557ff99afe16246fbed5ed96b30438e412cee635dd3cc47fa526f28e81dab2942eb2f0dfacbb1ac55d30d42090fcccb7f0b9e520418e195cd682ca17bb7822240bb87c13d6074f20b7895fdd44d7e09498f5af1400cae141764f5ceb29d3fe64c69d851a2d53f34b8015f0d1a32bf461e4356ebc53939c7865b714af2e451e6411a042aa0c0165ff6be2df6b7f6947c8eaab100cf06adab6ab25482b90cd818cffd92f7a3a3d9e71c81fec82348ca359c554adc88948a22e5952348a6f67a7a7359e6bc1dba3fd58e4d079bf205fdd4c69410aef784b8304e7a81ec413a3c7eb1c6117db137f601248dfa6e712506d9006013b9aa22a6bc2fedfc48d36be89c7a498ca237b94e1e1684713e01303a11d06b87f142a43f502e4964a8446e45a09d038f15ce713fb9b5c0a059da2ecfc4a7c0a036e5289de3e7588071c36f654d5bfa869682c47573e404a78ba21a3827fb69278d2ff34b7991e221c31473ae438266969cb42ead936f84b633184bf2a12e7591a836e3562734b7453be3a450fedea17a495b6279734f23f57bcb76385b9afdbb3089b5a74366e307e4272341f3f0929ae356eea3261b228b6c493d04517cbc6c71de51a00633745f09ea4f89f5e6f764bca0f0e9325749ae3bc4076436f896f06db550e5b80e36e9828afe831f05b312f0bac91dd4a93fe73f5f12f22995c0076441512efe2d7431c92876a0cedcc5fa33b829009a53b16a35f1a2b70c8c64759c3a89505b8cade9bd7df76c108ab6d0dd4944a44b3993130df06ad281af953406cea6abc2dad514aec8a516b7751dc0f010dd3e32cc817a09fb727f78326114427d145fd1def774307362bb9e7efb03d66e92394667f0bc8cf35802f06f70caf46f8076a7e5dfac9f50c475348c5d828b74e890abfa42fa4f4aaf6fcf097cf37e623df847dc7cc471334e98791622bff991fda8b2bcfce0db32a62d8a824b84dbef0403ba8a11f03d09882351bb550d0e471d8658079382793ca995a8393ce22af6d9b86f8dc993a02015eea651fcc0902eccafdc773b2ca0791e7a12c9b7b3e2f768758787fdc1a04b372ac12728b8ab081b384b7f2c3c5511f3ab3d2427a183c8434be53076f9112b6c1c2b6573209357795edfa89349dcc27acb33a49a64c7620275f3c6bb8055482ce98348c013e63dc5a8d04fd54386d4cf7e171889d76b12b7996d1fc9ca4d74e30ef9c2bf034cfccb33755650357561ad738c0a06ec467aaee2688fcc9801fb38f89ff4ff869865ae3a2c68863987cd20891df42d9368b311cb77047ab4bebeb0fdcac990127642d7b1dd4c8307678c6c7594e23eb0eeecdc773a95ddbff54ee1e9aff119e7380a9c97733f41440989fc2a51c74cfd44f29d45bb104dce651e8ca87449b3863e8c6f4c089283455f17597189a40c2d4a46d50f16bf7e2053c3bb126ba4649a0ad09a8e91a9126a0bde5089a77e939996fda8226bc0df3527a49be8913489e34273b175a32fdeb1bd1890a314c155e0d5e33c326d159116d3da4699d1e6b78b1f917fd61e32adfadf673a567e44502554376cc4d644819e6cfc759e5bdc13bd90941351ec1e8afebbf02cef9b5e385b3ed54d27bf23400db36dcebefe43dae4358b1ff91cfca3d9896bcdbaa7342805553f117014017c34022ce3d8ff3bb51ea345f24398f97e84af303e29302cded3908aa1a98fd4c0b47ac9480af48fe6141e802623de2a516ab34d50d1591fbb0e57b980447d52ece095ceff30b6ae49d8722d824940fd0b9c19158e5bb2f13c31e87c84b6288457f578aeb0d288ab6306bf48ee87cc13a05953f9f04595b7293f8a0ed45519a29a4f749401a244fd8ca2e0b484012aff425972d03a4322ce17b3d91b2c21026cc37ed2d30636f41182e50fa19218a9a9423290f1545963889a99828707065d1cf44e461692fc7ea7fdfb2d706fb7430281d6af5fa7b2c2827e9685d3e0f98163189b2a270c57540f7ecbb2b8332ccf526c1cd02d39016399a8a246370012c0d77cf921b554510367470e431be8e2c0ea450309d1abfaf1891320315bdf5f6361c3ccf8923f38ecef2f2acf5cbe17ffdf0a3615283cd514fa7b2c8fcc638eb3abc35266ec45f0c658a6547405f3adad038b73adb6571c25e342b28c83f8fa4dbbb1c95aca1359254204b374bf2d6102ac8bbe81e52344b4c65b52f39bc0281da9d395a834e3a037ae9e624927a647945be7a3d870be536991fbd1947efa3f1277cda877fe78ae8cd554553f496834b486b223962b448fda013fcd2ce5b1a9d828ca95f64b03c0fdc723a46a1d1698b06f86002c96a03a7a124193f8d692db772338a87a4b4839e74b65c00a374883295f15d5b4bbca2118aaf054aeefeaa14261693ff617c70ae71a24c734c60e1e456dd25b605c0cd396538d9c46b0dfbe264188b1ff7f6f06d70446a3b544accc7eee607ebc2482da96244a6dff1c837d3b3fedbda3e4e63a18efdeb1b7afc6808a57844cbe34a7ec24ee5dfb94857608af2a388da0918f5658da02e6f77fc791f3cc3f61f998f443850316943e1569bc36c3600587caef17d49adb7ad319be9f536e1486e2f9063cc0f3bdf51bca6c2399803c7c71d7a17402b36a6dfe17c73a3c1d13e7be065a2b9fc9063cd1c40090b80b7b2ad146fdcd3b3e07fe161a6d7ebc78821d8fe69198772707adb23e722f3b4abffb942e38e43707b422487dd7bcdaba7caa78b58e6a08feff3fdc36584bf0ecdee7a8bbf2bf339b8ffff64108944a8493f9304b702b9382b4a74e3bcd6b3a3abc1872f2588a7b934ebb0cb66723c1a7183811a7313289569bcc77953d2e2f968a8ba6c87bd6e914effd25334952d0a75bbeebdce54ad3c09125e9b7c186570650a6021285aa546cfda1167c6836f2f42d415f4c8c80df6bfb3341d7de2bf2b69838f338d0e032b52de5f0fc2d689c40f9762ec49f03124fc76a4737a7724a17c17a7228e9cc94664831fb0f77192625f4e933c9f4c7584565f6f1f71115f5eee76db2d15f7f6ea37c7afcff25023d43cafc0ff58bb2939791fa9ad6438a278f0e2a527287c847158951d45986068b22ee976c5282a27632d849a042bcea33a863f3a9f1631b405c543f89446a0dd1a2107513ed4acdc17269bbe4a8ebe0bc141a8944340b6ef3b6261fc465d47edbc13ae8af122dd39cbc2747919f91df46fa4f93835ae0197eef16a503bf19668d456c3e4671ea9480d9699eec10d48bb439e752d5b2e7cd65f888c5ebf7d507f42a62b0020ee61cfde1084351f53b8e787aa62cc0ce526485260eb077eda45d195235555d761367057d222d01747968a88afe9d5a15ffb8f3f0017e1a0db732c9ce637fae1a140dbbf161dcb6721826435eb3957bc21f4ca15a2b5d75b88805e1344fe106a615e5828438ba9065bb5cc69d4951c7ff0d5f4d6e116413597596f83c15f12458ae47bc040ba41b407c2087c79f606f0ec78455e0a0d760687df908479021fa031c03e44699260389d522184ccde2bc11ba860bc8717fd65126a7593e31a970d5cc8295fa64d95e369410c89abcce17e8f764da51df70c4695b6c9ac2a5c84811c5e8177d2ef3db5c0b09536c2c14f939311d3010d95fe0f4a41e0f4732179d46de7b4f1a9fd701b9631041b042d4a35a9961b04c9c15fab918fc3690b3b8d3f201dcba20f28545b51bd4f3a3dedc1ed84dfd7cf57a48604ac649100448e97a405fd2788415ea35db940f381974669234c4697ab99377591ea90b1b70a012e10843ffb89d8d6c3554e37bbc7a6c431ad787479ab06929b7bece589cbf14771666031faf14d9589cbbcbc0adbab688190d2542ad043507b49359a3457cb1d32964d51fc9bad791cf727d72e7efb543f359838aa761c09625298c1266e249ddd847c34d1d9dc30b5619db4e366769841bf79e14981f4b3832e43d2032b7312920998a6d97b39a7fb281538f15fdb64ebaac2d05456bbcb8374669dcac64e140024406f28f9accbd07cbd5603229d1774ca8b5d1327539643cd6373ed27b99f2e6d12e351ed7932eb48b995ff685243613b40b7fcbd1c6f6455e1ba9195fe2244e086dced7e594665834d67a83f7571e9c610dc5cb014a01e20be288399aca77757850c24b83fde46d94ad2286c29c61e1346cc925c64d055ad9b1fdcef2cfcab92d3e8cc5bcdd6b9d302677e29b5d6e8d151ef60fb092f36654ed958e113965a32e1be0340ee1ec79cdba9c01f9112c9549b1777af5184d4958775ea737d0bce9083f050fe01c51fbe18552b0af3411dce5a711bc2f01d764ccb0d48a4c598ddcc93e5a19a4c46778af04c5e7d217a137e81edf4e388bfbe7307a5bd7a61fb052d7af124bde91c0410c6982297a479d51bcca12bb0019a30f2d722e9f64d3424c192b4acb964f979bd1e600d88e4ab1dadd350886fd47589710f833219b4e6c48d89c23fcfac4a25250686f164674db5d7f259edeb044745bfc53e6c2b60ff4647add5cdf6bd84cba451c23397c6e6ed10eda000ee898f79d8691e3b2397b7053e21026e9184c93ba76aea5a0acceeda2062aba823f053eb6647a367c2a84d7aeece8977b259bc8cffa6326af0378cb996797959ac7863b0b23d8d50ca10cf235d849691408624da22dd333d9147bea937150d9b67809d30fca392212c4274a78df05572595879e922f8c5e8e41d5729a010cec5f4eab78fad2524a4198a541060c07e89a26c95a6d64a2624b8ce9130ad56157730c75b7eacd1fcf6573571fe5150ae8af7e0c70bdeb7ba99608e8ee3aeb2dc46a17ce827bd8f119b70ab86b4a644bcdbc217dfad9eba00e31d7ea081875dde28eb9b2fbe9bc2d14d3f88776206471b538ab6e4b3f305d8610942d5b9d194b0fd218cf1522f283ee9fd36e553fff43f9d8a2164d8336e58869d66f8e245f61dbf7b00e92f1d620c80583d01cf610d402a016a65d728cdffd2ed3492139bcb2b399c6267dd4b1839dc1797aed44ea29e31997acf4cfb9455e98a903ed26a1a16e30610dbc27542aa125a8de3418d2fd159693e4a70436421cbd6f32b46096d61507b889eef280c41b70c8a678a0b6e240fb403b2545b46e534353c53b8bb78382ddb27413b3e4c34a9a1c48d31b49db7137905e7198701fcf7e998434058d27c717b055703c6dbf06f6ef96c5b8784546682e7e4731809dd9ebcfacef5369439905481c642b544777b451883cdfc88729c1207af308523e578e1b96d833ea762cb6524f7d79b25ffdeae3d77a74c86417a622b06ae608f25c7de98448327508caf620faae5e7b6a0624b743b766c1825ed6bb5361e35a46370e7a5f2e9c1cafb3b2e48a025ac572a2b33dc7ad9c1618911e7112e1c3f1d5bc192fe84cfb1feb38cbb28e497a619cf897131a56d037c78b867df4c833d5facb4df496813b438d7f559bd29a0b7f6cbe474246e1a1482e513aa38158e855a6731ee8933fe0384b7c08827b47491e897bf54f45fa14d421988a40ff164086189c5e1507dc446c2291ea41646d3bd2923294a5e4fc140ae44c5d9e4ee8a0c9cc4e47cc6231c7c465a49514a6781983cadf729111b2fb5a52dec0cfa38ac9cdb792049e649212411ffb3636d864c12821a4cae63a7bee3ed225abc2c20c69f55cf506d3d11165a28cce2e74a42c43d721a9663554cfad7d43c5ec731bd499ff8a9cde0ebf5b2d44a3111788b73c1d116e1a2f95f17f920dd1e75f2130ca32b84c8236e19864c7e726ebaaed8635d347df758f8884284c3f18c3dae2ff11805fe906cf07a13fb63212be3c950fe69f539dff4f1e108c9210452d96fcf84427eb7c9b919063809d53fbc8176121550a6bf367ed99d6d8290a1c6413b4764b008e7c2225f83d6c9cb64351fa98fc276b6b283d453d4a20ae4182b825cee869a37dee50a1c65a4493ea20ec05e68c416965e43d16ed4402e7a90560e5d13aec2c88d70d3237cc9c697fdd309034e2566e8d1851af4c7180dcedb2578b94a770d4e1f89f3d4f1a40091605ead60133ff7a29fb53e59c988a8aabe9f5fcadbcd5ace0b00d791224a838f117490d09d84628e1773eed664b9f24b46e6432917cc08e5c68fd35c66e2469083a883aae9fa97d92b536660d5b0d2d2bffcc0e5a586d3ec5a35d5e14d1b79e55090ee4d5915e8deb660dbd12bf08003890e87a8ff6f340e58bac7aae4daca841c3f81220fe530a9a8d30d8593dff96b6e41a3a2a42e446df280d97d6e6d1f71442e816a2fef1ad9d8614353f4f0da36342caceef6030fc65377631dcbe85633cc1d754f769f4e8103c3592e8a8fb8dc23b5a8f863f759610d90325aa2c253b33260ee26118830ab604cc5c7832e0718a176770904b23dd862a7766b728b5ecfe7f9c98f001e34267138c45224c2e4bed63638925ead4c94677421f47cd604fef4f7e09a325d65876c0229e8ac520038acfd818b093a214e0747bdc52f95de043afa49a0af63de8af0033e470425d633c2ee54afdba089fd988bb0a381fc1afbafa2d41b2869b445f6f0992b3e37e35e11af682ffa92b5e1788451c7d6eec4da34aa87132cb1404afffbb416b2de0ba7a29231942eb310b561dc41171bd05e7bca28e08c15f152b2655b8951cff32100fd81dca16b37f5196a3561cd77e0640b6227e5fded500849a65869542695196a96958d44d3c91df65abcdc5f668454e898a53bbb0dc49e18a77c79dfb82562f57983ac258ad181187d929c59ae4ce96b4dc12ff6db7b68e05c46fb4b1d7d7f76eb7a56b8159a56030b7b553a067df186bd9684916665339ae838d30644ab509544f354f4390525e3083f35a6b262ea0e0ba600cfa06012f2c3123c74ed2d54b929b3b38417acb1ee04f3e83feb04b73692604e77efc35319a2c6d57a3c2a96c99aff7dafd87327cf56de81cb75b1c6f4d2a28ff5b45d20cd55675ac671c92a1bb087c3aedf25a716cad3581b09097e9f50263d1b8ec68c3c08d83d26d7feb30e689b0e8602e9ddbce83b3cc67d49d871a1ebcf25c75406ab7a46168dbe07f3fd19f9d0e56d116e50f46df34e2ef12925aa17c78d2a0472b6c95842603f5fffc33a3c47dfe95232909970f9e83cd796b723fafdcc0495ab5989b0f6915a88832d87eab015f9db41cc67cf64c73373b13b9460c9cd47542b59c664a9efb9bf4a254c669ef888bfc6313b2a9375d8986e83062319767c79a0962fce06b8d4b97b9b8472bf1581ee38859a398daf003bed4cb2f332c3a25bd32326d9561cf2dfc38d6ccb029d152c67ca8dd4cb525031198bc17b99b00d3e0a93c180c72e1d85ea63f2543d892fd59b2805032c8a5c5fcd6505fa286302adb0971a091a5c30df3d317db4d608cc08b424b7b98bbf12e2ea62b14ca626ffc73fd4ad81667afe5097fa210a1bb9c87d358f2fcc0ded7c72e22897910cfda6bd5c5e5ca884a61c2a98cbc7dbbbe6403ab9e4830a7f5e408ddbc9ec1ac85dd13c1497ec12d2c9db5de89438f0ac690409af159eeb7e7e71ce83e5557de89d660214e814c1138b5c4cde47d111a59d96554a7616a2b400641ea7d2da8811acbd26c87dbdb4fa5bab3b9dd806b258a4480d822e28cc27a505ce24c96ca4698a90eace94cc95849b2c7fa2d8c709ab586df85edeae7c035c8af4668123f16c68f248c7400360eb000da0d66e7f167fc2b5232102d2f73779910783e619f323edf942c85e4a318809a7b118f718c98e401fc49bc59b02390560e815dfa1bc2cb5dc1f2266fb9d33b7d9a9ac85522efc8eaa278696a32f5cec3cb5556a9ca0ffc006f93a9ae68a927fb6969e92b06b4fdc234dc42731a4b38daf8ac9f8f1f4f73aacdc76b2bcb021474d039c3454eaa0cb47aef8fcd328d94003a3df8a70081663bd1aa5295ba5793c7665bb9ddf265345bed4530956081f327c7572786f98aecf92091c13de5902f36063d1d21f12580afeffb761eea79d373341f2b1d2f48e6d49f3671bdf1f5d822d88fbbca41cba6355d2a73654215cc80eddbb373980d6f2ac89522543585bcd1bd519a2e7b2e9f518c889f26a96e6b3a86c23dc91988cfc3c65c950d0d9b00c231ca30868d908a5cc31c85297c7e08845850dcbfa5b9d209be2f7b29ee11f2bd5247572aaa44931e233d9b04bb6ef83e8f3256df0ebef09ccb4bb58177a5d7a62272947ceda2a2f95a2214fae1304eedf840b949ce8ce5289d3e4ee204bf0f46ceccc37adc80dc34360f12e7c386f443a37664d80fb0190827783968e49a3d7a0ab9df0948bc1eee0f299d4f55982e5bf589e433eec23f9f30b32afb1eabe2b6d15413a541b8eef0a4bed9f2e5db753713c2dbdfcd77029470397a374b17168951bd63ba27f5d8266f908f5f75d8dcf40b17e412a8cba20656acacbf777bca914dd158c58df1e6d57f70f78d7f758cfdbb3a7f42b095fa72be13637a764f291ff36343a9efa4cd4f9ce83e21d088eb5da57d60facc253a9809ad694f82c630d07f86dd4c5a5a3fb28fac1963e924d9a203ba59974070d3b8aa983dd1126c6ed34bf61a48470be943cedc78e4f5ee3ee81f61d434ae2b823625e006b81262cbcafe87b146e1b38de1725997fe0595151ec82bc7de3ca8dd9d275c7fcbbbff048edd6bcb87c7d89bbc8190e36c5eb25d09cf6163a91944bc8d81b8d705f87d9397c4dfb5eae7eb84747b732645475786db6370e433f4b562bbb810eaa5f5fa504571d7072a89da2c7d830006acc5df1750c64965633b8e31aad1c22649b609a0434fc4f5d677dd268f4c87410d416aa392e97557524f7aeb076741addc1eafab923bd95b70683045e96d34314ef449c25d3e1e8173f1d5796d860da62f16a9abc3ec6047a2c6735a97c37c12ac644f461eab32f9755ac9850848b2004ee9a5f696f39ee9d5c5e0c260414abee7407da6f59689c034d116cfaf9f63ea867ff5b170b34fe761c538874553ab0a83361be6241bda4757ffb4bd4c10ed83860ff85268651f557223d0c701dbc2603b3ab33d94c1344bda45b774660736125a1235597f7b64dd504cbb3e17b095b3b836476a8bd87e288377cd1422b2c9552a04569d54a826eac1b4d0ea98cbcaf7ae2ce93df4bbd6af17daa3e353f6bd69eb46035a2109a652ae1f5a7c40d36e117ce1e56496cd34f8e398b77c5742778360b8232174e7fc1a990a3d6b8fc6403392b893e7bf5517b829e86bc4b623e76c7d650ad3131aa1d8a869c9fce8fe156d1b08f39db6dad072f06d687ab143703c89282fe094ef04f88767419f05783f4080c475a3b2d172e0996bc0528173a4c53537699c9959d932afd99e666c98dd85ba0e6b5356ed144ab486ffd190f2bdfa8d4967ec65aaf827a1b23f674cf82a516daae99a5623bfb696e3f7897299199472a7a987898bdb7c92e62ffa43427f1b0748511e78e050998b7ccef263f7b64ec61a011268138ac40a3605ae867c49c85bbf1a7565806f052769916e11f54a96b2ad31771b5f875e77f0765f64e4d92ac79da30c29826d506bf3dce7fef9ab740af9757c2875831fdfcf1d2bf8ca68bccab73eff85e5cb300f4e6cf923a0b0e6288c08d958965d41420315e948b62994325c7d5a995d800514369a73cdaa245e2425a837ed7bd0a7eacd93f8c639857d7df4cbc2c90a4756470252480646261c5e2f7008de8b2de349cab0aac0b5a5f3b97ff9c6dab8da4d2385520cec793e0d9b64ba2e40b635b61027e197940d056a5fdc90859798a36e816b3747b0fff8793a12a0808ef40d957c77a557cabd5801d4f04e9e1d134b104da9b5df9aa72c059afdf9c1d1c8c8b15ec30314450f013a84e101252d435be1c4bef351bf74ffcfd7531283db85d6e129f731934ad35585d166ebc5384fab61a32f64dc669af6333cfdf723888e5fbd9c2731f49794ad64ab51640154a69d0697ade33fdec21f93c1215493a7abd08ce4df3805c5ee985f1212cafd942e45751ce5e668df052015db35b69e6440b02e256eb2db473cbca04009893e052274b340a24aea3a3dbce536a11640aac624e160856de20e4779b9d5f2162f5ef54356ccb48f67cda8222258c4520de17c9082b6ed813a0a02e75a158e0271091128252379a292db04498f928fbc24759b902bd5c30a3cc0ef40793dafb6525201d5a6003cc927cb6f828d383e8ce8f8f746fae9ec102177772ce71405504faee5137c385e949407030a8e83ecce66cf256afc930426404ae9c56c7ac1ee68a79a3c6cc52081a32c6367c82d7bee755014cb3e47d32aa71fe6b6fe7c8e1b7004d827eb396b1995eb4ee2737fac63cd15de6ba73c9c5b6abb278a7b53dc97ba1317b1f8f6764e49fa0f854b0d4489e55c1b8cbd6592454b4db830e7b37f41e021d1901c210256b1d5f3b0c699b586b2b3884254825dce42b5a3f9879d74a09b2675f7342fcd7e9182bf2da246decb6ec6bb37855ae19dd71ef73c547ed51eec6a6182a5b951614fe52e600c7fbec6f0edd9b813f2b77168cc6082c6845e52862ebdf2d72d280b1183e60c9ea8aeb895de7fe51e71b1e68adc70623c0d320567a0d2456a7f3bf8fd9bb685c74bcf349105e39c23a41af529a20d6d6a6b137266ff7393ec67cb4cd6404363007f1b427d5cb430b9e46a784b6084643cb87c1a0c889c2419e7fdb2c44e4cec50fb754fed38cc8a86ae3d805ea4ed88665580d2911070c0306630ee1adfbaf762cf665f7240e9f9daf02709981d509556b1f809c234087d30ecc96eabe644ec6de5aaa2c96e818e2d4353f6ee4582575b18feb7db59518ed901669cac04d537baa9f2084847f602db1368d2447f1a1e40b410db5f9d0b31536b414a7ddd3e0c17893574822c1a90a7136c2ca98ba1cfa11508fccb12618df8b53ca2aca58846b8689b9efc4d539e525d9a0a1a58fc9fe190bedd168b21d6b2d20018b332fe92bb005f3fe7e43055fb57017503ff82109b564d413ea22e09c09d46add02eeb9d00f92738e7028f9e69af72080cc680bca0b0356e947e315b30f5ae9143bae3129d7b45641204cf960d05f81e2a3c7b3301564cc5fed34b49c2e443d28862af7c0c5323e7a2b77b6c54358d703904a4277123bdce070d7d56befb71cb36fb8419c3d1a06e5ad60046c40416718d929c4268fb011aa7a2966cc8995ce8e13d27f5d7087ccbccbac5f9cb765cd057d48f508b9640ac1b5ff8eef95261b2cd5304652b843ef5387b29c996e5b08c98350d26bf97cb169654bd36b1a96a1d029c3c6769579cbbb05355b50f56837f574f9f10e32d0837c4714487ce1fdb2c8dda869fe6bf5c2da3d2c2a7319370d736aa6f5311911f4caa4966d60e4cb9515b31608f8f591d3d2e185b41fc770eae7931b0b2225e4bae67a5f467cb92bb838bf2d21e644f68cb4c146350cce1dc386eb41c1f1fcf80ac04e449391648fef5b9e0c1437fd08bdecbe26f6feddcda6d7495cf19e71fc589e6154a68d4208163b17c67a5a68d663a2bbb3d363a2974bc2bbb60c1d23febacf7f6fb192ec1b6dbc0da7eed3ede4bef53742c1d1b0619bb8dcfc58e4a58da0ddb3c7af660fc6577af12cbf11ff1f6b2ed0558d3df215bf9cf1ee95b17248e002a40f85ab560535c72dc227a0b6939958518e3ea7a049f596284f4987f670e771401e22fb675f22f842c875ab9d535517fbb74209b36f11faba7f8c654f69abccaaf03151272deedb474b787dc4606a278c5d90de97b7962ddfc0101a49856e85090a554f7381aba540278691abdfd48fbbb4346c4669dd6dc8892b4af232c7f566eeb1523ccf9906a6d46d8207f0e68913539449118be01f53cf05c9acd11ca80faeb300d3489aa9b6033cf130f58ad8b76b4b41846288d2a31380855dcfbfbb95d166d2ce8bbb7770ecdfd3c17a3fdb0c68d081e27e0e1173b0e80448ba44ac29fbdef015fd9a21d3c4bd2e16e3f7cc457a9cf2bed6c9e7c54393d15ddc0fdbf6b5b16ce50ec92f55438ad2db792e9d72a87bd5eccd2e1ee0e1f8b750d84e0371b84ab84d6ed81968a7acba1fb32db32d9fbaea613464a03137c12f1f98250b078aa6d72fde8bf73b00d244b92ecd237f4789afac3fe7723c19b761ea85d9cf636fb8ab754987bff19646a584154063ca645b5aa7ab8710af4125c9623f5c1b940431265a0922ab0622778730b50d05218151ca993a4303bd9c0576940cbb8b1f70b48914a69193355cb80b6b70b40e2db3ce7a81be303dc4c12552e5fbdbf527fdd7f47d3cab480fc509d57bda7470f1daee34e0820296c942eedccbdc4a8e2faffa4511c1c9ac1d97e8d51cf696f2c320eabccdccc4e37ed5632f1a6f726920fbf7defac511e1be4f9e0ca7b18ecb9fca1963f420d174d56150aec196489e0d243b67f15a792bb6dfc5e69c0fcd7546438a0b29d927a505c18c5237b090e18adcf5baa0b8bf65dcf059c03e8ac7055094b898ecef7b8de5d0c2449d9931613304f2efb4e1f7154453ba6e0573de2b4d921768f56adfb00f3b2e4d167b868081fd5fc2b9daa3c9e914fcc31cb74747d2e60de4957c03ed2a9297b6f0ec81b80562e288f888158a4f2609d9e6fe2447d8a04f5c30bad4616345670190ca05cd0882f3320c2d6380554b52d132ba7b97a96c6a2e6e4aaa73c13b000c0843dfdb6fb32d1b048998b97b26c4f6ddb2556de1c3f91bc0f1d12d7b235185b639aea6918621bdf568767ae6bbd69414a53839d46c4d8c4183a7b4f54ed4fbcc676d14ad06ace7ffafa84261b535222901615506ddb62dd60f6becdc9ee40ea0d0bbe7612533aff8c3fb0b79c2ef93363f8cd66c17cfb4917aa074b970c1a79c4e56bdbb11f1ad97b61ed0c160a39dcdcc36b419aeeaefacd300e8073d0b1b4643874fe3985a54c7cd843857abe53e00442ea4203ce7b0f71e8ae501ba340c6b41c24ed279cd3dc321734eedfcd750e5be1ff10f8f029ec8effa41a40687e45fb0cd87a7915bb495c86ac607b9eafb16d12dd02163ddaaed934e02d18b04b5009ed61f9bea82b42780f5a0a638c240c11558f16cc18dc645478d464570ad58f3994d64de964d0dc25295067a232ebcf67a37cc5a5000a37c35963b3c1c0ebc9ff09a5037bc60bac8fccbb789ff1450d630d86eef8b3b9d7a02466185509200fe739f90f50112c7efafab7974b573f10537d37f185bd1f17cbda779d0dce20a02b8a8bdd253f6ca79b35c6ec4577d79691b09f687d485f5de692ae432121f7524166a33e84506ec3a15fec7c7cd23a72b03c8dd937da3743dff7289f9d3fe1cfe9135a97115f78879a68457e55b7a7287225722d38b02aa2d4eaf591fa04174fa272f5306027eb780bff53e956e649d682dec1b19cefa412f758869f135f70166ad61bfcd71268775916d2717ce4e217c57e6a8f5a9df18302b7e10333dffb33d42dd5e544f5a765e5ad1dc6c5f5a845717d126152df28db896c4085be134cf86fc37304f5d921cd0dfb5fb869eed41771b9843cc91dacef563608ce29a0b2c94a61c48221c96401702bbb1985a476fb353d17154ee1cd3b9c0cd16acd63b3a2aa3de75053a19d769e3388e25a77106af3af27d2a1fe0484e216851ad994339d0d62fa6fd34bc75a576bb9c9967443886956b61019e72eceba602cb66abdbc477d6fb3a02c72d9c3828faec4cd977345c8b7791b140ca99032a2b3dc8a70316b0ede00244d528aa603c1f60b9c34e1f3120db3901e0e21b8a8197fc7ba079bae0ff7dcfa36413c21ea3add015e6640745855181fca5322d9600766ed15bcaa9734ea6b912b2e79239a36a6c1d0a9ee5715d43eced66ee1356589c75d2f443aa4514af88b760e28846235cdbb236dc5ba0a4cc58a41d087fb01ee287768b43fdd04d2b342e4f55f25feb0406c5b4dacc41eda78909afe2db87a449013235b34af900c8b017a1fbdf365ed73749db9331a4527038d515ed961cf01e64aa34640107499b2a298acaa93509d8f250b1ea197ab9351f2238c22687ebe830ed2b7832bc162660622456628c872f7780da9cd10c5b560385e4c89a59dfa2cbb93ed379ecf54949f5b80b444c6f88ef9546206c21cad477e6cacaf7138b104182c94862359b54b38e18dd1c3179496fc9af47a4bea9dd013d46e841c1813da7b4140362a87b3ed2a7f43dabd42a585bca5bce51dbca618a34256d04d0e8fc8a1c6e8f890c90a049ef5c2e6ec35b9731e44781bbd8212fb947b1b2020dde9d5e01b93842f9026499d9caa48e111d460a55b4bcc045b6e620ee0d67862dce0b3744b568180f2f4c0bd8542631366970b5609cca0a52da26ddde0a3fb4660a5723288e9b1a3ddb92cf966722ce75d2eb94f39775db1c9f8d67bbf449c00ca586cb8c5bee8ecf96f1672bc878e93933ad808b349b3b969d978b4e7f08102349adcc5dbc04b784dac05b4dafbc227d826dd8732a4582b4df626369d5f04975b4b12688e87ff1325171d1ac9340707dcf27b9b8c701cef7a0fc6651f0f5b8b23444b00b9563cf7ba9d3dfd85ae3107abc6d7a712b485fee201ce013728d30d5ff682102cd628f4fcbdca65f6cdfcd30f049b65d5a7db0b9d7d9a23ac177a8e06b5802e26df262ab55e0d31d6b83c0b5abaea33475c08dd85a94514f0be84a8e878c1756106e300eec6008e3c59fa129982a1841d3aae965430c2972b6677c99d2ef43a9b4470f2ef262de3eb09285d7c2d6196a04da4bcefa3436ec9ee6d2dd586a52204785561847d3bba701e699bb10ac4c706718206c671ffb070e94008d8244efb63e7f943c5f4daf2d4a4e4e7f0a80e797e0fda919f51395612b35d9229be7181cd73b4ccc40098bee247f25435ea701e862f1faba7760a40a7ec9c85c660014e52109bde52e015e8aa853723fe1bbc59a9876601ac1bd69b4a0e53cf02d8826b954952545276a02a82eb6d9905eeefd672329945a2433b3712a63f3585141cc8f95bcb34c0e9b67bb07eda92239cb11b22a02b11c88672e2a05bd4541e34352b737d86909072d3c458cb7bc64e6e34673247249fa7066a43e50ca708a26123676c16ca78a059ceb7591153ad82104c39b3b601f205ebbba9fe0c290546520e7c29247d34e23940e01811cf7f01352b016ed17db1cfe68b1b91e981457b647f101e87f175fa872e85f2d4fca6a0e37b57c8048d26e532d1ba95cfeb448c63da96632fb2b84bcb4ba0c93f9abac0e20eaaf92b257ec49a7b58027f47bdada1a335dc6e1b181abde9c6c8358030c09e69b49705c905b7ca95fdd92c886cbedae09819f5ffb4adb2cfb0970c362bf6df5fb40fed75a04b79ac3d898683c8e518567d5e7246be5cc05e046b19ae1b2800afa939164b4543874ed58a0b0afed66e9d6b715e97e5af0584f890d1627f1bf6dc48e0f97c68915f740aec2bd8dbbcd07f613d5a3c205c716c6010e2e0b60d3ec7f80f482167f53b7c7bcfd3a05962033e7218d9e1b751121d91623b1783bf318655d8320202dd274d319e9cbab8f7c3aa8d0851d16c77d075c7758cfc1ac71de99d4acc1d46a5bd1e5aeb6a9d9ad4951d169b38f67d4d1315bdc4be2c6872eef97ae407eba15b8f3a148f376c6f40660513234e8ca9fb0055ec776c1bf8c77269a9a65f75e2891a6d5aaf083d58550e9acc9b91498ef992bd69a1bd137914cc545fa7f4879e06e709e264f49f5fea67612d28c4ba39a0e3378f847cdbb8b35536ddad7d1eed35660005f1079f747c294f02b9d5f59d265970f95bc22f081a92c747f2d860440085a1ce07e4a165589d617292324dcfdf3189f6f65ac5decaaba7f293d69fde6398a97f074f1766cb2907c053da7ce251abb62df9aa66c4f6141e611243eba93dc3f5bdec369036b8f55cf9d25fc29275b1eba5fc1a6208272c2adcd42df07873e2135ad41d949e7bea8556b31544be9f7475776b3e181faa20ced0cc9d2bfc6808bc14c9edc373ba816a239f623bcddb9b6f52265eb66ea56b6873e4a0ff5c90871ce7d5f8b1965d4783873098d57069b89f602eacaede3bd06562d129b72ec0cb4d53388d02a0dcee63b78e59add36a5187d221feaf6042f9115a584e427ed41c3c3a0fcc398959568a134bc89638aa1f2cc93a71385f13e5dde60882daac67bb564925e32eede3fb2ae13cf18d0ef7cf3639db3d109845b752716007d399488c6e127d7922abf621290665d995fb9ec29d1498b56b40667ad240d79e1fc06a9f81413904a83c32937f90bfaa299aafc1bb858f4fb6ab2c953e3cf34fc853f1eabbd8d1d5f61ed9a68d6737104d4deae043243cb4d4a2dd42e3949ed57d3af91cf0444b0c987a23e993e7aaad547c0e869a1e4fe17182a440d64355a16419f529cd0eeee117ae3150f871c5b60d772c064e9173d11279b447e4ce544ede7b2d87128bcbcc46837359e6019ac8a60541d688111165f5748ed56948be7afa0862a466160a8d6eefc7470d35a8e5f83e7f2a08b3a62ac501fbc2003173c0ab20531879dcd278ca8d6dadb279775110d33f2525f806395c42ba375ad2d6c49093f500b29a2e7a9cfaffa6e57b351a41747d7f1cf38e5931d6002dfed68383c6cb629fc78e1c3729e769b67d8b15cc3c4619da98dc03680cc3cffada726820ef2a20508fc26a31b40e498e07d06f411ea7857ae1b13297b3c1ca8199213ed7efb1e6935f4a73541a9fcbe403376f1ab8cee6b049eaeeb1d08f8e414ba52a9656914003438755df172a78013aa9a31833dacae0cec92951e93fda5c2ccd9eb62e8159406023ae08708e64399d98e3980d7defa2ff7ecae3ecf1a3412ab39ec6c40f0dfdeb51fed4d8b0f6f9f908aafa48d6a4d2f68d75c0fc135b30bbf1d5a84189c59b12deab58c122487f4a30c9483115d8f379a8888156055dd30f83a22f7fd19e8c795e8508d939311eeee92b8497fae57dd3d398dddadff411003dc978991690b9b92bbfc8e28b2c8a41499f1abb71ea8e68020055973ccc479c860eef79a4016f23bec03256efbefadc1763f62ee6fa568a6b007ac9f9c69b0068d743da6734f38d5f2b5542aae2f387fefbd3d38e7383a8f7ffdf94811a9e24dad68eda226d67f182ee97ee03230ed10b5054300553fc89d3d70b8b44bfb63e2df86b6c25c486b9a09f2070c3e667c464deec0419619c649dd782aa4dd048ce3c6e60d3069ae0e74a8a635e0fdb3628d561f243d395a81c3a336f577cf0cc3d4faa0f143dff71e0e56e8d6e2e6353a180a8e31f6e8f142d86b0bdd1756a2d4d9e7fa7c35e9deb7e4574cf04c95f44d5aa4b4934c1a7269d8ac37b7d680f9a66ac63268cfa9f4b94dd6107cda2270146a822c1b61841996c605584c9de4e2cbbb40a4a3a0f89636a3b7acae205ea7fc114d71ec2b8c927682af71d74112618ccb3dcf48a23e7acf0b8e59d75c9a0ab17358219b757e650e71cb85c2b43d7e0c90b81c29e352d3b11c52f29c7fe37972a39a712d4f4fc0544f5ebfb5bbdfdfe803a2b407e5056e3bff3048b1ad4d2c786ae6e1712f1a0a538ec3852e13b457f88023bcd9deaadc0e6d8f2f2227632d47f3d57262eb9b6e3cad6fb5af2ed5126dc536bb78483d7d92f711a4a9acf7e2b76e067dee9df1ece3b0a3758cc498a90214037d66478aff037dc8f214b36af08c630378c25b3019c6a492960c1a80b8af87370105942be92789b5f9c2b736108a311a7abfc31cc96d90a9e5d1a28d2e2f31c51644b7cb4537817b816a7125d985d85fd3b601302030cf3bcd1d040d8f902644457ef61444285ee32d157a5301501f73774ee6fa1bb7f8996c07c69dba0e8e0ae1c2f4810a07ba6e49be858cd182a69253d3388c4963d121ac6659345d41d382920b6d66420c3052742eb19b8da15e430592678a7e14ebf6ece85e070d22f5ef1497e46e52d0463417bfdc32ecc7d83d60f5c116d56b8e6b787743c1556af55cc32499c21a866b96ee95d15fb22312da89cbdd88060ad067da68e5985bc596f4bd303ae65d76eda2aa71bb2b04ef4ff2c3bf0c515138e0f5f396f1c7e7d4434910a93bf94e8e7f4ac87709ddf345f5966b4e3efeadbcdab0bb6191c409f574d20bbe9fba2ad7b47970d8b7e7c74639b0070d3da91e2d928d58a8c113fab36dd2cc19afdfe814880c3c09a3085ada44ead79189787e2cd4969b039664097c2651ec46e8ebb3698e0916362a36b22490ba2643570e27d00d02bae7a368589cd35b3604dbdec2fd1b7dcfdcb501207e9f557ebd980fdcc4abb239b541232858ef2d9bb7d0e25989a345de398258c8708b278a9a06596cc49bdc06dbed4a4f8d8ff4574448a4c7e1be70f7e85acd340905668a12646a1669d52b4c9a75b137c5d5d6d26ed14bc3f54b292977a61210c6ac8865dc5a3549dc4a72d0be26031395130cdca259d85fbec800281b0a1f1fdbb9b5bc0c44aa35ebfe24f9e75c1c3bb87cb11eb37bac91a4de8f6a5869748b67fbf2b0a9a07c9ddb7b39f6356160e9db49a7264e982cbc9be684920c03b1905dc6d6952759b9a68ca71e18468a6ba7d21155e07bcd72a007e2de595239b6ee4a869111af53b249440373eab8c34865f3f9a6feee1e9c45a94b8e7d2c0d8cee30ecb7014734fc0f8228d88ad3da449156b2d4d474c1dc383ba7d8c7a418427347dc566c72a1fc9a42230f4d94c73c67468b6cfa7f1b10512732d59a8c58bedce61fe3d79fd0920899136ae7512cb81f178b9771f778b66656cc4949fe2603629618eb6949f94f50affc2801878eb33516b5b1105a4abd0590005222acf112dafbd274029dc92f33de2a40777bdc5f8a05387cea45ce5f209182dccadb470e4f5e93067cec4b71b7621ca8e84ff0b53a125ca922fb8ffdf38b8e25bbb160764039ce1d5622afe9559d91ea2b83d3fb95e3a6d78fc120984815d77f9522147da1ad688c942f6a7b3f7ac89e3feb1633ac631c824fa1597e8a0dcd745c92a08a8eafa3f0a42c873cc9d836a4273e4008305c03b8c0b1171d10979e64e23ddc352ee6418a766ded4ff90cc242dc6e0821be9999b8ad456e6556285b394577db8950f800b1b0418d32e06e39fdbd3de4b15bb03155e8a36ea38f2416d337ac525d36ae7d0a5509f7557b1218f60e8b114e6c41c3a4934a2c42c903e5ca5183e04733c03e305b26a3b781a16c073e0ff730a06af039c84b329110f25f1238d24910688f6bb28f5ebfe4c8f5bccf67409c8ed4252575754e380f77028b36208e62018be69ac2858d30c9da3dfe5ed3d1c4841b6346aacfa00b0fa81d9dc9f525a2e3c74f9952d3c46b5684464ad156e13e50362e5e77401fdbfc100dfa22f6995fa1aba855dd2bf02df75a0537b3b9ce038a55d846da4f4c4933c8b06cd8b03affd065f722a8e02a6acda9c7b5b6bb6ca98407404c320633d08d47dbdb2b951624f66c352abb57f0f7a7b959ac45f218c0417d5aaf0f9fdeedc2ec3bfca719cacac2e24867429d1daf7e35b80ca1b711f0f3b3e983417f16e62f9122ead0aa16cd948638a820274536c694fc03336f28c0479dcf3d38bf664704eeb477068396ced416b04ec7c9a8dd4b2a246d4673559a5827f426edaa0805164b854f06cd9d440f24ed009ebf6e9d98bf632a9ccdaf41a71831a7bb1cd04a3659ea80110bc4f4af7fedd7494888df4eedc26e1535d1852ce90fcc83a8a2239bf8071305acadff8dbec924db638b81836e2ca6d272f75e99b3f85188d8bbfe1172e82ae3752a3443c423e5acfcff25aec15a9a886c842685c40cdeb27a10c2b2d381374ad8dfea4b217fccd05160af1ff8107a1b06bb49c15978c77a6cb17f81a576ddf8e892935ee1214b433c270ba7ab12e013e569c2fb2ee60127f3b43ac005c41cfeef83472fe9f57409af5c66df3c5365b74eb2388c2e2ff1457585ba8ceef02558bb4ab2214f9e70ed7a3ca9376318a2344478481a845816277b384c5c7f40f794e2c5b2c106a4fe7be7a16d7038548b4d91eeeba040e89193e8ebb1669c953d8c20ade675675661f2e1c097cbd7c5e1be210305950a7017af947b19e0413ce496f78ef1edbc54c25bd25886ec81b4d68a46492cc3a2e43e9a29ab8b0885f962c760e4f8da705ecad7060975c84f71470ec539ae4fb71aceb55d07fecdcc6f149fbe0f67fdd56d5fb276e56746f91e529e3c072010698ff71ce02d6ccf1df24370b4665cf579af55e37a8aa8d986dd3a97b6ec2cf92737fb9a8f856ac45807eb905ed54a28e2419ef1526e71d487bb7ac85b89075e6026277a3d8fe9bebb178efacd63b894b158eb59467d2d63e68b3617717b8c2f7bee9e10bc580f85735fcfcc0f0f4b2a62eb9aa3351aa682147be2beb6d3c976aa99e66d92cdd10ea3133535545f7371e8f908b8e91fa25652afd89cb4e0f58434948f116928c576805edc7554efd71c554947e14871c64404ae8357fc81d719d1d3427c63d77ec271c0cb94279a4851b0a372fe08b7343a6bb0863076a28c111c1819d7b7404fdfb2df9242d3b9e92e3d9e54074e2c56ec902a745a71433c50fd91e108549a716f5e1c23ff4c2b94eee99e5b6a9871b0dafbc4d4c668130010fdcb383e9f689c2bb1b1b0afb1fb3fe12d1cd4e889b5243c2ef2805814756b0e35c104090215114555cef6439845c438de3cf688daec9fe1cf353285b61735121d78d3481ab5fec2dac4841eaa04da6d40c731da37b80faaa85373b525d1fa6a1074139e677feaac46216ac231fe03a36c1e9395c9f9ad0d6208da73e79ceba1a1ea4e8e3e93ac914687f883e767024522b581f95e0250388f329310ed9d0a5b746b60b31994de35850c43662daf52edbed05f2a1dc157a726fd0e5d73034a993a42476bd9ca2dc0dfa93ca6ee6d27e3677e1afba84f1c17a5949db355d94ee39e553df882680c982974c17bd96330e8b5cffdb350db87032424966a4868ff37c328288506238a46c45e9c35ab60fd807fb8923e381530db9cf8b085e9604ae6fbfbd221f08882f09b43824e578c63406b85737aee796c1a63b86d325ac8663db8c549e6b647abbdd402b5e6fc031caeb1736c4dc2b38f85a0055c3b0ad70e01953c51c15fa28c57a293e3c28a7ffaecbbaf6565fcd9446257c0f9c64b495c63c99398d115b3b86824e103a7d790319cfa8d3384fb6bf7832c8c9f7a0f63967e23c0c63e515d97c3985f0e921028c76d471f1ea5ddc016e2b177bafa49e7160d87a54de1f7eedffaca5c2262bce6852382430b307b8c107060b835e197e3e15c87f69f74246db59c767219e2932cf5a42cd646766a48bc0146acccbe0db08d12cbf83c518adfadf8c3efb8ce0480babfeb4616313c3a5de5f75a9f02e8277209a88990598e77f4e3ab2f4b943fc28e78755ff3105e4765132b1fadf38183ed60e24c8dc8155fd8ba2687b7a96dffb74fdc143fe26877129772a8d92df9fc240a69e9a20bb66eef414760b51e263ab82b2e7a24eb7683debb4a32ebf847f57e20adbfb8678b1e2eaa315e14921c1f822aa0c01c63bdb595779d5766b9bf1ca25f15ddc54e3aea3ed247a0ab497ed9d0d735559b0df6510830171c0434641a92e7e15aad7615b86c6d042c39fce84d8a822c1b3b17eb94fc31f394d01a0f9898271dc0c139c4182d66f8694c2d589a29040209effd7674a644cf1993077f9d886a0f9d99501b388e411d8a02ea6d50ae4be31b224a22e276c4f5d24d3bc14f19f50232a1fffb5a0b3d8f34017d60001ae987b38538989a9f9a8838d2a16d8eb62cdda34885785aef8e97ec8b8756c27c9320d00feea3ac530ceeccf1f0126d377a6804993605e2bdd6f60eee748ee77c93c30c27ea20e74a8c4a07e69e7e7111b416f0ac2563f9746a0edc814384ab35d9b6213a96d0e73892529e907f6a725d3afffab6d2bb6963798a533e62cccbbb63d2722b9801ca7fdee7a3eba6208cdb76139716eaa082b8aad3fade9ea46f074e9746c0aa5f6a2ac43e0df2853644b15415b4fc50cba3fd1113073cb7ba313582a44145bca5cbab59e397d34b90ef184cc4d848414b1e483e93cdbba330370acf791e436720221b3fb8c8745cd1836e25e1310d1a38f2dd41111844fa224672ac380d632d8c0bda7be5c5259951515c92d02727a9a64e37160ca21b75de5322e3031429b2de246c262b64aa8937d3d5389b5d219abe41a526fc979af670dd1d12c08e35c57063d8a5218501c69c00f1152d5355b65215dae5bb959c26610ce997141a10fa7cd91caf89acc012d7621c282643e94ff6b9916f1a0a37fe6f11b2294f2fdd1f49cdf0e6225371385ee0d6255d848dd206f11bb74f9cb201d0d8b809f048829d6e7f3df2edbff32694129fb4fe4fbe4bc87e145c2242900ea4b86f62143228ba06611b9a7889b0fbc46c904b60799f80a6d49df2fa9ee1522561b65da25fd64ea2435e6f4aa7f21fcdc32eec2a2694592f8c8f2f5bf2b56caa5c158a411c48f8af3524d0d5e1325492ba7d806d09473745b962d2d531f27e237a556eacc014ae2e4c83062f9fb99b0356bd32709c7444eb5c6579a03e5f07e9d61fc843bda7447d35069b0939d35c359ac22f55628e212f7b9167d922f271c6a6fa78d8a29bee50f1a0532e9e36f9b51729c73a6caf89555c57a48c052426d544053cf826228cfc59c6703c0c0a5a5ba69c2a2dd855d301f7a4f6e500d7f01fdb749921856eaec9417d55cf262b3082f29ccefa9c6de696d2e94cdf6ef377d1d9ec55d628d68f23010076eab2c20a70f1f35f5ccb14d41379daa5fda6ec7dc77fc062cd8c11a14b26b37596d63501ef00e7d9e4c94a76c15afe225a2936968ec501b632fad0e3c34a50cd2d4e77fba16bb03b4f3d7d049cac5637d812a8ec95c84d11c1b2b5ecf2e103566ab88d835d3bc72a36e5116fbc668b26c3db42e9d21e263650c4039466f69c2e42248b209b47fc00f950d7e0374a7627b35e33f5a2a8370a2cc8900a3cf9e7873d0ecc53c32349ca9ff05c323c8807bd054a04055cd7fa3ceb641f7dbdc1827309268e6c0aba7c908a19b0e0ce9180b317c7027b2778c95cb853adc636eaacd67bf6d7740100f091fc874bc0c4943728eb5b4c8c4d6c89a0e90b96eabfa38262e99f81cad9edf20299bf78dd48c4602a8122b1311c331b427f29ea5ea214500d096eef4b5ead952df75b5e189266edf30258e815ea970ad8227756a8f60f5debd25d5fcab92e8a0ff5e1369961d796730fcd4d2cb400cdc46d67e77365b846ceb1991e6d492603ad9b61336cc180e40de55c1aa2e51399698a1d23b3b31ac5d5cec5fb10bcf10a506ce52d2320f615f810f781358ca0d23d2d324977156c1b5c18e5a2c6a02028a40373ffd5c3afccccb92f7cefde2891e69aa49e7a8ecf8e275cbed5176c0a1a7ad96fa8faca234b32b1683e78321a82c05e316e2e15d52c89fcfb233815e9981ecf3684dd41d84286097e78ae1afb89c94488659cb274f765c72244f1936733c40d8894fc3717580e681dc6571edf1aea38cc4c65270f44ac368b7d1cd7a86d491ad50cec56470b451dd16f0f26d336c6b355fa176a1fbcad193d996b1877660574805dfd8bdf4c2d5ad5d521a4a5745028dc7069aa724e8135d1c7ce1ea7601a9f824c0aed405e3475ae16e5ed1998d139bd028e9375068ae42a6df9b3dced7e22c493f50ea13d200f056c79e5cea73d4b3dd8e07d81b3433698f322913cdc117a9a46d6236b93f36eb1c2388eed31fa56c960e2b6c706378536a2ca2b9542c8dbac145ae109e65202af98a72582406b3eecf41ff166518d574c88c9b03e2b7c112611a5688bfcdfe830e0d5e04cf3c4d75f40c1d7395f7f84c5d23bd164c619c9a0baa214ca31fcafcb2791d99da41f381cf652cdc98a6134f679c1118b7fa503e9ad1b06a7c26c6339069485910515acc89b43d6f31d773be54560101775234dff26cebb9138a7f865b9d6d792284f011b7b1d910e3235ccdca0bf0f96b80e1fa1a9c93e0a9cdfa3f712d3f139f9df4479d0ee1f4d4d67a354e975837247802c87c594e5716808d3dc404890beb51fe5896d8a045c9d1f8d5ed015a86fce9d1e81d74ac80404c30083b5a7336ef13989620dac8e7a2a558c8d1f1b6e929add6b9a3622739ad4eb93afe997ddb4fecce60f5fc775b6efb527fdc055982fe2ad505c002516175e6284d872056a927b48be6aad370183d815c58af790f618e0f748d725146193f618aef1b5a064635b50ce682b3961a2f19eab84e293abe4087d7ee117c08608fc4bc9637ebbeb945bcdd66207b2f02331cf5796611c8e2dbfc45c2195ed1c197916f5b493606b99e0c9abb38bd933a2f70fca4d675d4e1b6635d7a607a224f91caa438323bf9e1a70e0ca5c16d0d882b6d35b2103ea8c5e7314a4516627251a825b3902540048ba48fae626af3fa4a21e81367d4758cff6c429904376e9594089e7f5527074cb1ccff7799eeb71bd16953aa4c851d45e938980bbd56cfaececbe9ff393630c24f763c48a6e28c9a77a25b915f1a99d74cb33218179f46e78a2d6eeba8477a6144f6d2deb294c8da6d95a950b77fb133236b3e5d2f540c092a58746c797c3868e380347c0a9b9ebdb67db8b5f51cbd135a73c270cd2b30c435804f43e443c0815fc5f375a73010926d7864388523d2eea07007cf3f817704efd0319f0487c515981f29723ace36d167b990ddcc7e064d521b3aa6a6655a0a365afa6caf1ef40fae23a9e42ce08c57bbf5a41a0bd54354b0dcf74ca77771d78aaef2a0c51c5998b91642fdd4f953d2a4291ce308e726427bded86fa0ce56ac0ed4a16e6f0541efaf845d5350b6117f79b8646b49601800b732adf992358298c59e64921b7ac430e4872ce0a9cb37c483a4451f4dd08e68e6c87905c50031e3b0f730985564a3a5c29db28aafef3f8cb05c2644d9aaa1015e2ec8bafc2640481abac6b18b12f3e7233704d47e0a1df4accfb03d3e6a3222929157ed1f6dc2d86b0536f2b48e99996247412266c9a28c3230d2ce20ea9d43808a9af936aa81710853a1b1bfa5797c1655fced7912f19041702d8a4f7e9626a4a793b6e58b155011c9447ff926844c820828202859fc75394f45b2bad859b34f36fa98f6a9e8ede680b23b51f793fd996dba5e6c23a6740aa6a46b07d6e53b74b65c041733ca156a3698772c3eede0e0887993a85e6290dc7fd14545e5d923a512e1d7b4cbd96010445c9d9e855afaa7c53f53baff420ac332d316a35a238a1815d272f60c3e886ca858d6448ed51a0c7676db70b8fb7b04980b976ccbf0a3110437b7c21e85d4944edb7b6ce0f652cd5da561a9b34211b26e641236a857dc1fbc43c12a4eb9ebbf96cfea736f2d8298cedafdd0ab073a7ac697960c4d65e64d956058c1acb02dbaa11c7a169b4be13952694d8dfe84ef06b1a3583171d99de754b32c41861c1be8b6dda60687e67aa6d8249e528349cccec97e399bb639dfbf4479f54c591d31f588932af57b5ab87843aba2c8063c55664bb8375e24e5346ea03cfadfe42795453c46a8f3ccec7d5b9d2896d34e0432cefa1464f6338b40fb1b2e1ff9026898ebd6eb806339f488464ff70eb741239556b55e6872e2d90ad69f11e6ca2bd7ccb8b6d39933fcf3dca15b13a76b4adee2b1898b60bd6bd051f9e4e516aac6650a50a5077b9caeba9f286e58886ed39dfe8cf9ba25dc84e1ae847b5637962b4c08b01601808dfbd93c644c9dec8d62123c9005b51dbb02d7144a12d49ffe018fb832aa5eedfaaff32784001f0f4801396189e0e5f525b79caa0f010d6574cd479fa9cc632f6a2558fdd4eb2931375e7ac9eb99f31c1039a9780bfec6430b155cb4d205bb33c735509c270167dfbfefe65062c757b41493beda43133ce24d497744a907fd78ddd8a0fc896a8eb60dd174690672c6952789f29024ef540d21e99f15fb127a0d8b7b7f0e48233c5778f578a1e83088a659bded44bf41e8edb8a02f091509f0b05f06df737891fd7e0971a0e1735d22da7018386792fd5f2bda365f48194a00b89faa4bb1d972788d740c57418921eb4d6176d160b209460d544734ae43e99658aa367e8973c3ce1137d936103a842da4dbb085f25236be94f9cbea7fe4e8dbfaab901de38ac0ed4458fa7d94503d42cbb8eb53042cbcb7e12ecdd5cdaf655b51d61c0a6a07b562b619b6dff90e0edf99d8c20278ba17ac5480f04a3a60ba83678b3dbb4247e5fb96ef134fd77a699bc7812d1c9d31875a298c701da0f17e426e4f6074f82dac60c9e0d2387ef54d602ee9b77587513c97cf3c29ec5c1fe318cd1d0d049968498da6916ab56edf7a4c16c4c55b3f52c21989b196276d2a7c5a7e21b47665876be4b0f3f5f69554cd404fd4453a4d14b58bdd623007e51eb90615a65c959305ba93337ade682e432daff7eb2beb47cd08917290dca5421775a24f8656ff18b0a918fe4f77dc8a63a151093b8441552885aa993d0ea6eec60e1d60a0ce8d264d66dd29ded7ae9c08704998667ce116c870d7970abe04cd3a58b9df79728b7b73854425b5cbcc62c66a8b38d6b7ca8fe55eedf9e265be8f100f8e6d95b2ff66c4570439b6932dda3f16d73e69625206551b85fa977ecb8181d95696777455a09d5197a22ac5d1a780d7746726eb0a84f93a11d4972871e24a587dca5442b449727a6ece2db6f3d8f513ff2906c7860f972e8d99bcee1e88739aad134b14618241b9a2d97997e7893582306f11e08fb979c34d31f96b39a09d51451e277442c3b8a26b98aed6990d57e44e2d9e99ecba825ac8b51d19f46441bd3a3a726b39336b09600a68097e8d73a01bfc0c739abf599897d19e7e81f2945351b10f1af8b9e62604b30addf0194ce8e88d78d8361f23ad92b8603e20c7e70929e843b22dbb8840fe4ba461008eef25a51a564bd33d85b992996de97a0f4b5dc3356f54413e53b36f24d31876f9133db4691d1ba5519d82ebfe05a11212c21a1083cf8645dcc7425fdef414131cbfc4a40f82ca79815c5533c5700093810cdc284a84305511395cf12a8b76227ff02af2558c56ba6e611fcfeebf77f05393797a8b67c20acdf593c47cac0bc599f10f622e4168b2930a9be32e499637d90777f07fcf86d9bc65d98d2e0332e92feefd802fd59cfc93ff4f71a7c29b33b9f06fb16c3aa23254030f015a1fd288d3df8dd3fe00cdab8cf6859311a18f76a90acd1f3db082d9222a3e488ac69513d6bfd5a326f749680c6e710466e411c20ed352fe8fe90d6c3cdab7e10c96c86c63f4960015132efafac31ab38f2849a4180392742c71566383e79db7e1114a74ddb19d66febab0a96ac3fd4dac337a073c07319d5538ab41f2b87aaccad5b33e1a830bb277ffb09d0e4d9eda6a9df9e24d7579a31e820d46ec07a17be8913c6259ec9714fe024ec03a6f2656d4904905328f7e9788088bbc7ec666588581ec522f6a6bb7e4edb9c85fe87a8d5cfb788d477248a6daa3960850e5a13e0df41b3db8b07cdf166bd90ad3f777ae2456751434886bc7d57189e66f0e6e1d9f5db57428cdf098b833c1b2ca8390a9bd483e5afb6e8ca11f12614fec46985e0ca98818ab2c3a3c311e3f3c53e6776f42f6ff35b12805f3ca9b390c20aed909b23d7e1e19f322809c28d6c7ee96a36cfe268b2dae202ed172814d62650423241b98a7d617b91f8e81a00b15bd1c7e6e5660923c0831034e7518b26a8f90c8b1588a23945325f0bf152d6eca65a04a330c08f67b2524adf4f5292d6c254e4bea7fcc9d87d1721a93f969554bcba69a3be8d20b4baeb7afcd8353438c13eedf4b2aec0642196f43e8b5a3addd5901b2645d2794ff144a7bee876b33968fa2485982710e944c0b175728a51c1865a51867ae0e889d4a94d9c76347c0eb4430e9a2399a79f4055e7bc1542b2bf8478edd5cdd174e0907a1487bff7a3d8ea85d480d55c90ed84c0bd0bbe287c5f5598829c7a8a2e16220231db90cb7f8fca22c73a67275df2f23aea835c86797cc0c6f2081cb4d70370f89a58eba3f5b2acbfe97fe8cd1ae5e0c3bf42dd13f2cd958ea9735c6aa0e51e1e5d85d3f037a2d3ffb640934ec7468fcddd42946be81bfd801942f95694c3267a6237fa8229aaaa51d8156c9d575596fbb24c2082423272f3f02da12c870b58b64e747044fcdd933685e7b4c3247e9fc4b1dad8834fdad50103b8c7ea4f4434a4a0c982060e4a095d4ae7c3a1165af8220fcf2ee380841e32d7cb2f67b535c09c5af35d935eb091f072001f9ea70e289e2a9d8c9b107fb5b6a87bd3282a0ab8484f603c9e0e8aabeade763deca697e7373592c69b9429c7622eba408cd56554a94b1ab5e789015dafbc636bcc3e099129c023424e6c2cbf319db97fde78a14b78f767da6524d06da7b8dc0df81c19905ff225dc17bf225ae5ba75546cb2ca9cd99dc133f338f191ff049a3de4fc3ba7d1b22097c7e40cd13b66aa7ff3421259002d19fc47fcba16eb20a476c138866258926c0a87fea8841488a807c5502237a9e8d96445586892c53641d72ba9f876eaaf269e810658af5b1d7b5dcde6e4f1a009a92c63a9e8c3e19c29316a23848693a0921c68f2b4a40e007bb85308c8ad32f15f21c1ba42d902e17fc7e930325ce2459a99e2e81b6b0b94209d405361e9938af2d2b0d3e1be93bb5b1aa38c5ba1ac76caba677be41ac7112448a72c97ec8ee62e0979c4fd23ebf7c6d151762a36061ecd9507b91f6bbf363744544602a2dec64667ce5d106fbdcbb143276dc8f723250caa9d24b9495b8d76bd72d8bc93b4d7b22d8ff0a9a82f668fd1e54a478b59e54bf9a0529e9a148b8f146bfb1e4de9bd52ec1747be2fa875ddd1cdf6345d3393799065c4cd8118e33d695dd4b98efca18e10003aab586d84617512ab40e5f6ecb5fd6712ede74c3882ac8810b806d4707326d623ea4865abb0ca150476a2dee29e05047fa778dd34857fd63d4a0ee8dbab244603ad067c236d190fb89fc46f7f21d163f43d36d92092ac4ef498e89b66b5ef96b08b41e0e358f3b1bee336ab6e6386128bb8f2c25c734569e7c100427608d0c8b1754165aed4c56f0214c9fc5e15018a0de32ffbb7172e969736b690f96c50f3b85b0fddcf55c5fb526ea0dd6c42e1883e12c718299ee97d321601369351aab917c0a427c1bb63541acff3c9479e4db1a9c81bd6e9a71cb75aaee0d6649b3382a1b03e5677f74b42659c381e1cffa14843f6efbd51f5ac5a7f31bd54ab7ddec536327539f4f1258567650981228da5df32958112e2d8de27ed481a83c810b92668a4dcfbd6767798c3c899c8f5184b0ad30525bf102ba40c375d86cfe8eee601ce96829981ab56a86cafa2a154d63312fe97b19f243b326921f049bd48e37729cc96f26d2b07ce46377b7397c1f536f5ef6fd66f6c4116ea96b08330448ac72ffb5faa8eeb9ded68fe7e54a0e49271d37d658341e16737ce37bf47cb4b7fd6cbdcd6e6117b7f006ec8f4290c3b935f491f1356940e5c96195d4c022bc03f03b579eca67263444275d8d3c288014dc9169d3297b54c1a628ffbf74ee9e7511812aedda4039dcb0892d180b50f940992fc920d6f748dcc4b9155186b0e5474be0e68a3b4bb7ea52d0a136664d251560b037e8f8df2b0a2640e420b19d143400d9678dac4e7a2b4be287f6891ffcfb1c11bb4f2b9688aeae272b701b2471bd12f82c8f2ad9b8ce1e9aa4084912a498944bacf4faf75d6fb092b61fbac442f64e66dbe570545f0995dedba17e72673364a8a07b3d33affc79fef0e4e4fe41ae8db6ae027d5821026561b61498f75de599f46d7743cef145b741aa2fd67205c18e8757073d1b6bf0a66f06e0c1ec6fd1ce3daf913b016b427cdf4f7b19f9fb22b2a1fc4510449fd020e54fc93f7609f56519f7e6caf02f5b8be3a36d9263890e2068a9bee98469a117964a4b5e39cfee8eb1605ded96b2acc51afc99821ae7bf50d4b4791eb3eca53b7ae0005e5d74135fcfc112fbbee5a68125f10249cf8340c0f22d412a74fae14068ece35c4617f90f1b75e84b1ae9ecf6c18c7504f068b034462cbf349316fc63d580eff2fcf36cd296379a8bfff91294c58dbfdd93c98285e7aed4489a4670c7070907b7cced1c54419034f69e81edec13b35c49bbf473c6ca32ee4bfa9b1676053b79807350c55f3ae6005d6e5adc4328d78e8197854c45b5ddd5a1dce9a6b03d0ca45aebc068f3bd70d3202f5e1e17398e0a7c957aa6436b061fb80db2e726df5607b496194f911098faac0608b03eca5058fc43beb56865cef28fb9aa0d311bca89b8a0acb02b583e01f2089adc1dfa113ec812f1cc5b4b7fcfbe044ea2b3b2a93f2945d31db3e1c5e9e35f99b607d14fa0221b61644fb66e8c7a22f329cddfb22d2bcae360d22ac556bc7f35a00a3f2760d1fbbc297a3a08502985f69a7524d997c6fe3002e0fd6703b67d70dbb57926069fd7433f4cb82173e542ea4be236fcf30d03a82a32bccfa7b373a46db0ac27bba4cb00edf6bccf3c8270cacdd0730a3d7b46b71084821a5e85d3a9493da176569df13162bd8bc911da153d7976e73121a025301997f2aad8ccfe4b9939665dc6699ce20fcfcfa2e1278039f3fdf2db0d7de3c9de4ee4e64453670a2be516c33b06f545a6063f121553cd096e12f4dee94f5a2858aad5dc12c081fe614fdc4ba0fbbd623a38835f7c1c5ef8414c24dbd32b37e4bf0a0bdcbbd12946ca82032ec338256786beb027d62d832fb99b579a8e162c10c67d479d397caa7d7e0c714c4491b5d804c87be8afdb26204d37548b869aa0e94adadb97f5e7db32bcb471bd5bb2aebd80d6947786b6a322ab569679856413eba30e0dcb1d31cae96b71d43846c39044691d5ffefa1cad55e5d59d8f8302bcc410086ca41b576c5dc18e5ce80e2de4f7eb57b1414ef29cd00c1fbd906852915d03f9f5265411d428d23f04a70fb46aa7b60146c6f272136f13a0426d149256b936505f03997fa86e2507b04e25c871578fa980d2323fef7e8031209043ae56baa4e0ec407084ada94d96ea836080d5a66e0d87aa7deea927ae9f5b80a58bbc2555f7a95680ac7b7c0f7ada2f5769a5dd272a102b94c883116daad90be2595175f99656aad3dd36336d84ebaf97d1d5e2782b4c392df227") r47 = syz_kvm_setup_syzos_vm$x86(r43, &(0x7f0000bfe000/0x400000)=nil) syz_kvm_add_vcpu$x86(r47, &(0x7f0000016780)={0x0, &(0x7f0000016480)=[@out_dx={0x6a, 0x28, {0x351c, 0x2, 0x3}}, @out_dx={0x6a, 0x28, {0xbe7d, 0x2, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0xf10c, 0x5, 0x90, 0x2}}, @out_dx={0x6a, 0x28, {0x4c98, 0x6, 0x59fe}}, @nested_load_syzos={0x136, 0xa8, {0x3, 0x2, [@enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @guest64=0x280d, 0x2e0, 0x4, 0xfffffffffffffff8}}, @wrmsr={0x65, 0x20, {0x285, 0x7}}, @uexit={0x0, 0x18, 0x5}]}}, @nested_amd_clgi={0x17f, 0x10}, @wr_crn={0x67, 0x20, {0x4, 0x4}}, @rdmsr={0x66, 0x18, {0x2e6}}, @uexit={0x0, 0x18, 0xe}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x0, @ro_nat=0x6404, 0x10, 0xfffffffffffffff7, 0xe}}, @enable_nested={0x12c, 0x18}, @nested_vmresume={0x130, 0x18, 0x3}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_load_code={0x12e, 0x63, {0x2, "2e0f017133c4216ac2c00066baf80cb86e897c81ef66bafc0c66b8af0b66ef420f01c33601e312ec0f00dec74424007a000000c74424020b000000ff1c24400fa1c443314a890a0000000b"}}, @nested_amd_stgi={0x17e, 0x10}], 0x2c3}) r48 = mmap$KVM_VCPU(&(0x7f0000cbe000/0x1000)=nil, 0x0, 0xd, 0x80000, r12, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r48, 0x4) syz_kvm_assert_syzos_uexit$x86(r44, r48, 0x3) r49 = ioctl$KVM_CREATE_VM(r12, 0xae01, 0x20) syz_kvm_setup_cpu$ppc64(r49, r43, &(0x7f0000e17000/0x18000)=nil, &(0x7f0000016a40)=[{0x0, &(0x7f00000167c0)="0000003d0000086104000879000008650c0008610000803f00009c6304009c7b00009c67d0049c63246bc07ffacddffe0000603c00006360040063780000636404006360269fe17f0000603c0000636004006378000063643c02636042000044f5009007d6db8bef0000a03e0000b5620400b57a0000b5662a00b5620001c03e0000d6620000d5920000a03e0000b5620400b57a0000b5662a00b562736fc03ea7f7d6620000d5920000a03e0000b5620400b57a0000b5662e00b562905ec03ee010d6620000d5920000a03e0000b5620400b57a0000b5663200b5620000c03ee0d1d6620000d5920000603c00006360040063780000636400f063600000803c0000846004008478000084642a008460220000448fed9ff30000603c00006360040063780000636400ef6360b5ad803cca82846004008478ea5e8464a2e88460f167a03cbee3a5600400a578a557a5645546a56003f4c03cb487c6600400c67873edc6641551c6601de9e03ce4a0e7600400e778d884e7642576e7600870003deef70861040008791f720865674008617fc5203d5dc62961040029797f83296531e82961ec4b403dd8c04a6104004a79e3f44a6576a04a6142000044c7dd79120000603c00006360040063780000636408ef6360ae15803c967484600400847848298464f27b8460fb2ba03c3a84a5600400a57866dfa5640e85a5609421c03c544cc6600400c6788ed8c6642d18c6602715e03c9877e7600400e778527ae7644a11e760b221003d4162086104000879f61f0865aa6f086100f5203d4c23296104002979da1a296595bf296193f7403dde994a6104004a795ee84a65a0514a61d50a603d34f96b6104006b7921196b65ab4f6b6122000044", 0x278}], 0x1, 0x15, &(0x7f0000016a80)=[@featur1={0x1, 0xfff}], 0x1) syz_kvm_setup_syzos_vm$x86(r49, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r42, 0x0, &(0x7f0000016ac0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000016b00), &(0x7f0000016b40)='./file1\x00', 0x1000840, &(0x7f0000016b80)={[{@ownmask={'ownmask', 0x3d, 0x9}}, {@uid={'uid', 0x3d, r39}}, {@gid={'gid', 0x3d, r25}}, {@ftsuffix={'ftsuffix', 0x3d, 0x1b2a}}, {@ftsuffix={'ftsuffix', 0x3d, 0x95}}, {@ftsuffix={'ftsuffix', 0x3d, 0x2}}], [{@uid_lt={'uid<', r37}}, {@subj_type}]}, 0x1, 0x2a, &(0x7f0000016c80)="$eJyq3PSiSzhjn1ni6QQv2eL9NXzv/l1Tb+R79PvXuQuAAAAA///Puw+p") syz_open_dev$I2C(&(0x7f0000016cc0), 0x9, 0x107c00) r50 = clone3$auto(&(0x7f0000016d00)={0x2, 0x27e, 0x5, 0x2, 0x6, 0x0, 0x6, 0x5, 0xd, 0x7ea2, 0xffffffffffffffff}, 0x90c4) syz_open_procfs(r50, &(0x7f0000016d80)='fdinfo/3\x00') r51 = syz_open_dev$ttys(0xc, 0x2, 0x1) syz_open_pts(r51, 0x8400) syz_pidfd_open(r16, 0x0) r52 = pkey_alloc(0x0, 0x0) syz_pkey_set(r52, 0x1) syz_read_part_table(0x67, &(0x7f0000016dc0)="$eJwAVwCo/6k57hMEqlDNSDO4ZVQCcLxIue9czoZuafU/43B5GQ8/SfKEAJSVthoZct6TJycbea3BUcvLUazBD0Yw9qOvvKZmop6ihOZrQz9pF64MLnCI87vjyBXT9QEAAP//A0oqtA==") syz_socket_connect_nvme_tcp() r53 = syz_usb_connect(0x3, 0x840, &(0x7f0000016e40)={{0x12, 0x1, 0x300, 0x42, 0x66, 0x24, 0x8, 0x2357, 0x9000, 0x8c65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x82e, 0x3, 0x7f, 0x2, 0x20, 0x5, [{{0x9, 0x4, 0xce, 0x7, 0xf, 0xaf, 0xe8, 0x6e, 0x0, [@uac_control={{0xa, 0x24, 0x1, 0x7ff, 0x6}, [@processing_unit={0x7, 0x24, 0x7, 0x4, 0x4, 0x1}]}, @cdc_ncm={{0x7, 0x24, 0x6, 0x0, 0x1, "a34e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x7fffffff, 0x0, 0x7, 0x8}, {0x6, 0x24, 0x1a, 0x9, 0x4}, [@mdlm_detail={0xd8, 0x24, 0x13, 0x1, "fcb64e07cbc613ee0fb47b172d8cb25490f7d08dca4c04f248b0d2c6c5d4fd13c90c337dbfe045783ce1ee1399fa76c14b25f5c338b041833f787b776e0c3c255189f0694e731cc1edd1269dee99eed04d16af2ae0f124510006a64280fbf1ac1146beee985883566c169abff09e46018c5ddfdcefb4c06a4626f8eeb21b618fe70adf76c204c1a9305d06d90852b606a0698c6678280d4829c78171526b7cf0cf95cab7e3afb3b58fcfaf6d70eb433347fbae1294b288b8d339b3d78fdbc0f227907aaa921ca3026e4c5ce34211e3c907b42ca6"}, @mbim_extended={0x8, 0x24, 0x1c, 0xfff, 0x1, 0xf51}, @mbim_extended={0x8, 0x24, 0x1c, 0x80, 0x2, 0x7f}, @obex={0x5, 0x24, 0x15, 0x4d}, @mbim_extended={0x8, 0x24, 0x1c, 0xbf26, 0x10, 0x7806}]}], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x40, 0xb, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x4, 0x8}, @generic={0xe8, 0x30, "68849f67c98033bfdc9bc67c706e689f08da2d587b668f1f676bbbc38f71f68c0129159b912f3288af2d8f5b2a9e6a416c8e3445c333df5f7008233683c674208456cfcb7a598fd1430b9bb55e9b6fbf6cd0797ffdb48e94a2bb0a7b924dc3fe2c8b37ff8b6d67a0551a582d713454dc2f829c5fa9bb41053a7b74b601c8ab8454e2d48d213eb4f873d9693119cf01d9779afaa261bd19f84e3998a27cc27fdbaa15467cd6f5442aec6c7d12861746b6bab7b93701f011de1e995c1c204b4c2680503a47bad86fa429cf00ded48239fb555ab98087edeaeeba89b14dad51b1993c25e60109bf"}]}}, {{0x9, 0x5, 0xa, 0x1, 0x40, 0xf7, 0x2, 0x5}}, {{0x9, 0x5, 0x5, 0x10, 0x3ff, 0x7, 0x14}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0xc7, 0x46, 0x2}}, {{0x9, 0x5, 0xd, 0xa, 0x10, 0x40, 0x8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x7}]}}, {{0x9, 0x5, 0x8, 0x2, 0x3ff, 0x10, 0x9, 0x8, [@generic={0xf8, 0x1, "8709dae6274078001913ce2efbcb79ab1133baa4f7e07b3b2c7ff70389e902b3684a95a29997f2d20ff4af270d19a8e0b4f24df512a7981b5cc217941cc55d0ee52777d5469f8d59a8b5b4a6e4fe8c2c9450b47d3153ab98f8e25d699873d3bdb2640075123c4c4bf270db5a2e30c478e75e0e80aca0d41af746e3efb598b2dbec647abd397b0efbb2e744238a48cefe4299f48385e74d325ba52c15b168234a996d3257eaab4fefcba6b898c91dd99e0c080a10191184ea552c28223c35e63ea9406888a94759ad4c30baec3d37bc12628f39fd0e1ea1665122b4a04adec0d9632421ac7518851c5c9256a33e291201a3af1af8df0a"}, @generic={0x66, 0x4, "e24af39366d6cc5b860379367e9b5af91238a8ad60d4d3330b86615c238b9adc150ca8d4d89f347cefed3502f2a64669ec10c9352cc3f00bb7bfff70a34070247f372fd56b348f50f94509038994df699dd0bd1e0f291424502d0abfa275df94ab99686b"}]}}, {{0x9, 0x5, 0x3, 0x3, 0x20, 0x10, 0x6, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x2, 0xf}]}}, {{0x9, 0x5, 0xa, 0x10, 0x20, 0x2, 0x6a, 0x9c}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0xa6, 0x0, 0x3}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x8, 0x6, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x80, 0xfffe}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x8, 0x6}]}}, {{0x9, 0x5, 0x2, 0xc, 0x20, 0x7, 0xfe, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x5, 0x7}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x94, 0x9, 0x7, [@generic={0xdd, 0x30, "77867ea85d1b66ca1b835f1ffe80b4e15a4297fd75060e9ca4a21e385adab09508051dd6105eaa7cdcecdcc320bc7f956eeb82394feeae2b09c0990c54433f3734da18ccf13f5fcc5bb32eb3bb6b062a282989582d898d9e25f97d5d3927fbc22c45904983860eb61eafd34b54ed2cc8b55cf197d31bbb18106360ad77240c1f44fd50f1a944b9f5557f95e94513b0ad4d6079e15e8d3b4301027dece5a5ba8488a265ab3067ce7d0f2d5ad3117bddf068f591f61d6646f96a3772bb1d8807ba9dd6d7a0beecb27298c3f090b2b7ed72979d14deae685d250f2cc0"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0x70}]}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0x7, 0x0, 0xd5}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x0, 0xb, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc4, 0x6e}, @generic={0xe, 0xd, "36cb58afca23d3e3cd43840a"}]}}]}}, {{0x9, 0x4, 0x8c, 0x0, 0xc, 0x77, 0x71, 0x4d, 0xff, [@cdc_ecm={{0xb, 0x24, 0x6, 0x0, 0x0, "378790738559"}, {0x5, 0x24, 0x0, 0xdd}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x926, 0x1, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0x7}, @country_functional={0x10, 0x24, 0x7, 0xf, 0x47f, [0x7, 0x5, 0xa5a, 0xf25d, 0x10]}, @ncm={0x6, 0x24, 0x1a, 0x100, 0x1}, @country_functional={0x6, 0x24, 0x7, 0x9, 0x81}, @country_functional={0xe, 0x24, 0x7, 0x10, 0x3a, [0x1400, 0x1, 0x3, 0x8]}]}, @uac_control={{0xa, 0x24, 0x1, 0x80, 0x80}}], [{{0x9, 0x5, 0x5, 0x8, 0x200, 0x39, 0x3, 0x2}}, {{0x9, 0x5, 0x0, 0x1, 0x10, 0x6c, 0x9, 0x4, [@generic={0xec, 0xc, "cd0d3ce6b75c2b01f97fcb20adf4d99a5a6276a0a0717a5cbdaae5bde2286c78f23ec6527fe1490d74ccaf86bae71c9879a22fb098f798415a4210a098cc4d7658353019718991bb6a8d77a8e7b5d4507404e96ff45614cb5cdad6985e76eec52fa70774a80ce5407b62d01051262f8136aa68c22ea4115b5e27653c40a81cff49a13bf79d599e1eea6f2ab7897c7165b36cb683a87ae079d8ff5f450ddff53f2a7a042d0732f9357ce23fb6a1310f9584d8a7557b654936d97d49be797a565302d1e615a70061101f01cb75333ed4fc3fb983e30f4904195e253a3add43bd069794bcace63863b8c55b"}, @generic={0x31, 0xe, "a6772f6053bbf3fbcc2e4b92794df700a7499308d02da807f64c0bb6a2df535b939af7a1a2e98682e084019d17ff1e"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0xf8, 0x0, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x1d2}]}}, {{0x9, 0x5, 0x0, 0x7, 0x400, 0x7f, 0xf9, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x5, 0xb57}, @generic={0x43, 0x1a, "cb18238b9bb4f2cf09a9e512ee7299837421b4dea8530c6a24f72229b4c3803db0b8159c4fc1d0c512c36706f72652839ab687708e60653bc855f3efc0191d44ce"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x10, 0x5e, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0x2}, @generic={0xa, 0xd, "0ea835cf6f9897dd"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x8, 0x8, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81377ff213a15d50, 0x40, 0xc590}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x4}]}}, {{0x9, 0x5, 0x2, 0x2, 0x400, 0x6, 0x6, 0x7}}, {{0x9, 0x5, 0x2, 0x3, 0x200, 0xe, 0x4, 0x4, [@generic={0x5, 0x11, "b9f5e7"}, @uac_iso={0x7, 0x25, 0x1, 0x40, 0x6, 0x6}]}}, {{0x9, 0x5, 0x3, 0x10, 0x0, 0x8a, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x9, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x73, 0x1ff}]}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x8, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xd}]}}, {{0x9, 0x5, 0x6, 0x10, 0x200, 0x3, 0x7, 0x0, [@generic={0x4e, 0x21, "de218ddf3078a6fbd86d425731334bc46cce8cf519b9cef7c417703ac6b7c8d919df45ea16b8089069bbf34f03abe752c1ee7d7e03a08637bcdc17d4cf34c2756eda9fbf09fdfcfca3052859"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x6, 0x8}}]}}, {{0x9, 0x4, 0xb9, 0x8, 0x3, 0x5b, 0x5d, 0x4c, 0xbf, [], [{{0x9, 0x5, 0x5, 0x0, 0x400, 0x9, 0x5}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0xf9, 0xea, 0x2}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xee, 0xbf, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xc7}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x6}]}}]}}]}}]}}, &(0x7f0000017780)={0xa, &(0x7f0000017680)={0xa, 0x6, 0x300, 0x8, 0x4, 0x4, 0x10, 0x3}, 0x5, &(0x7f00000176c0)={0x5, 0xf, 0x5}, 0x2, [{0x4, &(0x7f0000017700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000017740)=@lang_id={0x4, 0x3, 0x425}}]}) r54 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000177c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r53, &(0x7f0000017a80)={0x2c, &(0x7f0000017840)={0x0, 0x1, 0x101, {0x101, 0xa, "3681db1760f476d161e6331af001dff260ea6b4a4cea6097ecb1958b59faab7a902848c262a0bb7bb004a6454444f39114416399cc7a71e71547c56a02f133907f22c3f12ced90a4d6ae9ff8fd98b3e7cd83d8745c649289b5fd78f706859e152148d76f8f0d0fa049834365be85ce2b50358758a90b57339c874457410ae277d2b118f38427a932a2c7cacc09aed3ee5730793f36dce0ed57b9c65ff63c7eb7ebbfebe9094e0853051b9f3dfaf6c2ab61265b3af1f34872569ff3e04b2ec1ef09a3692a88292ffa38b851e6fe031a70a551e8844b16d138ce126ce0419571f4349aee237a2bf6fc52cb78f26f30c936902d7f29d3a5615dad86e4c69ca03f"}}, &(0x7f0000017980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x4c0a}}, &(0x7f00000179c0)={0x0, 0xf, 0x5, {0x5, 0xf, 0x5}}, &(0x7f0000017a00)={0x20, 0x29, 0xf, {0xf, 0x29, 0xeb, 0x10, 0x81, 0xc, "e76746f0", "f19276a0"}}, &(0x7f0000017a40)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xd, 0x2, 0x8, 0xe, 0x7, 0x8, 0x515}}}, &(0x7f0000017ec0)={0x84, &(0x7f0000017ac0)={0x40, 0x17, 0x1e, "63fd640c63a3d40d56edf64acb1036df01c37dff2b11b8bd6dce4f20b2ce"}, &(0x7f0000017b00)={0x0, 0xa, 0x1, 0xfd}, &(0x7f0000017b40)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000017b80)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000017bc0)={0x20, 0x0, 0x8, {0x80, 0x1, [0xf00f]}}, &(0x7f0000017c00)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000017c40)={0x40, 0x9, 0x1, 0x6}, &(0x7f0000017c80)={0x40, 0xb, 0x2, "dd91"}, &(0x7f0000017cc0)={0x40, 0xf, 0x2, 0x1}, &(0x7f0000017d00)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000017d40)={0x40, 0x17, 0x6, @local}, &(0x7f0000017d80)={0x40, 0x19, 0x2, "73dc"}, &(0x7f0000017dc0)={0x40, 0x1a, 0x2, 0x8}, &(0x7f0000017e00)={0x40, 0x1c, 0x1, 0x81}, &(0x7f0000017e40)={0x40, 0x1e, 0x1}, &(0x7f0000017e80)={0x40, 0x21, 0x1, 0x7f}}) syz_usb_disconnect(r53) syz_usb_ep_read(r54, 0xb, 0x6c, &(0x7f0000017f80)=""/108) r55 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000018000)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x40, 0x3f0, 0x4, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xba, 0x80, 0x1, [{{0x9, 0x4, 0x0, 0x7, 0x1, 0x7, 0x1, 0x3, 0x5, "", {{{0x9, 0x5, 0x1, 0x2, 0x8, 0x4, 0x2, 0xc9}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0xfb, 0x1, 0xf}}]}}}]}}]}}, &(0x7f0000018180)={0xa, &(0x7f0000018040)={0xa, 0x6, 0x300, 0x4c, 0x3, 0x7f, 0x20, 0x81}, 0x2b, &(0x7f0000018080)={0x5, 0xf, 0x2b, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x2c, 0x6, 0x60, 0x64, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x6, 0x7, 0x1, 0x680}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x2, 0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0xc, 0x5, 0xd4, 0x21bb}]}, 0x2, [{0x55, &(0x7f00000180c0)=@string={0x55, 0x3, "8a4234831e8888aedd9ad22d4f28938cda9aa9a900037c311cae82fd231caa312795c2b2f747f7bedc807a10652dcf379da07ebe9635310275c1f0ed956da64df98af4ea239c452aa85b311b94d471e9d3423a"}}, {0x4, &(0x7f0000018140)=@lang_id={0x4, 0x3, 0x83e}}]}) syz_usb_ep_write(r55, 0x4, 0xa7, &(0x7f00000181c0)="c9de81d2b7fd1d65610b4083b89828a1eeb3c1fe78e802b87bcad52205e7f4d5773025c8c92cf009171f12788aa9afbf0167112693c5625eecd433f1b0ed30d3ef6194f9afe363c1334df356e261dc73f07cac0e40a0348c52257f14f9a9f60d5698352069eed46ef10f4a97b1560f7605b0aa631949af14354c1acabb768609d122466f6849102936f4001d18015df428570b6e59759b75e723b1e612800b56ea89a55d2c6378") syz_usbip_server_init(0x5) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif #ifndef __NR_statx #define __NR_statx 332 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak" static const char* setup_leak() { if (!write_file(KMEMLEAK_FILE, "scan=off")) { if (errno == EBUSY) return "KMEMLEAK disabled: increase CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE" " or unset CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF"; return "failed to write(kmemleak, \"scan=off\")"; } if (!write_file(KMEMLEAK_FILE, "scan")) return "failed to write(kmemleak, \"scan\")"; sleep(5); if (!write_file(KMEMLEAK_FILE, "scan")) return "failed to write(kmemleak, \"scan\")"; if (!write_file(KMEMLEAK_FILE, "clear")) return "failed to write(kmemleak, \"clear\")"; return NULL; } static void check_leaks(void) { int fd = open(KMEMLEAK_FILE, O_RDWR); if (fd == -1) exit(1); uint64_t start = current_time_ms(); if (write(fd, "scan", 4) != 4) exit(1); sleep(1); while (current_time_ms() - start < 4 * 1000) sleep(1); if (write(fd, "scan", 4) != 4) exit(1); static char buf[128 << 10]; ssize_t n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); int nleaks = 0; if (n != 0) { sleep(1); if (write(fd, "scan", 4) != 4) exit(1); if (lseek(fd, 0, SEEK_SET) < 0) exit(1); n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); buf[n] = 0; char* pos = buf; char* end = buf + n; while (pos < end) { char* next = strstr(pos + 1, "unreferenced object"); if (!next) next = end; char prev = *next; *next = 0; fprintf(stderr, "BUG: memory leak\n%s\n", pos); *next = prev; pos = next; nleaks++; } } if (write(fd, "clear", 5) != 5) exit(1); close(fd); if (nleaks) exit(1); } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 63 ? 4000 : 0) + (call == 72 ? 200 : 0) + (call == 74 ? 3000 : 0) + (call == 75 ? 3000 : 0) + (call == 76 ? 300 : 0) + (call == 77 ? 300 : 0) + (call == 78 ? 300 : 0) + (call == 79 ? 3000 : 0) + (call == 80 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); check_leaks(); } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_leak())) printf("the reproducer may not work as expected: leak checking setup failed: %s\n", reason); if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6305:17: error: '__NR_socketcall' undeclared (first use in this function) :6305:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2641725101 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/5 (1.24s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$MON_IOCX_MFETCH(0xffffffffffffffff, 0xc0109207, &(0x7f0000000040)={&(0x7f0000000000)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) (fail_nth: 1) r0 = syz_open_dev$dricontrol(&(0x7f0000000080), 0x3, 0x105400) (async) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0}]}) (rerun: 4) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r1, &(0x7f0000000140)=""/106}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000200)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000240)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000280)={0x0}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000300)={&(0x7f00000002c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000380)={0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f00000009c0)={0x0, 0x6, &(0x7f00000003c0)=[r2, r3, r4, r5, r6, 0x0], &(0x7f0000000400)=[0x7, 0x80], &(0x7f0000000940)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000980)=[0xff, 0xfffffffffffffffb, 0x9, 0x100, 0x4, 0x10000, 0xfff, 0x484], 0x0, 0x73ca1ec4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@action_no_ack={{{0x0, 0x0, 0xe, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1}, {0x6}, @broadcast, @device_b, @random="01abb5a42e6e", {0x0, 0x5}}, @smps={0x7, 0x1, {0x1, 0x1}}}, 0x1b) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_bprm_check_security\x00') r7 = syz_clone(0x42000100, &(0x7f0000000140)="d1a222a113afa50937eb93a69f4a6daeb1c51185973fcbcd8ac1511fee5166f0a2d7b107ca8ba74b42ac080422e3e26c8fd0707d3352f3e0467c446d0fd59fdc796204deb520c9f39ceb06b12c5dec1f8d80435d3a9531b3c8c63eca16670b0be3277698485a45d91a4737cdc17c96065423348e497b473b96cd4d870b360809cfb9631f7a2cdadf25baade0a028dfa84875eeaea710f44ee0c60be31d07667921375cbf5e90565a7594d78c49ee1a773a21696e3e0f6e9d5a9cc8261a51990269f06e5642a81055ab67", 0xca, &(0x7f0000000240), &(0x7f0000000280), &(0x7f00000002c0)="4ce639fae6a5b1dbfb9b05cdf44c3b14df7c001ef8931a5117ea1ba175c0a1e0806dec26a61e38c8b355e6334aab16936f3b9388ce1e115787f0a164e987d9e1339bbbdc21479403322cf6c7b55dafea9cf527b32532be38a2f0557907e357b05e1986227888aac6cc43a9e5ea5e3c093b693d4d13b378ac2243") r8 = openat$cgroup(0xffffffffffffffff, &(0x7f00000004c0)='syz0\x00', 0x200002, 0x0) r9 = syz_clone3(&(0x7f0000000500)={0x8000, &(0x7f0000000340)=0xffffffffffffffff, &(0x7f0000000380)=0x0, &(0x7f00000003c0), {0x3d}, &(0x7f0000000400)=""/54, 0x36, &(0x7f0000000440)=""/57, &(0x7f0000000480)=[r7, r7, r7, r7], 0x4, {r8}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x98, &(0x7f00000005c0)={@remote, @empty, @void, {@llc_tr={0x11, {@llc={0x0, 0x4, "d4f0", "3855a5dee3a80835452966b4819b8e62fe420ebc741cb5df2368e0d83b02a44133dda9714f0ae883ab9c1c66c38864627043bb1cb645f8ca7ee26fb421090e98e576724d716c681bc3e802709219450517396e0b82978a08ba9cd791a977b9971dfcc61a5318a165f4fccd530654e11d54ca4f12b28362bee6c70bcfa1ce0d983864306cf6ad"}}}}}, &(0x7f0000000680)={0x0, 0x1, [0xf2e, 0xb2e, 0xcd, 0xc93]}) syz_emit_vhci(&(0x7f00000006c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x2, 0x12}, @l2cap_cid_le_signaling={{0xe}, @l2cap_le_conn_rsp={{0x15, 0x3, 0xa}, {0x1, 0x1, 0x0, 0xb, 0x9b9d}}}}, 0x17) syz_extract_tcp_res(&(0x7f0000000700), 0x8001, 0x7fff) r12 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000000740)=0x5) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f0000002900)={'\x00', 0x7, 0x7eb, 0xd8c, 0x6, 0x65c7, r7}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000002b00)={{{@in6=@loopback, @in6=@ipv4={""/10, ""/2, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f0000002c00)=0xe8) shmctl$auto_SHM_STAT(0xfffffffd, 0xd, &(0x7f0000002dc0)={{0x7, 0xee00, 0xee01, 0x3, 0x1, 0x2, 0x100}, 0x8, 0x1, 0x8, 0x0, @inferred=r9, @inferred=r9, 0x8000, 0x0, &(0x7f0000002c40)="04dbcb209f35e5ddfdb1b3b7a741cb0da9e7b4a97e26e4d64ca5560ad3ea50d519bbf049c3135111c4de1f36b6b308bbd028e4495d46ed8393e759fd0a3a8a87f1db8749da45e9a5f999f3e74d920ce20c4d2bfe9ca72e5faea34e254ebb9ca9", &(0x7f0000002cc0)="9e746e3d219f0df0db9f4dac0afe9fc6a3ef5fcab6058f83fa7cff2a82d20c2e4f575259eabbe06734843f871e50f4d47bd62ead38d7be8ce30b95115285d16abc718c0da482b90f24299f3017ce2a536dab659aca91d1cf689107448150e4566abf4c057bde3c378236a3781059cc800867309fb208ab69fe7d3fff31198f363305539ba5a17423bd8345e10a2507adfd0b0df310c33482d2cc9c9ba7bf80c8c7e2159c09d9402b1d7ca88f84e7b4ceb8a193ece6dd5faa70429fbac4f1020c7667302d4a57ab637f35ffe42e58593fe3ece07b5d637ef6d973342257fe2c5b1169399909ba6d369fde"}) newfstatat(0xffffffffffffff9c, &(0x7f0000002ec0)='./file0\x00', &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) lstat(&(0x7f0000002f80)='./file1\x00', &(0x7f0000002fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) newfstatat(0xffffffffffffff9c, &(0x7f00000031c0)='./file0\x00', &(0x7f0000003200)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto(0xfffffffa, 0x19, &(0x7f0000004380)={{0x8000, 0x0, 0xffffffffffffffff, 0xfffffbff, 0xff, 0x7, 0x5}, 0x3ff, 0x5, 0xffffffffffff05c3, 0xffffffff, @raw=0x10000, @inferred=r7, 0x6, 0x0, &(0x7f0000003280)="976ff34290bd8bc7a7cbfc2a01cd57bb3fef9efb9836923feab6b22096e6a7f305b4a4725f362d86ba08a346f5ad87651b24794b4ee5813e0557b0ef0a7c19b1eafef2a16909abb9c855ec4536adac1b482e8e5a1dc478a025feb8b6304bdcd475b1d917a5b6c9d27a6b4858cba4d25301fe261bf12313f6e8224fc5ab0bb2fd404104ddefc2f27a36d9d10ecac7929db5ffc1df4c6fb6e5637020abf5e6504310ab6de659b656cee8ad04d046756ddae33d8d223854dc8c318392482cb991827824f40daf98da166c916dbb8c156c42197b664d7590e6d2cf4ea3280f84051c9ee3114142db27536bcd983f170f221c15dae9a11a52e84253663ea4308f", &(0x7f0000003380)="2c9f8f388d233b4f054cde11358eb632feac99157236e370ad09ea7b82ba5785b9e9afa9e686a62a5d2d53e478ad6bdc5fffb647b0835e147419667c9a116d7dc9628b1e9f7f66533e8e736b4a659a784c610da8c50010c4ad47ecbb1eb2ee6aa0b49090e709138ab2d171e1dbdd6e8653e06212391e7dc1b28bdd23129424500dcd8343ba198c60cd9701af62b4662b082ddc55e8149d60891c650e774755fc3a0d100ff0bc676b466e3dec52ca77d2c4ce103fc44bb563b3c182cf2f65541303d2d29fcbf5a3f42288f8fe1c236c3e12170e7ac600c5265cc5974e25597f049e9c015c76dec0d7cd2979cce123ad647297958c9d7dfbc36afc2ae4b9d2c09ac172a04dacffae8a50219a4ec4adf06ff80747d40c46ddc0764af4d7782807b8f14fb797b2780bb68e6b2a95dde508f4063c65d87143ff2466fe29ff3afa65202a99240c57990e20c5f34a95bd813572f47d8d482db3fceb9f1c54c8a8dd6332e83fa39d6651c7b78fa971ee88756e2e5a3fb029c77a48fd4164f107c882d1743bf852c14866a437ca56d1d2d199f93f758719d2293c5891b77e860b2b7c665129fbce455e93ce66b675619bbb23629d2bc8682ed4695d8c6afe256d372f9fed839de5b5f68d1d30cffb1a4e7402b9551129edc4c2deec8c16714ea309cf20ac7f17f5fd3cb97bfbff2dd36216b8f73403607b4ecb2dc42448eed56fb23266bd0fdf7eee43f34be3706ecc705927ada3d84f94d8a2898ce00de369c607552f6994ec15f66ce65c4952e30581ede46a2033589d2c28994bda0531943919e301a6d8187da7b498966af1fe3e410e5c167afb133b3e5e40db618703977b24002f621183b61a6b680301387e2d89565f0f62de825516d349c174c07924f4a8dffb281709e997af6da5a62a954969b5335f3074f2400245a77b195131d26ce43e17c3a201a5b8518f8f961f2be9d170c6f5b2b236a394456e577bada3307f4eaa8e0352bb595037e7f30f5ddbdf014ba5b6f3cee6af1fd4744fd0bbac1e2ce29853c722956da7de4e3fb9241820b0586ffa29da5b6cdd12da1a0418643b4ba96bb43242146f6c0a33980b9385da283a2a052b8c201f4239f957fea5f23efcd5ad3bb076abee60ce467eae6805e186e974934280a267dbf7320cb90fe9322bdb6ce809bd35b4130be87119047efd755cc747743e6da51b24af5c01661be2f813cef7d7ed9b61e83e0dca2c8221525b281570276a5958c2614929794c2d55a6b15d1701b1961a078edeff50e0eb0e02d9b1d402657ce25bdaaf910ba4549483631a5489ca98fe979c54c7400c9cc68fed1ab00c402f49d36c4d7b2fb273f392aed4f8def256d409e50d26e7251f91b9f5bcd8e84202e520cb7fe434744fe3a8831c1af1eb20a8f88579ab19268d7eefc6dcd8c94e3b6896e336e0f738aa244c2dbec12324a8a1ca70e040d07a7900f76f0b09e0faab4244d568c00309b8f31157d91788c871d616d0572a26f9bf40b2ff8f034dd9646fb13ebad2951fb7a9ea5509211359759fa495722e0ce6e24b48e3d2a1ec6939838040d00cb908d9edafa8c3845754bd5be90f6f92cc70338b3b1fc072cf2682740371caedd80fece859b1587f04147f50c5a9be927b5d51ae428a1c7e4b594ec242a0dab90581742428e5db58ac1ae32496f37119820ae295a3df7a95509d05d75cd778b54e44a317eb901c7cc28ff74ab53b6f4fb4ade0fc4af2be36d760476ca853a782e7614a133a99f1e5f0f12b9a958e70250fc9bdb898dbe34d8ee32b23ee9f0192fd4bf8f9622edd9f7acaf4f4b92673ccff23227c94132271735ac83de739c85cee73abf94ea2fd0e5b9c54fb7a2bc8771edfe9ba3eb70dcce56f7890aa8a2028e6d318ec234b525626e2460c4d007e74f7ad4068015a5032fb6fc553b27faf764671222ef4b39804e300d9a58eb4d9db9f3fe20127daadee117874ff95e3676e37bfae3061e95a71e97b15e24349f07856def173d2ce459affa77c5b47f8b677a1658f7d89af72253c800e62ce2b11f4bd837fe980f02d4f9719c0fe48454f72809deddaa972d65282ecffee1569a2a5377096ff3f010044e71be8baabfe65e99be10386ada70abfe86e7a4ffa8753f862d2704ceceb6df34a6dd48675441f7cca635e401cb2306d1726e1c3c04266419e991188e77cdfe9e0aa13c76107a2a27f7216b42a690c0063c92fd222f45fb0820d0464ef0b7ae6515e8174c7f90ffdec6dc2913d5ad1feb80617701623363a4e735107b300231ca5624addf083e075aca1d18d95c01b7357a4118fc492c07ff1c0711a9e00bd78ff8e431d7af674dce55832f45901f235b7824e8ad0ed0d8d67f7ff612ff1eca74a4deac721fd1c85980d87dbc8dbef59f3754720f0b926c25e84b1d7605c505f8e75038fa29f38cbfc97712f92447585a45475a90db7d81ce2b42929fa6ae4a6790560025fe0577ab52358f0b098800458666bad646991e146ec904511ca2655183631bdf0d5405879d6f69932c844190e2d916a7ae65da287acf801209648800a1dfe3e9b38f7b58641b0fc1804f9a279d8f4c803d0565650606f60a7e99fe461ab36d725ca764611cc203ffde0f06ad87cf91602381f1ec7aa255b6d21a85fe2e32a060f18b53385476db436919f9ee6995704046350e098ce1e66a1b8328fce20e1f8c98cefaef29cbac0bd9c0f1914538abd48436e92bbcf1271ac66ced7a53013f815f015f36180e323ac8247128a915938c89f711332d9758935180eeac8b8c9f99f9f306d3481b3a68bf9613360681a92437c7bd80adf9899093f3286fd18540a8c742510db91e48a1255dbcd218fe7a34c5058ad59a6962abff5327facd4c2b3a51ae13347d56a19f484ef62d52799ffe802c9fedcf9c076896018db33cf2bd9b0ca59de3f7487a273f7e8cb6d090b14a83ddd2f261d41f0fd1948e0be62929fc668b9f13753e61d08b1a88752dbfa315e79c2d81881190d2b6ad33ad8ac036e5a22b5ea8225ea410e9e8ebf86c4a7ea49765953cd96d05431157a8048fa61b80ba606cf53af8349cfadb89559fdf204ed283d71bbf700a9cc3782607896c851b758405b007e6150cc7e6586debda12a1c4b2b6366b3879623cf9eed75d56f4abca9151eb504670a4a518c668ed9488d8b5f1f212ea69c51a7497260c2a4859488b75960313dd3f29bfb75ea094ba325f79a028d07dbf2137bfefd261b0c5609a169d5f1bbe1815f06ae4e26f5f3f4b36cccdd3fb7f8adcb7645e37ed7d9b63c9e21cdc5954e2852bbfee5bc30a978399189e63b92699d810c589d61d0cd0c6bf4ffb892537e0ef1887d1ea047290ff609584a00dec798f8e72e06c1be8399ea069fd13caf0e1b4cd66f84e26869167d54b8c43c967b270bd8561f99dc84024223402ce0957d93e8582bb8f4583cc2648861fc562fc2102a326e921a418fd518ce636e4e3edc36fd89bca25add71accb89d777070526d9cf7274dd486909c3b142d27fb0abd467be27c36e8487ccda73ad0c89adecd36a08c37ce15b876fd2121a7b0d11bde86759eeb66287b44c61ced7f74a143044ae805869d31a1b1c44b8150d8d630debff9e95c31187b774441fa8137c08ca316ab778159917dfbeec94529d3a12c16b9f39c4d77944e6f16cf9b819f9d8a42ee73291ed84e2d584b305aeb799c2cd76f3afd7e826bef0b77159bb4dad1139eaa9cde7bbfdca740addb511eb8b91d548e18d7cd691dce8578382ecd09ead356f85a4acee4bb8b19342c748ad9704b11e1d9b02c0218ca3e799ab80017052fdd66e9101a00b7657ebdc89cd425334a916df19dbdaf6e4f63bc03492913c86d058ea61685df77a06e0df07ed3fc1f92df067e86d0033640c10f40c279c264c477b2899d4a244b67ee884e519b4dbdc5d6f1c3ab67c123a597974bf3a57ecc909be9133917017db1d7c9e192618524a9392957afebeefb2d8bc4761034070f4179582226e34b1865d26be00c9bd31320c313cb509057c27f1274c78f471bf69b85dbd478237383be86c86f4b0117a2b157820832d07d88d2e78a9aba0b045a19dbf8a6faed40e41ca47c013c2903e69f2ba49b07b36e1f3bd69bd4a82ef2a428a831357d25f5568b69e9422a3ba9533fb5ec240a391aa7b612acdd3502fe9296d4fa02af39f21f159af528daa3894c3d10bc8f70f204153a066e1e6e1174232fc420ec647e29bb4688f26c7d463cdeb95eba4c0d1ed3f5fe41d5e34c0b27b587454fb403e8c9a0fe90f53174d547dbccadb6481c48c979cf3414d0d47160a0b9f6d9a4fa8489653ca2e924223a8a52ba63fbc1af034cbf44cca4728f09e1f57706d6107eedc0659bb9c6d8a3383f11cc87e53aae6dcb83853379a6c0d536b1e06773aff31ea600397c43a66f302837d521fb6abfde5beed88493a5eecfb26ab6fc3f879ec0121f3aa7330bfb82d14528d9c5e2033c05cc6b60f6669273f99099a5d72c2c5144dc0b2aafe0fe7bd01ebae29bcd82f4ca43c5a22974c3c9d923a62e390532e2774800015307b8aeaf1b7a061fe77131a5e12a9cb090eda584acdad7bd8afb20deab65d7d1cf3d16ca8187aded08a9dd9bf830ceb1113977211035b1a9051ae1ca5f1f326e4a6e257b62d7792effd005f183df782bad319bda67a92386c6622d002ee87cfcb1a4f9b4bb4217e8675299f2d8c8f8a6324d3602f768390a12478e7afd2d52cd23567b1984d48d855cf072140126ab0a8942759cf3898f118284d2a933721d71db420e830c88e23b1f07b4425b97d0b8374bde0cb8c3be352471c15c0db69276261763f46ba3d043ef637dcb3f9b0f2d4340029222be810bfcc54e447b9ed750f2f275971a63ad6127bc7423c3fe8fe22f281a727b9496b703f0f68878ca8e117485eb7c8a7b38266bd5a07b5a2f8a9c0d02ccf8c8f762bd1ad4b215b295969dfcb9f19c13d88f72b54e59400a7201ac79fe2fcaf329c8e35a3eaf2417621a00eb5cd2da50c611d5b33e35997071bc1fa35d6cc81247c17bce39d225172ed4a10640cad8178865b307b866323a25569b6ad3292cd47f73044ce58c454961cb5523788a14cc46228517312b74793f0336092e7e30a0da14318945ca2312922bdc8f6e9a4159913fd72dcb4e4c787796ee465ca2bf4cf3628725a391197efe8104ea71c630b72ccf8fe427be80a0ca6b14f53ff9697b6279f0b2cd23e356f951d7c08b7f146ebaa3cbaa6a90d1d9af187e21c829377781d75d544662845d403226516f4052479d8ff176e24ce5510d6e33f04438462386babfc53be7cfb6015296979fe4122192cd44b046ea7e71238c0d3060a38225b9afabaf1693354b3521e2aaf5de3e85e5c586765ef8e2f9c98b8ed4a535f6708f0f171895b57da981c4b3d851fc78322857b8fcffdfc34fa3ef658eabd567b2ff35f0ae288701a811f725c8719daab4725c7bae2a7174861812ec8e9a999a4a7dff379008fb7a93bb9d5da43ea9e10819f914119f474df29acdc90e1b4901fa8d2806394adb6d34f564489340015df154dbd9e9bfa669e277a4c3522074cda8f036e1c762a2abadf3878e7b70598e4df8f7d6e134e13509f1f3eb2a461872adedcc36407d03d453e710f3b0305b35c069bcf6550888be2c3df879622f7c091605c2b473384e4aabf373845b643893ea03ca9a2332f7276ab52ea5e69a3206d0b29eca19fe9b561d58748f0fb5f7cde5d32ad768133a5733db27411ac56849c31c9cc9877cd771ad87db0014b011c071a8a57afcc9111fad241"}) newfstatat(0xffffffffffffff9c, &(0x7f0000004400)='./file0\x00', &(0x7f0000004440)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto_IPC_INFO(0xe, 0x3, &(0x7f00000046c0)={{0x89d, 0x0, 0xee01, 0x3, 0x0, 0x1, 0x7fff}, 0x8, 0xe40, 0x7fffffffffffffff, 0x5, @inferred=r7, @inferred=r11, 0x6, 0x0, &(0x7f00000044c0)="ab561aab77c583ce985b9783d96b5e4e3824cb3026da2efee0101d24cc3c6b58c7966f226c27699f3dc15a3304862622efda37f57e5797f736c482b334c0db1039382a78928d4708282c72dc714025c2cca6fef30b64fb050ee5845b1253799b15940b967116839e0075330da8af7ee9a5b52c5768fbf02f315471e6d7ac7780eedcf56dab90441764c1053f95a9e94feec9ea2b6820f3be40e34dcfbfe71b03378a751c0e0fd04fcda924050048f51708503500609235cc75d299eed66d2ac9583e91dd31b9cfe3af5c2489c204014b7a74549d85c8e8dbaceb6388f245c262986d6b26eadd8fcb38587b698b3c59fdf63a82c643db5aa17914bfa0", &(0x7f00000045c0)="be290174f8ce0f04911d69badae0bf37c4fa5b15fa3b1883ef707038444de4aef3a73f3383480e830ddb756243c29709eedf6974edf3be9df13637b48ed14edc03d7243bdb53fd99e2eea6025693ad0701b82ca38dd6d08cda9e31031dcc02ffa54384c4aa7d870f8b1ab9ff5c0e744cef60ad5418d5a3b9ecdf09a54a1d9b12b10ecd3bcc7bfe6ec02b568daf99a59ca92b8a9eec612f3829a08c44fd4b27611da5908b591f340e23f5ba2adb1e29e89f28f5f2514379e45462dbc30a7202bb25c19ac61489119c4a8aaea4000aac8281c3d426d8a082b7dc78f57a12a5c63562"}) fstat(r10, &(0x7f0000004740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_IPC_INFO(0x8, 0x3, &(0x7f0000004840)={{0x8, 0x0, 0xee01, 0x0, 0x4, 0x2, 0x5}, &(0x7f00000047c0)=0x4, &(0x7f0000004800)=0x5, 0x4, 0x6, 0x0, 0x8, 0xac0, 0x3, 0x401, 0x2, @raw=0x400, @raw=0x7}) r26 = getegid() shmctl$auto_SHM_INFO(0x9, 0xe, &(0x7f0000004980)={{0x7, 0xee00, 0xffffffffffffffff, 0x1, 0x972, 0x2, 0x6}, 0x7, 0x6, 0xb9, 0x8, @inferred=r7, @raw=0x5, 0x83, 0x0, &(0x7f00000048c0)="4166dd81284669cc6529e5a0ef081d370a00722e0c7700e484177e2729e55d1fe0f7564690881382a850b3b8d6195ea5d032edc998535fc787928ab4a3b1891540d246d40daa7a5fd7db2bd6c99b3f2a7e514d0069f2bfb485d9e08e67c46824c2e704ffa0431e1c20432972adef084921d4", &(0x7f0000004940)="3c673d0f3bdbe20483bd0ef8f8a2c865bb817c75a3555f98dadf18fb4d805bd339d5717defd470ce"}) msgctl$auto_MSG_INFO(0xff, 0xc, &(0x7f0000004a80)={{0x80000001, 0x0, 0x0, 0x8b, 0x4000000, 0xe206, 0x366d}, &(0x7f0000004a00)=0x5, &(0x7f0000004a40)=0x7, 0xb5, 0x5a, 0x4, 0x7fffffff, 0x2, 0x4d49, 0x0, 0x2, @inferred=r9, @inferred=r11}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000004b00)={0x0, 0x0}, &(0x7f0000004b40)=0xc) msgctl$auto_MSG_STAT(0x9, 0xb, &(0x7f0000004c00)={{0x9, 0x0, 0xffffffffffffffff, 0x0, 0x1, 0x5, 0x3}, &(0x7f0000004b80)=0x9, &(0x7f0000004bc0)=0x10, 0x93e, 0xb4, 0x7fffffffffffffff, 0x2, 0x8, 0x8, 0x77, 0x10, @raw=0xa711, @raw=0xd}) getresuid(&(0x7f0000004c80), &(0x7f0000004cc0)=0x0, &(0x7f0000004d00)) statx(0xffffffffffffffff, &(0x7f0000004d40)='./file0\x00', 0x800, 0x4, &(0x7f0000004d80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_MSG_STAT_ANY(0x9, 0xd, &(0x7f0000004f00)={{0x8, 0x0, 0xee01, 0x6, 0x1000, 0x3ff, 0x2}, &(0x7f0000004e80)=0x7, &(0x7f0000004ec0)=0x95, 0x3, 0x3, 0x6, 0x8001, 0x7f, 0x5, 0x3, 0xc, @inferred=r7, @raw=0x9}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000005040)={{0x1, 0x0, 0xee00, 0x2, 0x8, 0xfffffff8, 0x2}, 0x2, 0x6, 0xb, 0x100000001, @inferred=r11, @raw=0xc, 0x8, 0x0, &(0x7f0000004f80), &(0x7f0000004fc0)="4f525e340cd5a86e0881814810a2a91a15b1d5d14f4a79d14dde318eefbdd8e8e728d413187ede4fd069fc173d33f251936658b970959cdd1a15bcc3c26ad76b38a5be0c00532ac5254d632a2d800357de96e6f2f7841688314922a5eb1530e0b7352ca60639db7697142de2aa07c7c6a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f00000051c0)={{0x20000000, 0xffffffffffffffff, 0x0, 0x60000000, 0x5, 0xb, 0x4}, 0x7, 0x68b, 0x19, 0xfffffffffffffff8, @raw, @inferred=r9, 0xc90, 0x0, &(0x7f00000050c0)="390ceb0f410c002527eb3b46b10c24497104200a43cdd523e8a72786cf59380bde524cb59556d5b256cae07e343b52beb18b62eab07c445eefcb35dabf186ef840417c408f79b74aa6ed333f9462acfc1db146b667a8962992f20af86d7c20385025a74f9071c79844536cb7ac8f8865fed4a57d022beaf618bdcc6509c5be81037e584abb6ea9b8cf0d2e175fcbfe9bda3668d75268cb8605fec3ba1bb1e6c276a14929c3460e1693458f22612352db6a3efa4d7c7483d2", &(0x7f0000005180)="358f28870becbb"}) newfstatat$auto(0xffffffffffffffff, &(0x7f0000005240)='./file1\x00', &(0x7f0000005280)={0x4, 0x4, 0x100000001, 0xc49, 0x0, 0xee01, 0x0, 0x101, 0x8000000000000001, 0xfffffffffffffff8, 0x7, 0x0, 0x8, 0x8001, 0x5, 0x8, 0x9}, 0x6) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005340)={0x0, 0x0}, &(0x7f0000005380)=0xc) msgctl$auto(0x10000, 0x1, &(0x7f0000005440)={{0x9, 0xffffffffffffffff, 0x0, 0x1, 0x0, 0xabc2, 0x100}, &(0x7f00000053c0)=0xe, &(0x7f0000005400)=0x7, 0x8, 0xa2, 0xf3, 0x4, 0x6, 0x5, 0xd7c4, 0x80, @inferred=r9, @inferred=r7}) lstat(&(0x7f0000005b40)='./file0\x00', &(0x7f0000005b80)={0x0, 0x0, 0x0, 0x0, 0x0}) statx(0xffffffffffffff9c, &(0x7f0000005c00)='./file0\x00', 0x100, 0x100, &(0x7f0000005c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005e40)={0x0, 0x0, 0x0}, &(0x7f0000005e80)=0xc) syz_fuse_handle_req(r12, &(0x7f0000000780)="68f4b9c022245b560b419427c3c56dc4ee17cd422ac481d8d2dc27c0c24adf782096477e5b7a147733cca0eed7ced0abb03ecfa0f83e914228ec4e019a38468e2e4ee4edbda02353ee9a4c106339d7b118a30e93e6de4552288afe032af1f897ef39ce140cb1d452644133199f16653b9215c37f78f192752d031c6428d735621149de6243a0ab6fc46528b0a0e2d64e65ecd9e13409abd5e73039dd00e08805e51adf3a8599d99d69f23775044d3840234f1db089fb0987d645ec25f4ad3eeeb9604d1f2ab69fc3bf8315bf2e7b91886d2a6f5071b66fe5048b6b654412900507340dd1add27448ea31685b4e867c68c9b551df246b90d0d0fd9af8dfc647fce7c377aa364862ff0243ffd04747b945baa37d755c236092b3ac7aacf612a40326de09063212aee86e163aaafffd8adee4b515465cc919c1513dc7c9678ee6483fc3fc68b884a9cc604f362386feeb1a7efbd41d42627f06fbf6cf913acaee584da6050cd6f49ab96ede69216b0aca3499947b02f1b623245d4cc5dfb5bc7c28c4f77733c3330d49bb25ce9b47978b576c20e1c4d8b6ee1ddb2c80eb99a3536968aaf2f01ba3142d6d7139f47ad871327d9eb2fc364bb42cb60a572c71d1a13f94056c727ad80dbc0b3803d3ed007cdfbdc6f986845b239671233ebe9c973bcd8653c3732e52516409020f4bd05164909329cf8b09d57bc49fdfc9c96ee78b92bdc6e865b56195bf2987b6b4adff6196f37ffd8de510800b328ed7bf86ae6d4fb1d8e83d1c8cc93c127dfb6589d7e61ad8559c8700741988a06c4b3a03ee3e9569f795d7f1433cdb520eb451c351c23013c8b6007d147d24dd1d52fa5b0e40540f38bcf7419eb98a47901e9357a78edc701ae82fd058cd6d96969f2c6b4b82eacae112d67d062d56f0fe3b9cae85672c679497707254763535092769d38d26b9a6510d9f64fb09dcb7283de42570546b0c763ed8cf60f53db86b7563e5726f616c4bb2beae0a9e186eea24f642d70d34545784e4630d4e3ac0289c2caa22628e299b293d2730cae7fb99d4dea073e5a0ba5f34f77dd928389543e00f2b595649ab73645425e273e4b6d754cd17a627aee1da767160bfe86b0416adaa61ebee1bf7409f284485d43f8f484d053a1736da79212859f48b71cec77ee23f771adced4fe526495975bd04ba08c799c07f57084abbd6ba4281140dd8ec0693180a4daaf48b72ed48df137f68dded9a411454faf88dad181aa2306c36c13c15a5fcaab5bb79201b417f403c83d0419e29f62a66a0e0276f9f96c87f94b7c8a32b94cea7ef64fc4ff41b21d6846c2dad67bfa8a4b57a6e5001e40205d386ba77ae13c9a112128315cd6a1a641b228de06eb0a709f5e74da475d22ffc6533c9d9b2be00d22bcc8b4718705609608ec3e4c43579cfae0b6002f3154da6147b856d82f3dc4d4bac4f509b910796aace375ae79c8bd3e75d709aa0d90e29ef0e03c69fb8e5bcb34e4cf14a6e7cf4a408e99aabddcaabe1f0c72383671b4563cd06ea9c75e5bc2e3c9556ac45f07bd0d6c9b391dbaa70171e71301fd5395de383d135814c1214ce33208c1bd8403e948fa0b39379a14029f11958fec9eb460e3f9c7349af6306d2e0cac9a4e4de43e93127c6ec8b17820a5700218f5b08e0a8ce0a448d688c945d36b719b2dc711a8d48098bf4edc5e26fa5647a647240fff4d76688bca713b8dd7172afefba6e4a95f11a111e3cf039bbfa41536d9ad7b0fbbb4ff82cf19a72eb07bdcaaba2291ffaa0d0775f1aeb6866c23cfd9c8ea68c1387f89772eaef2020bcaac5fefdf104ce5160aaddd65fe9c489851fb090cebf0220321dcc57fdf71e9a1c1ea53ff17d131304469eaded3a143833afff98a93c1c413494bc0d6cf3470b2eee534d4f17de37aca75d82169f1b63341230d47e85beb0e6f50ce72556e37b73961292b9f0343851e9dca9fbf4ee45a5814b04444454413a019f82949881c81a5dddd2097a8e5c45d68b808adc27fa3abe5516b2a5c1cc719ee0c979666831a15a964d5fc2e87068cbc4e470d64f34f0fa9ac7e94a0693dc21964297b96de293ad5a77f2a8dce271a89d10a10b458a8a8c521f27a50cd206bf0ec9f2abb3dc1682d3add75b813c5979ef56583b5212775d617322bdd7c344fb0c2dc1dbcc63123119bd652af941355f561b8fa49b8e0caba90002c48b88c80ebea67771fb479f5289caf5eae18f01a0cd7460f3de6c3f92f1d43b56b0ddedb7059e7f18069f804b2056a20acbdf25f8ca36dc1affa80e2203a0f3639263a42e9b3ad0614c6bb3cfa4376b2854f60bcd9297bb0cb45416136f21bca9fe38fef0a1c265ae423b36eff0c7f9e84d3edce5df6a2e768949ec9dc4f9186c489546e24c713db919bd51e6044592837c8b7f037a8b3a9084d961c02fd0aa4245baa5e917d7f93f096fc00cd3da057edaa7476f9a3883c1ab863a917746bd00e87855bb58001674ec10542e70306310d73399f34a254cfd03b4fda6dedc8d7f2a8c81e6e17beab6710a2c2a39d38daf05e04e38e9d10f308131de76a359bd59015fc9f10769d36c160d3efb66174a97b6a599e74baedf336c3d9b0ced617bf0a530882d9168e64bfb9c36ea351af436f780544cd1f006e5db439d1cd9c6e2b591c37698e3b956fdd6a96d0c1ff5a5c2b4f20e8204fa2394ebd18b636072f76d498713d7258f8fdaa7d173bb52619ecfbd037e9d9e8efd79e776ea36889904152981d398f34b5e7582b7373feb1310f6a3f43da3656211581c4dcf82bb82cb513462808cea9fe21d0cf8707453e9c1de7a96a3829212cbe885aff10c11171f5abf14a8e6f22fd0048ac5e4186380c14c5c2d4fe13be2dd3e6f26cfa94522d625dc49d179bcc48cb42ea40e94f33d9e76ef925746cb525139ea6205c6f1221d9342e202e57b818a7d1214de38ee9502993b73086602a97519f6a099901b8dbd576abd64a8b13d5a930f82c06fb9c5bcfc2dffa97783eaa3385e72f9985d57d7ccf93b7c607992cbd249ed74b6da3ff1dcf6c723ccb3725ef18be354160d21b9314a7d01cc297c6b1fdc8a24142e555dd8fd4a28e04c85836e46e66364908eb84facaabb833b1da7031967c10b8c2aa3cff44f7a9dcfd0665d1e90d93be0df77a25a4823d8dd35c35dc4cf1c73ba26ab20473f301223a6ac9672220be0950f92bf1679874544f8c10e23bc9ee1d40a006c989bf9885020a65a4e7663a8117bec09e2a2109c52789bf7fbc00cd3efd7a652b15c4c4c05f654118e90643e649d7fe431957b6f1dc5925ba9ab6fd8a1f6a0f83a8a519c1dfe4236034ca5567eac95ea12912e6067181d61294bcf09c17f9d948a03b0afcdfd3a5d470d289e4b4744e688aee68bf26da015438a9c336bea06ddad4874653289c34c032764180f9798f33cc0b82b3687df74fecadeba2e58b970d6e4654d7b09b0d85c78961276a94503098577ba4932d17e0a7dd1987e85c4afcf01f68d7442038246b6849bd16fe035936be75e5626cd3d068b9df93085a12b9569cb27d301caaf2f4f337ce6b194f4a85a1755a2b3805367e5de5e4134df4fc3941625d44171a9840ef2267ad81f2aee6c34ecd3ae96281285b54fbc217290fe1f4675fe64d1b844cb43c755ba29dab531e837ece7146009fe04b727257bfa7ad4180e82e9ad170a9ab781efc150600ce37043ccee03ccfbe76509d63ff8f21862736a4345578c87f8f4142c97a47add5c7d6d7359b2690155a11cdbe9be3479e0f4b2dd44a68a7848518d55897e49bfaf2eefe6bc06d560e25f52ad1231d4664427bad4aba0d615985afa47ebaf242d3b8c168ad59cc05a1ce750d732a67203b3fcfaa4ed6b2ff004152eef5652beea4c6270203f154c70bb6c5fdac24bd7fcb6389bd1b51759205ba1aa1beab6eca99736f4a43f21a639536461d2438a913ed03b63db2621c63acb496eecf9838bfa7f1852437b458b1046197e511ea81479690904bc3a0bb4b9ecc0962e33c4cdd921f824abc2c19588613efdee01db701ae5440cdd987d868314df9ac7bae59274021a5d0643f8d1d3a97b8c8bf02ee9fc056cc164724851435f907685c349db9429fec6e2df3c534d94cce4ecd2ea55d72aa88264c86a40fa669306b95bcdefcaf54f117770a04f35e721f284f681b9d3114c4bed29f209220638defe43fc436695a58ed3f20dc921e4a21c79e5803927deeb5a14c532e3cd83ba32981c192e20e93eef674402afba8d378119f634ff065fb294f9e38c1974d4d37cf673b58797b5e26e22b0291623ff15d002d55a8dd00fe4b1fd54177d1fd065da0b17479316b58a8495aca42c440b63c8f4b1a9538df10c8c9546fd8c4195e1eaed31543b8061c8602a8977123f56e5f11cd05f5a36a448cc257571f0e5bbde25ae82f583cb313ae7bf5dece56b617321cfa60aa9278a28ee9f78ec7ddfc5d0f665ab1a1d5531f2406ffa9b5ad6f9ae4c98f85447fbdb9efc2ab398801e905c229e16ad9f87bf61956a7829733fff1dbb2c355548c4e303d1fb2587abeaed6911b3d5578d9d4355193af1f6eef1870f0f1df73615a5d9ffe9d42b7f94c215f9ceb41d605e95a54b5fb3c62f34396f9f951c5650920f159c1c330ecf7bf70b1b8d0a973ff4af344e9950ffb9edfcd326818e28471cccbf70b71ac2863eaf7ef95dbcb2f988c85c266f869914719906213c0db18a4a4712b02f7201dc95305a3a531f466f949fef612cccaa936d47aef4bbad390850f2b8fd991542e3986de10000dbd2bc09f16c99ed0b461cab444a1db069381434540795150de12427b1b5d0601a523204283fdd6b69e403fdc3f94421140dbf94865f35af7a7bae5547978fdd805cc52d68f4ff49beec4920e25d8e4a237a86c785cccc3f2ee7ffac881e99e57612c8c94bde400915f3f75b546579f401e2be54930904b98c8242394d81fe94d267d3ca3ea3a0e1c9107ecc298efae6a19e7337883e27af271e06299acc7559f0ea461b875e27138cd35e046319fe9f838c511305fc803cc24309dbf335b225c58b6caeb2724e44a9278ca823519a72433ceb2166b4b73a35b97de2f55438b95826e0ab348501187375b0962367db5349534676f352835a1059c307421b2beb2e63c0a006d5271f493e59069882b103d536608d18d61e974222c43b7ca92529c8b0cc2ae9df8c2bc2b20d6833147ec411c4a5bff534cc72b267714592a4e43252684940f54ebf5f39f28deeab2c89abaddfb6fcd2b1c025bf30dc2edbc0823ccd19fe52f9c0b38c9c1acd6b0efc3f688b80bbef5473cddf820270d721245cdfa01bff1485864974b428dd1933fbce968d27aecea5dda0ca9561919d5d85b098fc4f3efbf7ead3912851924628b888a28e46320afe8a302239147f48f2cc2ab274db1aee565b15ba2db832fa630344d01cfba11287b25c226f28bc4ebe1d204e90a39a81c6b2136b0164edb65194ea5510a9b9efc0d0a2352642f0a8a23ef4e6eb8948f5ab42ebd45ac946bfdb689cba13767f8d5f778c42e2d07d088491e06db5cfbe29ea3f45a43157945d419de632db52fa133d990efe2c9e473ec36d689d0b815845af5761981d46d5b9f3865f916b5bb93cf8f2e8d4a11c8afacfac2c647e6ae9a8696c9ecb6bdbdb2179f971eb75e14d52598ed6c16ec1427e21df5c5abbbd85e42f32df37c485ff33d0654571ec60af8674ba35c3ef627d24b1c2d84ff2525416c2a4265fb6de8173faeccfd3138316c4c7c329017928fe1b64c29dfeb4570f7de93f944615316fd3ae6cc12b94332fadf75b15a13d6ff27f7c61981737efc6dfb528942532eef5e5dcb803c1ed04da23bfee623a89088d8783c7edda3f56c5404ee7e42f09854753c1a0dd78723c9c4ef12c7ead1863a53af48d8d61457f2432ffaebb356a6e78a1591f0424aaa1f025dda17a7b5eae3989b27a573f59bbfe2f993fb18273dc356aa59ec1b2f151f84b9733b271f1e04d17d41e728ef52cfbc0111f123213fb22237d81b0029bdff7017f8703e1ee301758ca9e22399c420b3631e5b998737c2a75939fa46d1e617d7b19fba4919e35ca92d8b59798da36a0a5d4341a6eb57d5129513a6e862ea94f27c783c9e68f930d5d337c289ded11d510847a50c61c47940c17a32b287f704664f1b61e1648850891f80a4b61479348b43440d0c9c91b89257a4af7253ee5be6bbd56f22986c38b536b8d5000102cffd10d93808b8b1c4eb53f0c697c217161c4cb7e091d4388ce3a20eb5351538c2af3a906e6ac664a5d083e395eaa5de791ace45bd02b5e26bd36be796e95c74422b7d8f00c7bdf4b648a1e9ccf68e912abbfff3c74d8c56385d7a89a84ad3c3946a38e82080c3b38a0298070d8850475b95b379d62f5029103a7b45def66d25a08e241c42c3438828e59f5b1d1fd8c975649d03fe3e536babaede3fc3cafef77a72cd27b94c1d774efbe19374702f393729898bd09bc8a407720d67e9fedf01852b893664e35c26bb48656a5689e7e3a632e9e5a3bbe875ec6b5eb73fee6e605547596d0ede39c48b9d9f63d7b38c1f619bc6f6903c02c47403ae8539aea7893fb8110e4b5a9070836853f3a61648327f0c6953794fab38937b278dc0a1ed331ef4a0360c41f4fb35b7ca6e117e785833a224fbea8241c59c9d96ad650959a23c747d47881021a530c9aeec13b5b99a268e2a63a2b96846cd3e8520c770fbeaf52f9a6e36b7d5e0db746788613f6ead88738d00c30206fe07295b70ed21e0528a7b909f3d2cc647b335dc7b9829907c380e583bb408ae2710b40d44df12ab98ac6f08882c257c26b25608ba5af2e00e7c33e6084ec86a2258cc3dc8bc63c2eef5483b8aaef1cb7ad63f4a286803acce81ad14097473c65d9c37f2578de04e18a71951458f2ae3ab1d45a548fe11d4764806e713b628c1967da918e8ed6556e619beef08ad8b93d7d70917457d9c894c7bbc304daca443d14656a0268d74e7658377441e5fdb14148964f56a3058a8e1a95e10022770da557445387f2425e7bcd386e621f88713fa57f442462fc8f7a588f849ec7a108c6a5a777283fc24c879874767526c5b6b2d22212f4bb8898811f731e78b001ae052c47d832cbd8678314cc313fb6b9966bcde9b1ce15b92f0597d58b15d91e31f221b2f1d6354e49de2a7a58d58f361fd647fc29dca3b5da3c6449c52cfc5b87bb4843cefb1052eb68478b51c1689128be434f0d34b511cbb1e84b8b211a9ff1aeba55185291ed5395d4ca5b966dcb7fbff432b931f6766a9b37d341d5f83d2969f49fb857913fd094ee9153e905fd3a000825f4c9d591cae9e1fa33abf94663fab49e460f1344cae1e6804f2a53108cb0f29bbc0f6a075688d987d6cf7ca3851008fd82c35589ec90e3902cb1ed0513555e303b91022a0454948aa7d866dfb4b97fdf6798be4c742276d99f685370a910fc2be7b289a44573785e09ad0a207940ea859befffd95cc97069777e3dd0506261a8edb94ab25deabd371bf0e8dbd5f035a753871faa5352cddfa90496dc3985ffbca1b31290e7eb460c20920126bb8ca9304e3553b3748a8f5df0a8977ab994728fbb540e073cc3f0805b5df288000831d8061c06d416f458a2547ff4e6036de1181cd1d42af41615ba4e16d6f7aef1cb34060722212ff561275bc4974f00948f542a5e06bf40b8572df1d8d68ba0608dcb027f8f11c0b93e65b2de9a16fe115ea940cd904e11b2fbb7c0e6729076657372c134ee6fe8e0fa6f9c2ec12bde36e4625212a472d1501051016814791e7a2fefbfca68589865f0837a32b1201c32291054bf7187e03cde3add7a3398aebe76672e4f8ad81a9eabec9fefabbb62c1d73adc3ef58a68775f516a99f54a75a7a7b530dffca82d2b222c993b785a1a7b6f7accb584ae25abe1517d70a69fa2df2c77e4e0755e187f60bc824658b8d88dafbc240abeec3493fdadd6a1a94680e5db4bc1862c758a519021c0121789f4cdf1e2a71cd536daaec9e4b72e9e25d9251fd3ee511f1e081f906d90dd4df5cef6edf411aabcfd5d933e2653581f1f0a49d85d503ab0f1288743a8ef5969fe4ae3af9affb7905ac3a904ca86cd7e8cc5b96677fbd2bbe3e3e67d564e2db1f14f6a982da3b7ab590a1fb43c44956ceb95d2d59db9e3517506c0e1643a07664f7a279f23b9945c32427960242e7478141ad1d1701f68033b69c7bd2d64318bbf48a05a32779956e161f42682bc1c9330cb6abf5afd31c8e11a4b078b03579e099fd3d8e347330a01fdc2b5ca05001a2d139a5bd7128a02f9d19b8581bad0e14faf9f0a132a6d85bbd291de696a8c67d2f8c3134aac24e41bb5a4fd742c1371f9a8e18ec9050b398a604888ab12a8edec792974456ac6c62989a78d72e84e0bd7aad9e1c08601e2070a4f2bb1009104088278263c2a645d3187edf12fcfebd3d8b37dd893b25e41edb518089e06e1e26a077bbcb6b7068ca74e1c4b59497ab481faa7d18349d0fdaff9f8a0cb6c242560e31a9f9e34c6d8da4e6b471000dce46d80252700fbbfa3922d5deed33d109206af07f3a2a348a61cec80df1302c98b7625797a113eb0b714ee647f7d13d6c10225bc121b6666083fc15b63c2b07e487167b0cd116ca2a399322b9c08f418d1bd83cfc397adaf8ba267ed4630fcb62037603caaaf968312e335afd663fced69900e25073963b5459f597d7e7e581647c994d0fdef88a1ae4c9214f6680e215ee6a15097bea901b467b5827522e68b020768e8a340faee75ecd46af90ae38eedadb6d751c5a1fc5ffb866a0cadf85949dd9631344a46e95091c5859ac7d0783153be8fc89a1adfd4cc3f453ac8b11d6bd637f95e63d28c3c665517000288e7a08ea71a7ac0d569ee05cf8a6631a9ba1af456d00fb049f1c3366e8d929b6820fbefb65883773bacb1cb1a7105dd2ca60edde95fa2f35a34a369c5f04b65e08156502f8cf176e4f9939afb6bbacdabc5c8116dbde9b6d212bf125f7697a8571d69de443d4d86f4be17a959148fd6105a674ce523f37c2c09e1ce1cc71274a475ca3b0931adca1899bf7baaf2dc3a9488adb13068577ed2ba96a7937fff3a9aeb461234532afb215083c89799a0fac0ad2afeba7a33def1b302b12a6a4d7a2201b915a2c3bfb5cbfce746885aecb3dbc4de9c4dc1ea7c3326b7318c65d3763a5f2b42a0a97be06e2a040636c2fac7db4272d9354d59cda5546a3415c8f04c709e0ae4ffac3ec82999b5c50ee28ae85193be4a6888db01c1b770f854fa3b66c2adc29c6c7c0d3a15a7224b235fbc61863bf9af6d8eeb35d67d9966e3220f0bbf0e101558a61559f9e6dbf286114a94e0950350f7010f3a46e1a98c939b3727f1d125ab2c0c5c1d7cabec0d7ea68697843c8ae9036c3d48469850440748e7cce6a2601654d8c597c5d226cd4ffbda153e2fecf0b58343eb7acfaeaee02970f011568ad26e4383bee5daf95802f742b0b8e35dadc20164979dc4eab6f333a29412916baecd7d11e18d7d566a9f709a4931433919514c735639dedf1df65ebde8a14555ecc254fa4e3179c611af0ae32c8c8129c0139e9904821c76971b2d2b08e839281429cc0b02cf5abc1fb78aead7d772a672cda2ec38b69f858a3007ed6d773e417521b94e7cfd21b3f76361a833bf0c8a58cda1c753236538e7d1be278cdab78fb73f36280615aa49d8ab1deac1292be4480fb609e7e6364c300a8613d37c8024aa6a72c1e4a334e77817f9cde0e10cc57b7c3bbca50f40e15b9a1042efb7802c404186e479f5f7636ab50d261473f5804a75f6cb1fcb693cecbe9a61bb9695801c7ca6f927e40e6aa91a9af71cb5d967f79057f955d0a4ed58ce999f9acd21c1a1ea10885956b46e44ca830ab2ee7add50d2c1fa3dea6f4c7331b1e53fbefc7e424aff178ceff95a8910d39952704ef7855419d3cc08c7205990af447e18d3945d133e99ba5506e50e31bb28ebb51337e38e5dabfdb6d20be68a04050dd9918748368d58b8349ee60de41dbbc83255db8e360c3581a3b5523f5c36d7e293eb4e2b014982367e286c6faacc8503cf4d91c4049804ce5a7fde5fa19c6a5b5f330fe3f44d7f33809bfc5b13956f64663acb8c324673829c132d3c73525f8f8ea3a832f88975d14c318c05bb5672c82bb02f9acf2dbcbaf68e5e478dc519e522840bd8f08b50c506a75bc2fd092e415199e5771d8ce03f088e9bfd4551c2e8eedb859303ed757601bdb16bff543123d7570ac50d2858cff2a7f9758cb24ff0554f9131299758c010113d9b6f0bc7246fabec33c58dea925b9ea73ab381c4aaa8fb2165c9d7d8b8a701202250d360fc617580565e78d5367e3fbcd841d4503a7c20c20560a03e397b0d3cab57254d365112aad995a9e3919614bcdc6ca2055d0d87429ee3305a67fa69c6024a3f636464bcab62c99a4d0453f5bf879cd5d46e3cf761bb91109bd328169f95e98b7442cd05a5dd86e18536d205262c620002e7a3a8afed4681c271a34f0b909d1c861f9c18fc76d3bfdd993785185dc3e2e34d7fba686ed0f733d16540670a657786421007cc1a8ff97236fb53d8664911dcaac2754350eade708374ef06b2f61232a3f5b45701cfc09284b6e3184c7c4143e9a304984c4bf1a14ec75511af82b2c6c3e6d5990728f4b724294dfefc35d1c75db9efc769dabfb5cfa0c548c2d5aa9e798410f2b2bdc32da95c945aeebbf06e2d1e22176b66e7d22bebed83875b4c863eb55a7194c75bde29a8c7816e5c3c650c32cf54f5d9ac35d38bf19ecdb005f476ab050d96b7b7fc622f1ac357b28fbd7c38f81abfa06355a30b3803f042c4c08a8274daf0183c0e52a634fd299aee994dd3554edb6adf99bad5b9130b491ec9353c7f36e5fa7c026627f68f67c775fe190aeb43febf56f55bc1a4f5c22948e5b29a117f6d06d4c68e51449f08a6d0d2e67520ebc0670e2df3d2f7aeebfbb87643e58d0176965d600d97a22c7a0556a2c0479de64f8b4492dfb542e8d3a3ef096f99d39e677a07ac97dc259d9f759b98e947f1ae8a9278b9bdcb8510fb06641218f79f67e4f5baffbe5d3cc38e1498938c5509a3f69f32392f660e005943ed14458529e82593bfb6c4d3e463103aab3cdc8d468c9a2c201bee3ae663f0792460d4b71e031a83c33f9172332b514f74b09c72cd6ad76e906fa4644f3c142b128c1ff2b84e79377599d4e2c71145c492ff3dab44793b905675895fe3df544fe725ea5f7d2fe3854d7030ce91957fad4f7bd7bd7f1d1a1654e3fcd0edf9daa72bd962d6b64d0d990d5a4850802b9297feb622aafccc107ea2a8eea4f0da89941b12a0ec1bfd72a2ed44fff9f82411ecfe9f19eb957b48f859ce045da233c9968b763ed94413ba0f68ddca65cea0abb6873c892902416f5eadd911d8442f0316fbdea9f1140b3e8305afb510a3ec590ce20fd58d3bf051c2663e74ae64eeb9a1463c8841ac0b72b732b7ef127f5a7d9a87d6b8491e753317350d7d1ae593e6c2006f23b2274db58ee344453c38e299c141821ac47e88ddd93893df56baf501fcedee34ac657f279a9c39cc38", 0x2000, &(0x7f0000006000)={&(0x7f0000002780)={0x50, 0x0, 0xf48, {0x7, 0x2d, 0xfffffff7, 0x10820000, 0x9, 0xa42, 0x7e, 0x1, 0x0, 0x0, 0x2}}, &(0x7f0000002800)={0x18, 0x0, 0x200, {0x5}}, &(0x7f0000002840)={0x18, 0x0, 0x3ff, {0x1}}, &(0x7f0000002880)={0x18, 0xffffffffffffffda, 0x7, {0xc6a}}, &(0x7f00000028c0)={0x18, 0x0, 0x3}, &(0x7f0000002980)={0x28, 0x0, 0xfffffffffffffff8, {{0x1ff, 0x6, 0x2, r13}}}, &(0x7f00000029c0)={0x60, 0x0, 0xf, {{0x0, 0x4, 0xb0e, 0x1, 0x6, 0x7, 0x40b4, 0x2594}}}, &(0x7f0000002a40)={0x18, 0x0, 0x75aeeeb5, {0xc}}, &(0x7f0000002a80)={0x11, 0x0, 0xc0000000000, {'\x00'}}, &(0x7f0000002ac0)={0x20, 0x0, 0x4, {0x0, 0x5}}, &(0x7f0000002e40)={0x78, 0x0, 0x6, {0x8, 0x8, 0x0, {0x0, 0xa2, 0x101, 0x279, 0x6, 0x4, 0x6, 0x6, 0x580, 0x8000, 0x8, r14, r15, 0x2, 0x2}}}, &(0x7f0000003040)={0x90, 0x0, 0x4, {0x4, 0x3, 0x1, 0x9, 0x0, 0x0, {0x6, 0xf84, 0xffff, 0x9, 0x6, 0x7, 0x4f, 0x8e, 0x8, 0xa000, 0x401, r17, r18, 0x0, 0x3674}}}, &(0x7f0000003100)={0x88, 0xffffffffffffffda, 0x7fffffffffffffff, [{0x3, 0x7, 0x1, 0x4, '\x00'}, {0x1, 0x5, 0x1, 0xfffffffc, '\x00'}, {0x6, 0x5, 0x0, 0x98}, {0x0, 0x8, 0x1, 0x1000, '['}]}, &(0x7f00000054c0)={0x648, 0x0, 0x1, [{{0x0, 0x3, 0x9, 0x5, 0xa, 0x2, {0x1, 0x9, 0x1, 0x7fff, 0x4, 0x1, 0x6, 0x7, 0x3, 0xc000, 0x3, r19, r20, 0x71a5, 0x5}}, {0x3, 0x911, 0x9, 0x7, '(--]!}}.:'}}, {{0x5, 0x1, 0x2, 0xffffffffffffffff, 0x8, 0x1, {0x5, 0x10, 0xf91, 0x7, 0x0, 0x7, 0x4, 0x4a, 0x6, 0x6000, 0x9, r21, r22, 0x6, 0x5}}, {0x0, 0x2, 0x0, 0x401}}, {{0x0, 0x3, 0x0, 0x401, 0x4, 0x3ff, {0x1, 0x1, 0xbc, 0x7, 0x8, 0x7, 0xffff, 0x6, 0x7f, 0x8000, 0x1, 0xee01, r23, 0x233d, 0x4}}, {0x3, 0x6, 0x5, 0x7, 'syz0\x00'}}, {{0x2, 0x2, 0x7, 0x80, 0x4, 0xdb, {0x3, 0x3, 0x7fff, 0x9, 0x0, 0xa8, 0x1000, 0x1f3, 0xfff0, 0x6000, 0x4, r24, r26, 0xccb2, 0x9}}, {0x6, 0x2, 0x6, 0x7, '\x01\x01\x01\x01\x01\x01'}}, {{0x4, 0x1, 0x100000000, 0x5, 0x0, 0x6, {0x1, 0x401, 0x1, 0x2, 0xf, 0x5, 0x100, 0x3, 0x0, 0x2000, 0x0, r27, r28, 0x7, 0x8}}, {0x4, 0x3, 0x6, 0xffff, '\x01\x01\x01\x01\x01\x01'}}, {{0x6, 0x2, 0x6, 0x9, 0x2, 0x2, {0x1, 0xb51, 0x7fffffff, 0x5, 0x8b89, 0x2800, 0x800, 0x6, 0x4, 0x8000, 0x3, r29, r30, 0x80, 0x3}}, {0x0, 0x6, 0x0, 0xef}}, {{0x2, 0x1, 0x5, 0xfff, 0x582, 0x15, {0x2, 0xbb, 0x7, 0x52a, 0x1, 0x5, 0x98, 0x5, 0x3, 0x5000, 0x6, r31, r32, 0x6, 0xffff}}, {0x6, 0x3ff, 0x2, 0x8, '*&'}}, {{0x2, 0x2, 0x3ff, 0x3, 0x2, 0xfffffff8, {0x3, 0x8a, 0x5, 0x8, 0x1, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xc000, 0x8000, r33, r34, 0x5c5, 0x8d0d}}, {0x6, 0xd, 0x6, 0xffffffff, 'wlan1\x00'}}, {{0x6, 0x1, 0x5, 0xee, 0x8, 0x4, {0x1, 0x200, 0x80000000, 0xb81c, 0x7ff, 0x400, 0x122, 0x400, 0x689f, 0xa000, 0xfffffffc, r35, r36, 0x1000, 0x1}}, {0x4, 0x9, 0x6, 0xfffffffa, 'wlan1\x00'}}, {{0x1, 0x1, 0x6, 0x0, 0xf, 0x80000001, {0x0, 0xb8f, 0x57c, 0x8, 0x600, 0x4c44, 0xc833, 0x5, 0x3, 0xa000, 0xfffffff9, r37, r38, 0x6, 0x2}}, {0x3, 0x4, 0x6, 0x3, ':-)@\\['}}]}, &(0x7f0000005d40)={0xa0, 0x0, 0x1, {{0x2, 0x3, 0x100000000, 0x8, 0x5, 0x9, {0x2, 0x7fffffffffffffff, 0x2, 0x7f, 0x7ff, 0x4, 0x0, 0x2, 0x1, 0x2000, 0x7ff, r39, r40, 0x4, 0x8}}, {0x0, 0xd}}}, &(0x7f0000005e00)={0x20, 0x0, 0x10000, {0x9, 0x0, 0x1, 0xfffffffd}}, &(0x7f0000005ec0)={0x130, 0xfffffffffffffffe, 0x1000, {0x6, 0x3, 0x0, '\x00', {0x1, 0xc6d, 0xfffffffffffffffc, 0x8000, 0x0, r41, 0x1000, '\x00', 0x0, 0x7, 0x3, 0x4, {0xa, 0x7}, {0x1, 0x905a}, {0x8, 0x81}, {0x8, 0x2}, 0x10001, 0x7ff, 0x1, 0xffffffff}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f00000060c0), r12) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x50db, &(0x7f0000006100)={0x0, 0x45f9, 0x1000, 0x0, 0xd3, 0x0, r12}, &(0x7f0000006180)=0x0, &(0x7f00000061c0)) r43 = syz_io_uring_complete(r42) r44 = syz_io_uring_setup(0x539f, &(0x7f0000006200)={0x0, 0x25a5, 0x0, 0x2, 0x2b0, 0x0, r43}, &(0x7f0000006280), &(0x7f00000062c0)=0x0) r46 = io_uring_register$IORING_REGISTER_PERSONALITY(r44, 0x9, 0x0, 0x0) syz_io_uring_submit(r42, r45, &(0x7f0000006380)=@IORING_OP_SYMLINKAT={0x26, 0x0, 0x0, r43, &(0x7f0000006300)='./file0\x00', &(0x7f0000006340)='./file0\x00', 0x0, 0x0, 0x0, {0x0, r46}}) syz_kfuzztest_run(&(0x7f00000063c0)='SEG6\x00', &(0x7f0000006400)="8fc7c6d56396ba64559a2bfe12e1779d161166213ee3df8a88660735dadbfa0ee93d2bbf113a5d2f840414bb6a835c8b4664c16258d80aca5d75c4b0f7b9f481b32b056b2500cd38d5f745b2ca6f423c76ecb54c20df71f37e74a7c331e0867f", 0x60, &(0x7f0000006480)="26f86b73ccfe1577a8270fee84cb897698118d2edf06c754c8202386c681cc227fba179b5b9f4aa7b4574a9b1faa900d6db4338134c1988fa60dff908f1ed3f1d861e66fd378f4b75be0769db4b8875930df50ca44c3dde09f6112e7244a77991c9a813f74c0a8fb0a759dd430a1e46be99ade077227a164f6b567c0cbd3b2456c859d3295f82785295b18801aa57559a9190e85ac6205b4a0eec96417782d9a7e0afa0e3d274c00cfa118008b09a9f246051a7f0b9bce54acf1306b6463b474316fa9e8ed41cd670d09818621ed25ed037dfc6e1c5b4f196937b251d422ac00c3012556c45a9e1ee642f5cd2c2965178e24fb30c312a85f9db81cb084141203a2e5ecf64e03f1215f23ef654dd5e96b9001a8019db4e1361d0d275e4faedb83a4c6421575e98f8d7f68718a694f37796f04343f5774d6b76f3d503de622877febe827ae51a2b04b54714e4a512408a48f20e54831fa366670962cc5a6312a69baa14f4451b8abd6113fdbfec90a327b13300bc5743f171d4df0353063c8213905b5ea8e1239f6e4e5d45f8f2f7ee5209560532a091fcc584f0924ae02d756cec52f040e749a6277fbef1f9aca8df92ba05b02a0c1bcaf84b8d7b5d873815804b3c945bb81e759d3ce76cfd69432ee9c20ee168940f3ee98d1ae88247b3907a555751588528c6fbce8fd6ff9f446b331621be104fbc250882406a28594f3fec9ad498950cbef10ba41155632c1ea3551e6816f755c5538cbfd5931d9a37894faa6ed302d06b26f4cb97a986dc21111335bae909f8b399a874774ea24b66fba5d7a3d3d09369c26a026b279c62a9c6fa85f5ddca523f966e22cdaf18663a0c02f9cfa94b2474672de8e7f85b09130a8c37a47d02e4a180d73f635c5a180952db2362acb6665bee7cb74988c54daf3d58fed39371f50abc89cf1e564efae0370be817bd027a2fdd62839c6a7d9678a3087ae16fa48d1517a01d90ed743e5412615c5229b776169b8b9f956ace67a58ec419f91d1b8e3224c4f8836379aa947785a21bd20ab82677817f3ea2ea2caf193b1bf63fbc2eb574010abb261867121e1313b5d2a1e2c48c2202a3c072e8f3ee545cfc8c994ec9a44bcab7180ba95755e67c1906a5db72abc46d57ee053c6c8659878a25c4c8855cbd8836ccb6d8f6f12d434810555f9295880ca3d42164d1c864982756d001cdffcc3594362fddb3da0118d4b532aa9141ac6051b3f3e5b4c0b503045fb3166297c90ecb5ded55f6db34d89bd5d4518daa68ddb68c02ff1b80f9cb66a6a23db3b765608c4d672766273c17715e788c200f71c0e402fb513b6a8ffde67c40122d86347be658c4d0b91f4ea29fd5a4c017c288c41b40ca04e17bd3945d0e80fb7798706aa2e870fae9b91f1f7891fe4f1da063124e8c567198f670dbb75e82aca4fc0c8211899317920c058e1c371705d4dcf3c00cb4d2c136a4d828d3efeebdbdbcc7bf7df157bb0e743980f14844a7b466d12337a4815ed84117f56d719ab50a6c28ef55da35c8cce6eba0e8d2bafd9f812b4d5f265c0b442a075ef168500174ab27c876dc2d6094ce534920bc639f02c993dd8b07524e8118e8793fdc1b080e1e0181f36f4e2b7f047b23e607301e3d675360a8423a1e670a00ffb1a5ce87fb262ed01c58d779fab1589d9f374a0c001dc9c09828b000fe50ad21e53ba0a8129e223f7ffc79355d4e544fa731a0b4795b7f1c644161d7db3546f32f92ca5650eef1fc206568d367bcaf46411374dce9e44fb9e36836203842a7f2a2ea96f90ba76f81688d7746b8a4de9888b9d8a27a177f98ec9f100bcaaa76e6edc0c42c2d84fa84ad70e326e397f13a428b660559495c6d2a4c68fd49c29e229e0cd676cc895f6496a15f15c65de333d77839b13c9beb57823006d4d1f7f2d1e095016061a08be673779d7e29574dcd21934b248da6adcb98e9c5114ef92b4fd5b9fb3d334e945af586b0b9a47785017fe5a78da3d28b6960089bbab1c89bf549badfb57afaff8a3d6f1b310f945d590016f5612d7332c2a43dcda9326f498fe47f4907fbdc436df6c7f663daff7971d717e641f9cefe83f373e23e06125168af6a58134c425a3a7a519758a3100de2c8f3e447f0b9bcb87833647454518805ecf34128944f44cc075a9f9c47645a29412b66c7087d78539463deb2a138a2c504d8dbf638be8355e1a17fc92b094d16bc9280dbfea65905d56785d4a2b73c5e38c386dd9dd9a40f559b3742b658d216b49c5bf4173fab9de0ed22f81c3739aa925a14dead392e0ce12557a8e0d7861f1907aad63d6560889b4638c422f17021ad105108e155562bbce0a4c395787a1c881a61bf941461dc0f76d5890acc7cf2730a9ab1e9ccb1d133a5c158a19d7974d7f4a86f46a6485eb0896a6f6b06e35eb160187a0c453ba99ed1ae627785a87a3c581e4bd19fb9de755916877cc378b94df22fe4600b40f1e341af51427136377fdf88958aafb3028ca4600e62b40fcf88878bef7e1f89d9114fad5f25bcef274d370f51466e1fecf4b75b8dfcf4863f64f1d389553abce8500da93bf1058849f6b58d5541a7daf7a753895b0e71fc7ca986e8d1cae092897b3e3aed9141fd8d61bda060b1dd8397678bbb7f855e4b84f15b95579b86c1142b5823db9ceacfb2646b0c8ef61cc21a9bf121124367ce73dfdd23d85b37fa0e098e7d1c6c242bc2ad0315ba423db2806825ddee8623ab18196e913e48f379088d6e9cabe6fe00446aaccbc74dd52444114a7a9350946f6a19d9651a1fc29cbbd64e0783b6b8d414e20c84a610aa00d49363e2fd5b92c57e343785518a65faaf652612baff01c4e89ef57fc3b6eb64b0fa8efc5119de768ff25f9503807a29e06197d56f92b01d0fd68de8a952a0e23e16def8efbe7f3cc396963efb2d99cc16b4eb2b368d76666d574b33cd5843bea05c323baf4e427e27a45ec8d9a7abe245493eac3c6b1c54b5609ddee99b77991abcefb29f3f1957ea70a2e634b006a99ae1f72802d3df879ca068129dd503ea55780a1ad5043fbfd48b3061353d7972b3cc1bca5c1b907e8b0660a9128ea44dcf758f531fd3a872649633e0a383f63d082baf688447684a5fa46552b86de49159e5a056b8d3109892ae7f8b69006bd2056978e35b7ad6b38861c4af927f705b38020f123a8536da7125431565fb76d5cdb548277875c5bf5d9895f71965fc31fa264abf2d876bf447f339a7699068cca856bbe79dee93434e749abedba9c8d8ea79dc073076860ece6ffef7f4ee9e5a810fb541706566e9691bb4d2109ad768417fcb72a7f9f62fb45f772f93d8994591e1fb837e208489ee073ce443795aae6ee9b94d1ef06adbdd4cec7d4d091550aa5a6a3ee84c1e3095118ff42c92dff39e524d8524f75a1eec8e73f167c881fc3a6311360bea9c89b68a1895b2ed18711a074566c8ce180d1801ff327403212db90db06ce461d135d42236a49281179da493d71efde292ed3bbb39ccee3f3ef8bcb2197bf3a392d2fd0dbafe8185d2866e068a8b26b3495a8355959d0ada698e54c67f2b8e5ea10987844afd67a3bdf73de39326adac10edc8bc29c4300ceef4cf58c2e6961b87b05ef4bf00e53ec4acede2d15f38325dfd6d17d9a4deae4684af38816fbde94a9af0daf4a508aeef62fde4f2b29d033ad51da091066c768586cd77928661a9ceeecea9cf4ae67f3d5a3010ee4cad4c97047c3d9c3064cda34b0006cf18dfdf0d7ab25b3585cffdeb5367894349fd5788e1d73b507b21b66ee6a8897d74129b6dc76637b24149bb7722486c9ec0845e68c43e0552f23d5ecf5dca58b381d1d512dd6da5d0d8cdfbac3bea98b04fac0db9bbb687086b54993aa28fabbbe9e2dd7a2f9da3ddd791f2299470c6ccfe802353776e3d7ee03c0af8864289c0d6a6b731c450e40eb81baf1838f3d4199eff36c1159fbb64ee815de0c612ed5c276e05e670823e0ed232149e48ea6fbf8bb9b6a42a5ece8018015110da1656c63cda1ee5d66f21b77c244f097e86be5abbe4f4c3cbc043e05aa08f74bd28360c6b2862c2987db397ba7c68b88fad1826b00ddd9e06d2084138db5f4be5b0fbf88c3b309fd57906fc77ea3da69db4dc0e0f9f65eddbeab1432a746e586c632ccac3bf5440f20d8c1d6115f92ea06663fc157e08cb1216dd674619e301190443e01ce108d846cb6ae9a66b97fd2e477395d2724cb0e01a5a132dd1e34c468644d7989bca3e5edd368b350e248cc8f4dd20d0e14cec66ae019535a013ee53f7920cd8e92cbd0a0176d321dd447c129d97e09994beb449d6502672bb3cdcd136a4410e00d06ca537d650077f98fb8559f9fc5a19f0f3222bcc0afd11611d5b0b03eba32f5c89a12819cd019dd3d77ed0a0d1ecf01369792bf4beb2569dcd5e3505e9e90a95fe4b500b3157fe5e76a290bb5cba1749408b449777d7b75b6d77e87ffecccb859dfd0b81193677a00c29c8825b30be893e0cfd52bbcb2620c255c6364bbbe8e9f0dea6df565bc963c1464155df57d6ea396e92ae8279e7ab7ffc17f8ea6dcf4cf799bbe6284dc5573d4139e2908d69880d4484679b5e641ee30d25069c75a18fb7734b5fefe31bcd46a3dfd99ed4f024bc158a2db1acfb6d1b35527241336c4f04529e5052def1173636b09652812741e0eb1f547900809ca2366b5119c26eb79c21ffa728f46e5768c779f6f3ed1bba8c232c4041b4a0aa4b7b2105e3ef37842080c5f9a39cff3b058e11c8026bd682d3f7ee96fa090c966a2a08a17788a421e7ca6d3abcda616ec6c1325ea4e91fcbab9e06b4f9c2b5df14998ffce2cac00db9d2c95379b9fc55a447e797fbb8837faffccb8ba91a87887a12808ebf254fa45fad2ea4dee01a2f9f490410e220a0bcb5b1229729f6db3e10f97c5dc107ca9972a7123a68fee2902b2d044ea8f84b6d43c9920d1ef3ad113cee3d326ecbce096d865b80df759c0aac97e923062bdb8f5ba2249e7a54417429a9d09aad4e293116b991978ec7a61a1d71995e97cf4c37512b2ff5a67cb202304a8a90b34399ff98ac45f8fad4a87dbae9aa01239c0f2f97a67c12d50ad7aaadff0c418f9fa75a196959b7854fd92d73404851d6c53c13eace926b3f43b0ed8f0d101ea0eb88839cd57eb1c8c75d88a907b1e93b1c47586bbe1a83bd68074e300d75736ca5b98c70e36456cc696ba1646e938c46fccbb32fe5aed4509b2b09a0af5bc34b2b050d20d806988d46fe6f075ab3627bbf48b92d8b91ed67257de78dd44efe09fcb6aef805cc53ef285551e0b1a4d917d8411b24c74e9a02205a4018039cf31b647dd95a5f5aab3396a3a93b057088632d450c065ae9175c05a65e5062de24eeff15cc6e02718aea43b812ba7b0fbff2743862afa968241166631606256a83bc570c43c11d0148436bd3ff436a2d1b2e1ccba7441d03e1576ef38b7adfe04676d52bc692d2f66bf5f0c82e5e7dd89b268fb4536fa3870b5470acf462d5b2999543044066892ef54a306ae7244f9372afc83d696eac29e7c24963ffbf1468dbbba9d3d37a6b6543781bcf7005a9f46960786045afad33a61b6d13a72c8574777b7e80ec43f5df42614fc62097c2775e3f11add8f50f6ef09199dd68990ffc3aeb1fd120738ac65ec7d88444a8b022f3d719c8623cfecab626950779fb70ae87a3d7d5faedfe2ab843fe75fe980f9b98ab9ee42dc625db03c5cb1f1dbbbb943fbdb2d1a4a9350fb7f7662545a76483c0459fabcb8d8099ab81c581d90c36c8c0b7bd0dab09c1e3c12304069e431a74037bf7c4501d632a204be07d10ed809c9be6fc16293d9f9de366e36990236402f67242647768c77170c04764e1d82f0875d94fc0cb1d013b15d2fa9aba65fc245a68e17a656b968ec5620c429b31aee046b639b7c615b49524cc7ab71ee969158c67bad96b89f67e3a4e5fc67d6f11fb840907d279af0954b8f5e49a96e774d74b4ca7926bbad6511e96123d552db7d11839c7a53abe73c137c7ff1286704af9375722784cee8e0e73b6cf26c4521e339f9980a63955a155872f82466bd89efcf5846f9b05e09cc27b436ef8269df3c2d6b3b0ac04f5ccbe684ac43a26687f1e0fef066bff304b2266ed754da319e6528dbd0c3ea3d159e488d3d727628ab10fd0a908c82272485be5e17d442e91e01d8f77f9c12ebf680e5db6ef99b8166e190fc93c082c7416b6e9e90d31ca030188e1e5881ec279da425bb4885a1f6cd7ef0aea01a2607485255c8c4610a0efc08fd0b175254b827ceed23145fb86055eca1e6381e10be319a5ec83b00631fec9af8c5193716c4e8062642b067e24eb47bd1213bd6b321d2614a93992d8fd6caa1e6c9e40e808f4d9cb9b5ef1095194c12a80d0673113d6d85b83712beed19ad916a4e12b05e2a843c1869f864f2c7e56879407f9d645d6895760e4432962f15d066874055bdefbbfef33cb199f9ff90541f1f86199910464cd5002282cc32664aa092fc026ef8a0699ea4f71c9f6634cea39a7857e7b929c000b2ddb4112e32948b3b88f03b610ad00afd4677bec2e3d78c91e6c2787449a6bd418d60d5573aa9dc6b29ae0a15173debe501e42d93e96d1de719153ac531375d4214651664635a896b7e7bcbc225856585092d453bb63d40bd875d532aeac9d3ab2ae56e90691faa10a79ab1eab710d0cdffd5029a601c021deb60ada33bff122bb8ff85653f3bd9661d4888843584bf7a3c45d4ef980f4775e18b653af739f3d97919c3b008507e0ca983d46c87bfd180e384ad83aa0658e5fba968fe9168e1fd665f3be4e79da80abea73754f2b324d557eda10d7d8a84310167106a54cde7545f87ebd47da1d8bb99dac4814d59c854f14aead0e2f9bf13b980d157d887a50a966362c0496dc73ca4dbec42cf8133f9d644729a1e02ecd134384e442d328441edc9e09dff1143c79ba611d4402f2b698530c75c491ba8ccd2e9a10fc73eabc33adc16ccf91249eeaa03524f647ac49ab48a8dc275606419f801a3f048e4e47c5a4b17633c8e35c05a994849abd0a542a5c666d472fa1b3ed02962f35526ae61a11c7533b2ee3b5a9ed8884b4861bb5ab159f552e32fea79814450d0d78b4c83dc4654d1f7961a5ec735438c09e45c07393279199ca937b62ab9410607e6880d8047a49a1ea3cc711d126d5005b8aa916548aeef5fb9bee4e071c90ab63d46be03e6c46bae6453694082f65e070e82d765f5a038e725afdf2eaa1732060591db13df6497624c47d2c318ab5694f1f19e6f892b4728c2ae47d9093955d74690772b6d73876b85892c27f1280a42206e36dae7c871f11e30cae135b7582015304dec51632da7e9ada4cf41e1427965e2a3e0d9424a9a9cacc14592bd7b10652ca24fc6b9c056009ced0a3362adc053e22af3180efa3bc8201b82d20d91f0681133a27a1da17e4e6545ecdb3f7a31400cb046cfaf5fa0d0d55470d99eb983a5a4cfc0c7be58ac6d9b69f54d0776553c1055b122820a0f3854a2bc1a5f2e55dc9087eda7c3e33947b9df51dca3f916d7b387e283e104b620c1b8d2cbb5a95017e46391eaaeee2b3820dc2d69f6fe8e75b88304d7d55d7bf6d934f4a5bcee97fae8fcf029a5a8886531586203179ff2d7867460c0620f9dba32437b2c173cbe75ee57fdaa6d13e5d1cc6cee105e2b09fc1be865cd7bf112f0b68a93385c7dd72a75cebdc6bb4512cadacaa4a6b604b1e96a2298d622452766fd6725a198bac91e70790742998bb862d8519d32d48cfd435e03e7c261d7c242d2d026587890df4594cff4d4b60d0b7f90bcc293a74dc11bd2976369d667bc261b382e8eeb06b8dc04468c5c9ca971e9be8057c22902334740585a4d8933b91187936a993d505b39b96aa1c885be9944f8ae3b04640afefb1e354e537c35dd54868a09b3cff920c53855a358b693f2f17b60905a16fd0b0b7295bd873c921d15b2a1207e39cd89dbf895c958a8cdf49655a06a3831c6d2f402222e6a424252c01b5b12a3091e857ae506bb045a81b2692c5055e87c1cf5680754a0ac99cccca3b6addeb71b14694fba1fcf29382a556559f60c8a96638b5a01dbc35dfea26ac2a90975bbd8bd0a42c57e01fc6e84926e39c080d0f72dabbabddf023289c24d66a9b25ad687abd38ebb8a715b4acd5c4b6ff9c24e62bbb04e7b6fb6bc45a72c3c4972f279ebc863f169bee8c6977e516acbeb7910d0646c9b80e41fcea737451eab0413143e396760ea8f1f130de03356ff91c7cc46fea33d64ad83b0c2c187ba607a8149955573102ec1b06bf5fa84439a7266482e003a2c757f2453b75764c846eb392f1499a3afdb325d7be0e9ffb97ea7ef28f58f099a31aab74b63b705483811bbc96787a2637cefcaf14d7c890b9f6c37b69c20f63901c7899c0811a27421fe1b0a92cc34d9cc993e4e9ac404ec80e316d4b6a98922d3bef7a586b4202e9a4e9bc9782e5e7456f204690687089b1a0c0d8c5bca9590b7253f640b0c3fc5b1b4ec970db5a29a12ba8970456f941ad398c2b80290a7ef762057ec4c5cbd13d603321ecb3ae6261d3836720258720706ed18a87e9db2cd1301950a0bbee54ed2f08c12ca9a83dc158726b95a5f991e704837e7a13c7dc663d15281ead022062625e93f5d2643380c588139bece401876220e2997567045a7912b87d3b2219f7cc800524fe7dd3e7202dbc0fc294122499dae623147e1e3083580e6af9afb864de9412c7850c9c305d3723c0afcfcfef6741520d46582c199ca4346262ad10f96a82007afbce52f8fa4204030fb031ed4b25831089dd8a66e89207be1b8dab68ea0624fa2408582b79c17a0727a4a75cf0487cd904b236096845c47ab584724f72cb016abe1457a9672299ae6be756b15079d69b4021eaaeeb267233c12134ac7b14fddcd6ce0620e45499016a1c21709e38dc9825794e701e19635156d1a1b107ba9f16688e0774c15fd048e9e2d1e0f52c0833f765440bc18b9b07ca8c543d1cb1fbe9375ca3850d42d9d4e471b9100e8744cfb0d74bea8c315c7e1ea0a898a689bfaf2fa48d9049058c205241cec8bf5d9d1b7bb825d2292d182f74248ec275cb2ed9c99a8cc7228498ec6e3f0fa1814b6882a1b8d2d70898335fe92b75c7978beab754775b0834a363940aa6e6b82fdf04e07e9e95baeb3f8d89794c449090de16ccbab4db3d9cb040065e071595e7dc957dfacdbb62c6ee87a5878c283878aceee5432af9f506075a9c33564e6912fe34c37a11b4641200e32ab8832976930112f36e8dcea432c0101e841fe932edd860687568eb32105ead04437d05c65a5ac06f7e0cbeada054a9dbd1d0835281d0804bcfb19979d8b790810cd63ded2fceacd38e21067fb4688ff1f10c298db9484214f3b644159a8c179f90b5af19432074086e13492f7de36172053f11176a3111998a4c85cdb999a6481ea73efdc1708a36b3b9898e4484c2be19160b8355e435429195f0c9ec5a9335ee9e9161f025413ae6e549a86f2c241033eab2d7f88a15501e68c1d42aed109eb614aea34834f3f35e5275c5e8a73f401d8b70de6b87013b4ad8e55e959b2b49a6067be42a0aa41a7a86fe0899eabf3775477b9f79caaa253d6f4486994a69cd49445fb8fb13692091dd0aaeb62603f2eaea6064ac2621acd0e8e4b7363a7e2b9c2f88d34902d28460cd8455038a65d4b8fad9f61ed723c521b41626f364cf6f604420062d834b3e50175af09c7255fc7863978e56f659ed0578cfe196369c511325b8a4a2a72518d309d7386a339d71bbc2264d422fb89971ac935738e144b843a6f028d1f9477a2781c1471d89d2902ae0882419d9b4719c07c55b09ef9c9d3a7d43283541dd7c9f452b0e1cb62f77b797be9ff934e5021232dfc5e9cb9a42c0ec736961a8293504ac091ad9a71d72e084ed5e00d5406fbb84249ef2f0c6b364ac5de6999a50cad5d79017d32e879978a5a7fd3f828d45d34d6df690dd3a9862eb1f031b64720eac98777939fcde74643ffc7f87f003e7cf3797f5de33af8d3f2f7b0142c2f2ec61bc2681778640cc32a1c570bfde70dd421c305b439b3fed60e13342a30dbc76f01ba92c2e5e0102b5bebd33045256b550148b7d018f9d0e8f91da3a9f79f9c86ad41cf2b1b64520710c68967d030f9a71be3bf7871737e0eeb1988098128f3696305a33bbd2bd1698d6f982095235173bb10b99febe1aef7658ddb7e2c6bd4292a27779b399d19d9963fafc607756c122d35ab59a2445c03d56b101c06d3d43155b524db94b4d9f81d203ddaa8341b3818a69b2a47fef2c1a1f72bede8b0bf41935127923b5beefc9703fa3cacedce260d6917c72765466380a17a81270bd643b1cf5dd22c4ed7e7325c3078d30b490677e6c92664a8b849902d334b47bf3623a34fd709d1d83cd18affde688440e4db5570abc1ca2cff6d2be95ef7b53e8fb543024da35f2d2a524dc80bd1d5d22f9e644a23266981b5a470567a8566d82f8925ab34193057287f8fff68650b126dab15f9b533d2fe1e15ff9efa1a95f87706806134f71fcfbf0dbb8b7a767cbe7a0eabc575da88b321d6ab8ed27054490952e86b1a80c44ba83430de734be4ca3c2bb62841db05feaf4b352089da3859039cb0a0bc4e927a6019263a4032178f6beffa8b28b2efdf39146820ad5d6e20d694542d1873c87101a0ca2339c88830ca80bde901c58c042f95d0c9874f5984b7c278bd4ae2291ee1c0de6aa10ed0772df970ad2df98bd17be6af68f24bfb665b94c7089464983bd6c097650e409f4ebaee66ed3e07153d0e86966868770d90ed415456eeddaa44c38ac7aabc571f8a9bc38c236c5a7709b459043ef9c119f5bdf925dbddc2f351c7f8a4384efa86a5542202a5081854292b1b763f1495953ad8886d7d102d98dfc1483156a9f701a2cd98ca86156eaa1da5cd20f0b5ab52442e7cc83d885abb98df7cc27fbe1795c09e0a9ba03b327a9533a152d3876aea8051e96d86535c3f5705bf11be885a0b31011f806f192ec210894c32ae43c15b0bf9cef59ec6e6dec149c78400404381c09392a40ecd03547668672ea5a165345c5af4a735843b63a5dec5d5808f8fc5c696e5f82416ed278621b72bee86a7e2a4a982af9588c1ae65ca9806ed429b80169f743a6233dc628afd78b8c352f7f15f904e408e807a620439a58a91a51565dcb6faab6b1d1643f0a7442c422ce463f6cd4c92e9f598a94ff1e6b535b6cdcc62fc34e0ee02426bac9b5826d88396b9bcc8f872d9aedaf090fab51a55a898d57a152ef9183fdb59974ded32904e5f369058119b1729759bd570f3952bc18a7e81e292c6ec63f2db703c50d33d0425efc449c4b6cfba6c8aa314c2a1ba39937d582b67e222ba265b5d6c055d0cd81e5282388281b56738fd811d45d7ad25c080d61aa5946a794e9a0097f4555670948c8b127cfdbe8e924ffdab9845a1f085307088101de9108a3a13f013e65f5ac7e8c8634785b472a967889f47f16c219e374d94a40dd74778a0e77932b9b34ab1bb57aaf3a253d6fc4d642bc89bf28bdb27bcdf4e3742540c7f919a0a6e11e1fe9a1d9f2fb8f54e473424b086afcd50fc5c90ef3efac0e3816a2435a04ea880b23428f7c33c74529a7e426d33be341923e574ab2fe5b0e0c317fe17911e83ccb628c3bb6984e8f5e91f1d221597eee76de9d154e4340772a17e502e74318fecda7f3b7a076ea4af5743a369e18922378aca43e64b69bfe80e95b5be8b02b54fcfcd56e098e4f34f52061da69e5c0703dac0201b030897231255a34e3e358c587704ae52e3e21cc534e6797d5974146d05552b95ae1c39f10927829efd6ccc0bdb068259f597714650e240d202d26eba65f9e9e8e4b69fe335b9f0d4d1f6352d7da9311c8a42d3bd2639eaaefe33f9f6cb714ee94e026f572b73b5cb596d3d58bf3782b18784bc7db7b15d57708afea1a6c530029753cfe376cd56dbdc74357532a105129ed3828191e734bd3c8d914300c8d39d31266f50b5257bba25f6112b0a8375c2ebbd662b42c851a4a123c3993293dfbd66d5a2fe39dac6624e57c4d34b63b71ee7ce2aa01bf16f36e4a9e75cb93d7b6f5af670e61a03defb8fb90cb8f147933b58251899d99e906bd8e0ab4d2549e284d9b124cea9ea530ad82eaa66396b1831b61a310cbfe7c696e46af616d6f8e74019cf460ea0a423c9509678395cca9ef04b7ed6a57cac3c4540b7a560893331e93c175198a1ae4f45300eab8c0de8326b69991ed8e0b6d736ab7e1cf5ae53c4d6b0f5bc225726d0de0354a38d835684cae60d9002a6281e4e10fa5ec2882fc093cf709546b7caa2713dcfe5c5896f2877884cc6784afe6d9ecd4896d3ad7f36aa20761bfb2278616776efd742fe5773c73f85fc6b9d195043551781ec53c762c4fa2d1172aad4625b13b304c2334f320f765c24ea335e8a4c111ca8c12fdb53f518a7b2ac0a402610858c2a9990e1343faccf490b645d7011b9c4d2309e65f2c2210905dcb1d8b621895cad6176e8054c09c2a70eeec70d69a2c71617500bc0fd65bd8dd38b0f163ac77356d1961173eeafbd7e9d52440e045272ce0303a0b1ea5a0a66e53b316ac848f607742ddf13cace2f67a39ebe54eda13812854d2d03357300bd302e8305166b37d693fa5ca6a7b9cdbaf008d1a32a5218c1a9e3afec32e720ff9a2a29c71bbadd0639c90b89b52a40b7e528f79da543ac8a4abf73570c2e272ffb323bd23e950276137dde9cc0edf43441340c275f9a6fe6a3b44d41c2c9afdc28df53e4aab1926f4124d578ea48b6aac924082cd2e61154ab876451ca62453f9ab88a3967c14791da6335eef2c99b2843943ffe629d16d02a62637f66651c1ffe30e0179608cbf0ddb31428de80873548a4027c57444cf5e0f556a66c21abc0e0e8b42a5bc0669a617b072aa8cc905da8c4fb46fae4afcf100e1281cee420a399a1313f9dbe5f2bbf4b97dc0a0f72a43f83cc9c43a8f4442dbe1064ed7bf2fe108ef2c82d1b4b9e4cf1665eba50a50d7d18f41ae980624ead8ce19dbf77ffdc5b952c9bf3c1cb511e7482a038b0bec67b46666f08d35f3d906dfaf4c6cc7bd85893773dceb4ee399733f1dfc1a64d0010b209717dbdb1f8246742b54db5a9168c6705eb2bb33efd6afa381828cf5ab28351fda1f5a51055f871e469475bddfd6294c67a6aa2cbd6de1ab0dcd91728be8a98252807af581b3e5a99df0f68e4974bbcf5a674527559ce82d52abfeb6288bd1881246dae8ab743a516d8220b92fae01d065d8f0b490f292f27651dc94596f33e72013c776828c93dcffd424f7e3d68e9eb0bcb870e495ff242512d9d2e2b08f61143f9629190c9243d5afd13154e55183aed269f5655bb16c35c6daf2200ecd89b5b6bf43263ee57b164c477dd79988d2e2fe15cd733e4beffd04d7cf69c2f9fa331ee668fcf55be256cfa4317a301acb12fb7fedbd46b6f81c4c3f6341f7717e865de06c67487c4372653c2647d2e94b71fddb59444f3810ee96e1b70991e5d0b2f3d4375e7e019e76b0048cef4dcac18185bd2ac4a1e04fb99938812c3265a326cbe172c15965172bd0b014724f0c66b64be09266c991df65acc039c26cb57e35440e438190e1cc397f46fc88a6711fd2cd5001ecbdb191e0121d9b65c1ee849d943a05ff4968e81f2c86308e04e7e78dac38309438bfe2cc1c6de78c1d1a7e74ea8e25739abc371a8b74abd2c5ce80ea84bc5526f44dd4c1bda85495ef3589491327295364b11bd2f7e197003e9a102f71cd18e93dff681593054d5863e93d32913902ce741f740ceb56d20903d60df41ef4d914e1aec9a2f7c6de85727ce49f4d7ab4209927bd46e40b6f445ae69df15812aa51266ee22f176f8cfe19522aea1a0400342d1d41fcd616df8cb2f4bf8fff00994935c62b91f1cbe0e493b431b20ecbb0f3cb719f9c1660f606a569e970120ac50c34987303463580157d6fa38e92270014ad4dbd244107519298ed0420f087ee2a3134734ec674e214bdb64b2f2d1e556173dc082665cffd618f1e562b37c0e773d0f476a5b09f121937873a67f891c9f479d25dd3b2aab75c37ec64d5ca01e3c26bb81ee309419d27b45de0c7b56d57c96145ab66e276d7f297bf9b5249c7c82bf667277daf8c4af64425ca33e6f85fa58d1aef3c4a9ae913d6f299e9fb021d98cd983486d6ce39928864fa3d9a380de5a725846984392bc3d6f61bb70942e01fd1f55d8411e63b7e11d4ac54a09b38d936a1852e6695372686ec45290fd7773e800d0a56c4a570a276ad27ce6657fd9ea5281cfb463346210f6ec72d31ec78f7bac38debcb79a2fd8823f037507e621d88780ae83f6c7d530ec8e1a159eb7b4f4cce2c5405f800f388699ff80527d66c3bcfab234343643fdf7f47d0ec57d30741b385a16ee6fc2fd72245120caa8240d8f8104755d50151259e4d76589af883864947faa3ec7d1411b621b8d41d9374a427f19e29f5ca4398c420ae27b74a058b0325cd748ddca9d11c5d3f9c5fc70184de8653f3d01a4fde2ba3667c278c88557fd6fbaa3227063e457774781085a854f4b2cffb82910f61095f7ee9ef6ef2238bf74211d8cf1af9504f3eee229644d0fdc85565b8e66a0832041e21c98466c89ec72823b3edab0fb42ed65202a5eb5df409f5bda6ae748884a146b34f6cef3d6edb14c224b8b8ade40e04a7f61d021f680a71f72ace0de41625484a0adf988c6aa71257cc6a96b539a2fba55a2f986c9ebaf26ae574c3e837f98f08ae710c226761acff343807e40131469c9d5b9e78e14fac0264fda199b0a2571cd1b6c6e95c0b668ce5fa8ec0c91cdfad58afa5c1336d8901f57f05f115e71240c237c4a91776b8131c1a7809e3f35dcc8d28bde183398b8d61ef6bb8274784f083d3a8060b7436e315f941d71883abf8361bf66aa3538996519e6ee2a31b41865bd2f16063e7cc0198aa555d41c114ec41a8c047cee2e9b8e9cb56ca94b28906b64e9cbbf86b77d1b0bf2a8fc265eb06716f1181a7db11b31cc7b49d99ae19e86fab6383928ae0b3f73936e972b23b8ec1251404c1c85f4dfde89fbec9ab07578815ef077cfc2c6822a8efd2807ac5d382e4064a01890da79ef2e182fa52a2d31c98bf9566f58fa7eb87fb610ff66fe7063d16344f62b7d035653776ab3e63331585066206dd1b25b56275c589f802d57eff3f4ee4344ac30a38f947b26a76cb18a7fc63fd87738102e8f76f911dec4a172e7394544aca0b774be9f741b4dfa5af846a71773498727991b69e0d39542f72d4bc901642da1bf4771ee0149eec36f0c9924fa2adf7660365a015145bff5f19c07729520211c1cbec43298dffe8dc365733d37d8c67679593ac7327c45ee8ddc7d36b324c6f47fbf08d563328e21282f9c48158a37543ea13060a151e163a7e1800684652866344f69a3048f1ac1aedc348900c03ea380d08d1effe089939eddce6eccfc251d54e9ca111d69e9c9f67f9bca50129bcb19539f2a5a1d0a4b58907e6b3af5ca326465000701246b9af43e57a750f5424dc98fe032b84bfd6695017a47e6c88c445f3b3469beac2420da5177ba9e5f69c073d90fe22fabe1fd0eaa1049b2eefe258f5d6c13f6920268abb2350db060139fe338f2ffb2898517d014e0d5bc123370d602b3b7730544635e649be08ab7cdfb0067337e80ce43c34e6a68ad5bd3baffce51966c5fc369cb196ee799e901a153ddc43e6271cebbc75f4e438c70cf919d957015bc3caacc4d2bc75cdeeef793f75314dc7a5e9ef21182e895467e4d249c6e24905a9255694721d6f78745002642f1daa53ec015dededc3be0b1782e5ccd3f363d376a2870f4f888a88ef4837a41284792c6387c1a51e0e797b648012ecc98959c79c43cbb91460ec9b793e90009a6f7d4983324dd58ad457ea3c4d6e9212b528acdcc68c076e8f4f2f116a88e0f6eee395c716b0a5c4e1bb518d32e3ae2b0a1f13f875ad912c79aa467b80ae87cdd0e147d135c9072cc7d157903dbde16f536af5db399bdb670207a00428dc58fc6fd5e0b56f4339c5352588924ce64fd9f8ffcafa4273af44dce30a785d20bcb2d5ec8907e3e870b3e00a82ddd95a159c79c63b37ebfc916bfa6f65bffb956b936b0daf590d1edc47b76915e431b98523ec402ddc34c61621d1c0c90715dc385d3c926e1a0514b5be429488da7661c4200b50c3e1dbfa2a1445078188a3ea4d62679fd6fb3af16fed076be5bb3bb78f900311cf5f9c69d42817c30ac407f566c6ec8f53ecba6a06272c6154d1dbc5035590f9bd9284ee68b34e2cf7f6303796af1b9718aad56fc5f53b662beee3cc6e3f839ff57c65a3501dbe9e6052a6efa54354fcb4c5c92a631a34505de5d833c4de2de1615a27ef785b02325666e4529a7a6d66867a8b10052b8ea6760c8cfd224cbfa671cb87a140deecb0cf6e98d8fd7d7ae722c5b8625499f5e17e39684f79b289a71be2380a733bd730e588df0358491ba9c163d03d6992a9f7bb26d332a2dbbe9684efbd5354b2816571b16101798ba724282ac070fb0cc86c967632b5c91d66a3586a5091c64c9cbc2328e48b9f9073f187d0cd98601f087dce8e71bdb39463b36391980fd41c52c54ad5246b2cb0dddab7a94ecd8202b17c3aef9641cc491fe23879334edc139694d5a4d43fe4210fe4d5cee062dc3c7159447adc0d0b9a02ef1dbb31e4bf5e7fb445742687def2b8a0038d4e0ac15e9729f2e07593b92e9d2c98f891723ec406cfd99c85e8de345b776493a7fd6a5cb2fc6ea3c586755f931a335d06927e847aadc7d0957de40120557d887c3d76329a3e3df2424703f79c9edf9873598ece443c5d0ed7f01d5aa3c18841bb3f273b1d3ed11346b072bbb41184faffbb946b9a49fbe3f32c3f02a1af5bf422e71899d80a07cea7a0eb628b722e7aae7fc5d7efd2e4e3a6ff78af09efbb4c52d155b6572f89fc82fa281956af3963cd5ef45a7e6e2dca23ed512ea2031c60b074479b8578b97c9eb99f19010ba6fc7f54ef63d37a7340cbde9f08db8e0c3d9de8fd1ea82f6f4c06986fff71c3d6b1c91a771143f2d1e865296f6339e9da58bc91c1b6ba657f812bb627d214880f9ff72232d92191ee0ae5dc6a95bdf109436297a95b355b91b551993e6f2e1909e97210b0b879aae2aedb6c3580e6bbb518ccdc87a9ea969cabad03bd779125c1d33bdc4b24c0fa90d4e1f78a58f44154a8c2d673c32e92222532acde4b3c052bb031238a397d6395c575d13ad0124a9c000af4e71312105688e12568feb9236ae3a563c6054aa768a097952e5659ae37d6dd0319bbb96e0c5d3310a1f25615c1e356c61d2ce73ca8690fdb4333c32803099136f1ae523984f10cc6b91fc536f2c9c41526c900f73a1a8e0835363d3936776d6a61b7c069f0b60684fc05bc33e85cdf643599dacb4843d7a638d3e109a4a44a39297f8f128153a628cdd3269d8b725890be248c053a93ec586705acdc314e6d8924e4455c81845ca2257a87e67a3c923eab3fe00b0075e545ba4e5403d7fa5c5e4d2201be25ceabd6f648700466f6fd7c2b076e300ac3337bf66617a4b30fedfd2ad24ec3db0678ab1627758d49f61af1aa7a83083ea80e00d139c2a0a8c3bd9b804d25dc176b5beb20ddea55a79292797951c0e9f0fc06d526994426abe7111b96503378a9baf79b8cbae53946bb206bd15de8066cd44d406b45c3de677d228e012a6bc85fff297286f745481302b525928be85e2d882d3bd96abf112b15b0dcaf0ec308b5d1bb697ac0b85bb3e4e72342518aa55d97b57f23f5e567803b3e251a9cb964c7cb4dffcf9f831a6d61f34e93a7edbcdcb540f7476fe6330e4be6902c339d3571d94d8b61780153c8a0a34cecf86ec8ad4d52fbbb00f8841408259f5d435f5f57171e55353c022ac5a104d36f8114e3a68ae81b4a20225a5d2388cf32e56cddb136795b5e0aee2734ba2220c64c743cdeb0e2d330d4187ed0ac8db44cdfd624bd90314c600f42cc9a2ad46e53f9e8188ae2c7817c1789af6e647f2a2363e85d959dffb44cc7cf0609d7b36c30674ad45d8ba281f4710c49d20991943f0ff00a3b9f812b8ba75aef8e98a0bcb77e9e018dc5c05452a931e1482df7ac48b4ac4ed70ead862a828e19f4c07976e1e9a63bb95d66e9cfd47ee03290e7f0eefbbf870280b857718a1bb75ad7014b4201c961cdc7a6813382b786240ea8f4ece5e162bdd97bfa170ca6d90cc2511d592d3ac7400fd182b1aeb137db361b14f4ad626f7ea3d25ef16744e0e0e36c5b29381ea7933ecd47292635a6cf1fda3e52ee93a6375ca3a5ee60cdadcca5b446e3beeaa761ad8ed0510ad72f75a23357150ba8f5c12b63084dc8ca82bb62eb38f43ceae6aaa2d5fb8ac4132ac6e679118055b81dd736c9cdc9fc1bf0966bd09a218193f310c909e61a647c8215f7c4ee3e8f3b25eac636c8a96a0e464ffd0b4c1ec2082eb2399052554e47f3a34c3420f9ed5aa56cd9b0f1224cfed973eaa770fe099e9d3aedd3d42f6eb93a0115dc1fc715624ff6b0f8f3a4b51db5ab630cc95ec7021c6b4fd123ad355873247d550265bdca2960e74a3d8888cada88e9343b70d5340eeadb155564c62dc1eebdaf002c2c35e0990b695c536a0a752cc2695d668f52b00724230654d6dec51c1f0876e7e29cd662e12e8ce6bc40a318c25e6de630ab705b7843fb15c4a3dbf9a335d07a70f46c70bf28f058625eafc018ef105f83c4564324171e19464cde9ae0f2388c438c41fdb8f81b278cfed8cbcbb9d8a2a5496ea8cf4203edec4669142f2b037f9e5f55298a2467f1088ba13c48188b3ab2cc09d6cd9967acc1e8def2cdb1482bf4e6c5bef3760061a81ad22e77aa882ad1f5d598345b3d18bbec6d4df314cad4e667242b2a9210abfe74b301c4721c8711f9cfdba932ed74a10effcf3cf73bc94ed13dabec7b6ccb0814e71bd52a1c7103bf47ef214b9cd6ca6a12f880857cf01d141b1d88513fe7f2e02282582480f9c257ef4e0ff52920c25a3d0604b3485916065540bf8b9480608e29ac2d5a5a78b1546aae0972620f9e3264a1b1b73b43c7935959d7726b07bc9da0ae4ac08f0db548446c5241ea9f19aa29d5db2de3cdb1e3430a157308855e273dc1f74c1b609aeb2f70bb0021315d33bde8a60a1cc7465b70bb5c652074bb9a030ed8761ec25a35c102b86a8562c827f1536faf2d96e3a88d3549d5e7306754a431de06a58506db917894eef0d484c2e1c897993aede2ffcd0c51f2252924ac82d91e8d364c78d987fd3510bc7518709aaad6a2b0abb237d4860271ec5772f74eecca7915fdd16d93674c4ec0bb130bc8235ff613f9dba91c21a0227dd9d5a3ee0d9ff183868eba5ef8e16c80ae913ce1386e77fba65c125ea036f399de4e88059012de120f5b2271a511d338c9d8e3b297012fc00842dab541e846faeada68cb5dd5fd380087c68e246f2ce721258e7c5e5d4aecab33a5d15fd5be9554998ec6ec4f3884632071ea772d1bc7ef5423435cda7e240e0d715e00af37e6dd81f04c804703e04d62c6a6f90f478ae5189783b634b8f08fb6c6b6703ba8c2f7b167f81a328ffea16b39fba14c67ef2d7d45ef85240682f90148c94a60b0168dc35d9ebd82704be02741988c4e65e0016f9dc0b204220cc49bde0302219d01c500c9acd2c351dd6367cc1e922f7a1ebe4051ea1cae12950ae4a72c86ed5cb078d5f52a4fddd820f5efa141508cdd3b29c642e1d1126ad669fdb2e5899b02087f23443ea5ba8aff0d901bfdf7e314684add3e4732974ea750e098ce5e207eae30eecfff87c11da0c3b79ac9e69d751dc544fd615bd352ed552492e406859f04ea015800d472ee34bf0322e3e144feef67bed694dbaf8781aa7985b2a9f2c19c386d7dcf60b734f6e562682f67730147751fe6a1fe477257a7e0bc107e6b6a4f4782c935de86c3b6a5d80b2318c21637dc91eb4dd348265db094ae44012454ed4d54bb17e6c14f772de430c9844a91f163b1814634b79f47923ba80ce4f17eeaabab729ca92812e4670a6cd0bb7ca70fd9fd021d1c81e0f8c11bf501687816aa7602f483b8134397abd6761fc175ee21353bb7bdc1e908c603e5bcbd9352a1f65fd6491c006e58a74f4375b01a9a578710efbdff05586b26b13574a20079cf7beb322c2b01bbad4c78be74001aacf129c13cb6f34f8de5077c7cd3bc6a090b5ef37922fb015d66e97c1f739bd573064d9616e2807f4c6e9490d151c31ad4eedd2defb466a7a9b196eccceb3ac48d2b9b751c2014c080774d49c027ba17ae7dec21edeb4477fb8f82df7e6ee07fab528b74c5ff178329636eea4bb95af8c7676ad15b68d78d0bdc998e228f15712cec3441609807e264f55d74af423168bc216f73640e018d3897ecba58d2910c2c8c6403333f38d15218a2ab2dc0dd0c644faec131e51c5fac7092540b07964dc0674427cbf279b7ce964ca8f4afc080718c6be492da65303224e8ed558e490c0932b365fda70b20226b2d432d5687d1b7ac1c97ea9c90b26735ce9e7d5406d18a887dbc3d1c38c91450a8212feb0aed675d69ffb666f6c127aeeaf72dbe343947443515365af41d6c23c0d73ef4fd26d77b8560ea45983afa4b7c34bccf59a63f4d29ba6c26f6fde6410277759b496b433b6c7a350bb7d5de314b04d49a0e479ccc43211f5f3727dae8e4a7625275661eb03c9cccd6d39a716e12720d2f9aaff7a6cf29a7e03487049d771313d5291832b914a1bf3ff8bf276beacfdccea9b46a03a68f6a160c590f904fcd7669510c767bc3e6cc690dbf9518ce7ab640d9af22ac1c30ac8fb864760a2127024f18caa2bda498e2d3e94b0745b420d9be240b1272f02d65d90f1ccf89c7248562634a7ae3ee5ee89a50334316c227a00e020488b7761999f7a912a35ff6da837ebc8ee8250e80b0c0d44c1cbbfc8ea73fac70cb988295b76428dfc9edb2c0b3db5186db4da41b6e526b52660373145cef0f977e6e9c751ee95af0a610fcb1a95edfc365bb285bd68738a2ab22c9c0fb75a5e65c6cfc9931285b35bae5adc7d881041742ebbfbc540a50848eb454f42afe27e87c5c56438f5d46200905fee3c3c04a6f8ec4d4aede1e97ee48ab7a340e5e99b643ce2e30d1c400893664a5bae786d658324625846aae9df7d8826fbe2c56d8fc5f01e099e5d3fc371303f30a24014991069d7d7799840cc4311f8853b627b035a6e6ff1530eac65e4064ba53631b16e03c81e6643b776647b4ac341ff7266e8fd6eef7119e116ba25be5b1efe88d0a76442788b7feb647459335b3f1e229cc7ce62c5cca833a8892d25964e13e67b02dfd377d15601c946b04b2db184efce76ac99eb391b269728dcd8356906ad4c0c7439af67701bfabb22664af7a05a0305a5be36765780f505cf35353e9bbf6631d43b66ca2f027e982e495ecdb761cca4b5b87f0e6174817bcb85f9b83e928250f53f1bd30991798306b753abbb32d7689bca88f30d5c51c7e2f5b22ffdf47b9ece1a048633c89a9eeba81697a44e5de6314756734d391c668d0cd39d210a1bcf7ac8b9ebd60b96e6d9535760039beb13147c5b72567de0b1151b822ac28ef3fe2eecb88ae4539a9edca3b2497221ccf70e3d301507a37c075d7f479aa795822e50baac5b38aabc100bb1a606830c22c3d1250682537b71acd4fc46cb640fae47f2a8ac53fae7c758fd8968a3e9f5272d290ed64e2fe7f3963e4cbd7607ab247625ea7fd9c2c02acb5a48fbb069e7cd9498eb9a4806eaac24f122d4f32e8b22f188f5a7418364c4b6d08efe20b2958673ea5c65c14172907b360a76690b6d7939598ff936f4872aa8dc02b63e872f8bfa36de066dc29e4183e515826d41a82e0ec34d50455c80e67b7a0f91c1e65753e0659de39799b97cf64c46849420b490d115ec421bb4f3426452d35b154d0388a2943f2df1e0aa6d96773942949c0742e30061c748543ffbc43cccbfc30fac29573b11cfc6a7245b2e0526fe60c2e086501b719676bff083fa90847b295f1524481e6fc34bb8776d2e404be2494797a5322ca9fd801b9447b5becd81812edf1209b5629aff62a64cac5e492f9ed49a642af548741905a64c6ee1018dbde86e9421e4145b98bbd87b4f8ab567f9383a8e32d710761a336b5f06584c62f215cb53f1544dc250752bedf2db67dd11062e986647622ebcc30bb941c764bbfb58d9e325d344c8155d8bb00680116cbcecd33b0033e6467688bc5963e9300c23c844aed4cdfac4a7c55186b6b1b04d2c804d88271bcb68139a1751aa40aa143bf5ec59468a94fba390366e0de94b8c9aa7cf537ee2b0133683592e744ecae4fec7746fddae8855d5a5a507deb9eefbbcb78a4af7723f97038e42c247d61cbea2af1fc6b79772e4e4b0dc56100763219c347ae49f11d85a99574f5e468298abe5e533abbaaf881c53fdfc465dd041f7440f22de41f66eec7f53fc45284f1192a1c0a1927268255d7cbc82ada9ee289c35536b9ce4db916f934277e9870030bcea055afe6057dd93ca95a51834029e18c601c412469901a1bc373c84eb7c430ac7072e5bc1751db05da3b6a1f78d85dac2a67d4f080f521e8bd687570a4f7cc2d6a4ba68d4ebcd2f4c6135e14b86bd233bafeb3536c9743c470b8a075745afd000c207c07384818da9862a9388b5b6131fa86f26b2d583cbef2bbbde4b10a08a13c933c98a5de81ed6d4c4dd1489d13825a6f682322bfeceb1568c2082ed4bafe2130b6aaf9556d630bc0a380f8e5ab0de573ff1dba4da8e99d7f240a9e462796ea0bc1d79df3ec93b44c5e6d580c42d48ed2717ac1b77d17093f8c182298f0406f1387a1952c53494a3af2b4a4f4e71558146f1ade4ff9b1c6c3f7d3d2d6a52fb4b78b3bb549edc280bb0a62ad2e2790482ab8d2b0a555dae5fdd5ad601842047a513cdc8a83401036284e9e335ace2df626b585009e936b603ef2583f91b43c3313b9e341c6bead96451d6e2c0b675fa1032ec40e562e863b7c13b3998e8af390702dc8a838cc5b172f97de3be22c0d72e5b6d07d5b23d50b43f6b5bec70b26cf98c94f9f69e98287bdbc25f5d7c5c76e70533fd70a35fa7932e28c64496f4006954ca4f2cefa69402dc42d2323b78302f9c32867bfe6971480eb578baa396a6cbb0857b709f7e1fcf46002af470fd213df33aff29f3754d957339349f64c2f4bc5d05c534704c76159ad67a70254cbc913b30ec58eac9c2d666f701660df0207448fe8920c8e34bf8c35084a14f0686762f17c593af38347769f728c27ec85e372d653db326a85baaa53a2b17f9c82f698354c33695b35400a8ad39f4c84ea281f4dec1756666f338b19914ac9551962ece1f79c58bff2d514dd9d6127da07b550f93441e782d7d08d0f53ed7b1aeb1fd1a49768b2548fcedf7e5fa27c8e9c705891ce2248610e1075637f9e0c73359e94994a44b15296eafd3e511db1f53003050d91fcb9fefc1dc7479ae8467d2a4ec9f8b93c36936b11e0a348781033b3b38f00fb60709a8f09bdc966a2fcec23f15f1625bfe3b8fa9daad9110ca7e84c654077e97e848ca49117287c306d88a69ea3e9030c40222a302361dc3c620075fc7fbebc6422f1b86cd0e76865b17ec475f6524a363ae61bb3e396c34e71abda64393a8f7035dea7cf95e3e77edefc6b5864fda81b485973c536b2764bb1c00b968e39da7896a2957032bf2fc87651dd0e973a2c2c01183d233b6efc77efe909c0ee2897318a2b30addf777acb98c812327e33a9d997c278c5b63a6f7c2f7f854c5cbe2f2aa8c29ab81d7db1aa609a84c325ed926cc5b3c14d12cd93014238a6594887db01036ee8dc085b5a5c8511964331d90be82b302a78218ad129634a0d9a7c8290f20881aa9ab9cedf2aa41da6996a6f7e56945595d2f073783dbe23abbcbaaea59f997630a849c0dee8d27f56ccc8804ee3a48ef5d783939cb59fad8f3beb48dbd206b96248045084fff3f5137fcf98267c5aca0649482873029f2beb7f7e5e09543e2cd31013e6461a5e43cfb9a7d93d2eb78aa80ef3392dedbafe383128c150ef201fbadd629e6988907d891f599cff591532dffbefa2d590a77869118e8fcc28ba45d7c96843a9016858507cb26a71d2250d62b73d420392a81ebb9518c20edc442d7d231958ebef08a2761d8198f18875ee02a532e10cfe2f4ac2940101f4f8d324f75c56b4085c666bab933b402423c0f633fdb995cc72269cc6f73c761af37af310b77775685c345e59ef3f03fb434688507a1909614bb9408e0f3b3881c6b792761b36600184a0f3b24055f4f366e230613dd6aaee90ee02826bda6a8cf8e2a09cbd1f2e7bd332b9ec49249485126571db52eb4cd89533a7a89270cb089706d9c3c402bedb6ffec31d4a95a41dfd0d28ba8de934f2ee02aaa900218157c1ab5c2bcf377f698b66519cdc1a2bcd91114a5fee3f4edadb991679f8ce1601125acd9fa0e34818971f7bfe6f73d8b6070ec5f9bb502b921abd42bc89b741dab7b0dcdd089b24b0d29f13772082b0ed5735b7e2a3e59fa49daf044904475c01883b0b5e456462a9735ffc4959ce2d2e0601005832bb433bf845702c89bbd281ae5f019413752461654a48cf352ad64fb2b5e3c8c6e1e6e197dbb9aaa69d5e2ea415d1406df7cab3c1e63e03b3ecdd95578a88ef88d8d97153cd475d0ac82105f6c5cb1c698920f763a28455c434e642a8291d28be47e047ef1d404458dbc5868da4000c8521ba677cb2ea4112f1ff11acfcacacc4478aec9983aa8fc7f93b33b7734dd1045ec82dc56d5967619070750c40a123bf62c4250938f59d7824e5fdd45a8382544ec43ecec0bc963990e4825bec5116e7d9565aa7b30aeb7cbd7d2ce423e1d60d919635e05e7d0c6462e470924268ebd031c9027bd0d744afe1e3a00d76e08555425f28351b281392a146b526cb0b073df83a0350fbb91dd7e99a55d84bd8d9b0766454a440a5eceee43da4b6bbc1b8d16578c70973f5edd80739b283d02316d22fddc5fa4a41d72c4f8ee694822886735ef4c8e31ca8d214c5e1d6788c71d5364ce135d7cf68da884aec54c6ed09c8c60f55a32e00797b823a5fd9cdab39c49033a03c7c4d772f836cc718cd06048a259e830610bd40e98c4b83b5d94f62b7d324590f8d9d45ead5bceca225e7d47bb7af3d590bd7efb531cc1d7967acdd6e32dddea757b3254ec21caa08534625e67d9117697276795f0704a98b9925a0251996b4c6496ac0457120cb7a2a1cde6fcf428484388b078d2de5caa62bee6e28134fab5478dd7db35ecbaf84c157c6dec4941d2ab15b8520e1b8a2690ff45aabfa8600c112ccfa2881a09f9164ae359439ec088f11e70d2f9420cee5658388ca53f6265b561cfb167098e480e84bc2c6fc71c47b650e83561e88511711afd06deae6086818ef5602a031f3e7d788e4a4908978e97b47ebf2965adc9aa3c8811d3dfa60bafd76cfbea6687a028fb16400a68725380835e81dbce18b7b2eae567271e05254ec5ec0f4c659d0eb40522efb90bca5bcccd4ea40b2f6b2e367f1044e04e8a6a0fb802da3fa181ec59274d59ba62315cdc498078e1a879337ac6352bb0837f8842c5cb78c50f626468845c2746c94735e49e3ea984ebc5472ed77edd2be976059e191f2792dae6ac6f6cd021d8ad774a48d7e6ae5d844c983df44ea1b1d98d2ebfb7de1ceb1d64afe45510b328540d0a8841db866d60ecd83b546844335d021f8ed9ee3619288a15127ce7f690c1d08923c2d619af85438f207d8d118094b9a09869d1225f7553d77d22cb70e6624e95963d1fd2dec4a97cc23b052952b04ee1d2a2134cad6c40f834675815282a6b17a3ef354a7b5d01b0de2a2c84620844d1f825a0d146d4bc82ffd4734c9c166a935618530d5bab8205977b237653881e27d7c35af729baf4b89d071b9da5d5a9bc4a174fbbfde49e1ec60dc3965df566f920b3bb79aeae1a0604da0ed78599b3e19416d3633d7d4bbff85fafda5a8b5a400eb8fdeb0552b5e8a6ac1f3a581fbe06c31d14734453b17c273c42b44fb697ecc67a2bd3cf2825d2cc9f53b57bc3502455274cce8c35b61d413f58624d93a172a1354632987a178f79093b65385ba546a83f52c11575d3ecd3f95f682a8b761817fa9d0b066a7d8fa59ceb795bc26765b550bce03de99ce3d7c3cd8a18476f60c265dfa7ece8bdbfc7a69548c8123840ff42750c8fba5a96516df4fd548a90207972a09c530aa610359a569b4b7f4ffb21e05b02b9cbe52e9dfcdb51fbfc9dec214c797e117ae9007d25c66d7eeb16b6dc5582845cd6849ff42519ee7c4ce05893b7123a218584c619dd4eceffcf49e67d7e359747c765ccf1e94135f68abf02a7812520c9db8cffc51b4e69e524e6270d5d5d091a7181ec67b7f10088e28acebec5f85414c6400ba37496fc168113733646f30d7c495b9f9801ca0339fb4b92ea21a011deee9a1ea29e669e2b94c88511dfdeca1e5ec24666f8e7664fae61445fc766e49bfb224259a41b3815a1d5bfeffea8fa905203ba84f33e9d53e8f1261c936da7fda2998039e777f5df2652f7a19dec4d08d9c0f91330ebc8a5ca32c719ee798e3519cf6d13386384be2514b3e34f8b5022979ac68ec2acd730041fe765f303ba780da36351696dc2b44992342a411e5742baf7ac3c824f191dcdcce858efa130f09ccfb8064d3b4119e7638447c8018e97233663f04561b1d643a1410c1e4f7b6c044965a16436de4c611e151bfa8f81cc4ce0237be991a2f1034cbdea685486c30f291ef3825496d5319ed5e60e81f638b3e40619670bf3f27c7a3327f2c0a1bb964f5f7aa6d94f9deddde0a8be85dd8f2aae927d5179c02a86d4d73d0ecae31dd44769f386323f860db52462743aab384d78497f9b586aefad8e9b3a1ad17823b525cf5ad7a9ba60a30d464e6862faddb3bfdbbf9149c4898098f32ce8d085c820683a034e9623234b11da066cb08e040805a36673a08e10353d2bad805b92bb9f263f63793b079a976ad43821d340a414f17a261ef4860923a954990ae90b3fff7abf53d1ca172c560dcc2bcdfc30ea4b332026fa4a90cca908dcf6e86555983e346bfd47e1ac30253ec321672009465133e7617db631dbe94e3f619478a0fcb54c5d484257108e07b928136cecb15c47ae1e440c71d0e2b689328cf848a27cbd7afee367360ac33b63f8b25c89076821634148bcdccfda5cef8461cedf4eb81b2a74aeccbb5ee510ade1349b17e5549ec0ae20e486bb2110dc74ea5ac84f7178581cbe15986feb0220c4e22d274dc27e55bed125dbe2b5ab35f868ee7a41e877d2627a263075585106a9d20ab2eee48b66cf32eab5e5d2858f70a16d504c8a264a5e4782abb630e5f42c2a567bebe4be5aab32a2168ef08bbe8667a5c8d1e23e942a629d14d4ac5b1a4bf28658f1e4fff98ef03e9970e25e1e27bba55b324ab9b946598a7f09b5e05ceb2c823987ec3305c22ea91e11b14f0da3b724229916eab58450cf406b7a6d1e788180ebba5bf36288df975c75de5af01218b59cdd4e2c00b56b7f4e8ab7463ad1fb8e86e0c6b2206b4445180d4e647c701602d7f50cb28705a67e9a2830f8720a7ff04fab9a983ea65e3f6fac6231ce97498921dbf57ebdb431747b5cedc0e6c2826c500102557f7183c9088aec663647b6a2cee3e311ddcf64aa7579cf928cddb6edcb096b970a50b3f3e75afb2d2944b89deed0c22bf45a55652a3cf387aaf1e5dc1888990270c9faa0ec9b63bf812e46fbcf9ea10a8eb482db5c7632fed20cefca9fa684a21954bcac619d54454f4733c20b20114c39fcdd8662bdbbf33824936b33603a4f5c20b9f9198f3ef20c096b8714f5271372693c6ab0b8a91b2345c58b65c6ad0764dba34455498e24c2b7836a8b2bbad5b3b65aaaaf88cbeb271cdf15e68629814c27afb60f1a33bf2231b960e31f1ffa1e1db225f148338c289ed7370b1e473f99e8825caf75127e38d39ef7914c61e7f587e9b550fdb41c5ae104363a7e23a39c02c1a2455d1276f272bbcb0eccbe7d5463d9bad4ccc64f5ee8a440aa37044753268b417a4fd5be17eeac953c8424960cb81c6f51cc6ba90f5edfd083436f83da153edc214b4dd0fc954cae2b8901f11f2edf9210d89d8483635b6e49911df7c85fd95ebe122267f63afb690b881d5704937bec22baef5bee2152e6b1efac781c6ce7926c34424b64da91e4b7be8685aea4a265af4975331f3660e773f9b481bea50b52f8a14467a28beb8d5c48044232c778b71801a5a96fb43edb5b702bb463a3f4f31a91e6e913e2c13b483040e2c8a5b12fbfc5fb8faa4fb3f2e8d05225bc4cc7d137a3974030dfc3f9d02208fcc4eab8c3c82ae230f7b9548ab2ed40c370d51f452a2e58a52e7397a11389aa245808820f2dfca44d48ed0141acd57fdfe898a8f1c7223043bf75ea7c36b7e98c4cf9a52669ab4747c896dffc41d71c633c6af88c1bb4fd394059e700ab78c12c370b8ab9380e0c33937e019daf2edf8063a3f7e81dfc3ed4cb3a062a512da3fac62d0a4ed78da4af45ac27c673762028a7b88662471ee8189fa7bf40b6731aa1d272d211cf60bced3c4ab7a96d51c1f64fa8458f011309f66166322f8515034235418168c92b9f167492558b33e0eb1e97ee73da546d46f4f1a37649fc6dbc65b0402a56b0d5851f0ea74ef59b827f9d03829fcbbffdb7079916d6c7e70fe4c58ef8b6788ae0bebb86f56a28c07e296dd8672e0d0c564fa5e87a23dfb56dc3f37aca7fcecdf51980c10d897d273d0bf74b08be922a60bcc77f014ee561cbcf9efd9abd993afbaf59e197acf69a7ef78374cf56559b7b29801b678d7148a2be12eb251f488ad0d0581b448f227fce1c5e2ff8aecf174b85fea64e4a0f696eac33e43d5dccb4e44c9dbc707bb1615674f621526e849ead4cbc9df142644a970c2ce0c428d82eb2c7f7767f77438325f7f5b6114ef35d1d30b88289f8e3336e42e0242e3b55679f978c5abdd47bc0a20ccca20f9f3f7aec9295506ffc60145138f0b212db959444c8351643892739a8e5d9d198d3978bf320e9faa08b05b321072e42a6e84f143431d73efafd49c09c91a36b9a4baf19ce4861467283c671c5c05c34511e460fb200be5926557f4fe02127976ebe9960b4df2d628348d1ad6820d39dfd387d5725f0671632f437b5b4f08ceac46bf53cd23ce038a5917d18a37bbb6d2d921e7f7eac21396ff1405e88662ee70a6a4976e275fecbb2e6a3ab29f37566b108dbccbb99cdeca790f7e4e94e94cb8c2e25eee5270c12a7ecb2684be2c0f0c779d72fe6f515527dee833b67fb4997d850438d2cec07505e8022bc45522e0140ca86016950c4378326a81113efa6831c165951a57363c761e825a8639dd2f9ad5d77cd1f9bd84278366fd73579dfa8397423b37c5c68dcd6843f9b5349b84ba4a9a3f747e05d33b149f856751857d68735e9621d2b923d7029835ec4dec7e4ed0215dab9e4bdf49bfeb7a75ce4584ba82b73b456a6f161d07051ec0c45d268c1c56f6fe5d4eed4b178e4532c0623563cc8f77b0f2d8a7eecfadc469a7a7f84a13df5d6fb8dc3d6a3ce52fb421153229b3a9e75cf23949c5d4fa7ad217ce0f967d9383f9062370c542f0de1b6213e7e2443333c898218ce3a8cf1c2b4874b2f892669209e3e08a3bf9d86305fce578f461c14535966107ce0ee3725f979e66eb621da145d84084ce080fff1d8a38127af10e2d28768f71282939016be46d3e3e1e9cb3d9e432fd343124a7c1c5abf256732fc241adb39ca84dc8106e3615aa3d011a2d57a74d3e7541908649249ffc9999806c0280062e62c947d6699553d8512dd9c88faaa855012ebea256a9081d6842d7d016d4e342df0fc1208df4c966a263dc0b77c8cbd34ebf8a9fad2e6176a3c5950628fcfcf8e5fb72c055b5a48ca3e8cdd2cace66c847b36bb78d83de519d05156c41e5dd435596a3f17bc9e45a441e24a51758d7dbbf1dc9f87cf49134fb7003aec1fbdc5ba5526dc76018abe3cb6a29a582cf0984ac27142a5b34072109a7e633b5d7e77ae353cb52aab1b3b8421659c93ff7b9f806e204cbf8c2861f1d9ff97bd895c4fba32842c29e54e0933308bdc9d6b54549ea27978796452125f1206d7b064aa55d7bff57b955edc4a869e3f61e2192f2eb6b80717e9022df833f4149fcec282c5316876d64db6c14a409320997011ed38e60dd4a6905540d85a9c6b2f42fb5d72e63938934ec33d892e34fbfa9d9d4590ac645fd34882bff5cfde49f13d14e56993b82a94fd438a31bc13df519843ec0380d8580ea11eb331d0ff28effb573f24dcadff957f569f21d21ce52c0fa8dc51703411129cfb14e9eecfb496a0f866ef4e2b43c8accda1b1d514266f1fc10d927733397a097c25e0fb04ae1daa86b76f85449fb8dc1f33c5134d90545fc920541a7c8738f73bff3dd7bfc0da6bb79417fcd015ce6e3b6c22c8ca113f2820c169a4ea4065e34a23cc2e7763c8652083238e2b943c2c00b0819b857c2775ee6d4e15744626db64b66c91a2b392bb482aac0ea4ef2d1162e89baf54ce29fc52cacfa6b26768aef138e9f95076f221d808ffba799deb65d72824b94367a8cd852b31b5f983b4b0a88263f16030201479d70f1589e566b7a9dc62c6e1811f6cb1e8cdbdadc18f27464253cb541aa07a99a6d32f1555bfa8f75b3843ad9cb0e9a6dc9036c89824ff10d875a6009ae7995edd0a416c471af1e9927e102c906c132db59ada47d43d9b92e50bee2e6589ffef909bf22e5f3fd664c5ef1f87e1daca90f23bebbbff179019054d9565a35573bc9d56ae85bb9ff49681a37fba09114ff9355009d96f9d9db84fbbd9c904fe5ee6e67bbecac7b7666d086083d012bcf456b8cee6006d3af06c72c01c1ae9b884f4661b83522a70d1f6a03a8df63e469237e8ab1b2ef1afb93ac4da75aeec8cb359a285012ade904dfdfa6b19852c135d752ca7a233f11650b7e98837c01b180d77db02f0ab7518138cf3080130c2123944a78dc71da1ce68e4a20f56db8050e1ef77193534840e45e89083e7ebee8bb267d18ce003bce614e8d0b5d5aedcdfac4718c3c96e5ce6e83d9a06a9a1fa3784dfef8a6ea13f8f9cb0de615d591dcd80f996495305dbd18025c3a21fcd80feccebf211734a3c015d899695ee4777dd3209b4cfe9ea507f6d303bd8697b91b3fd500e0d8abf97579b097f6f733350aa0ab6e8837b4ca21b6b3e6924d0003924bf6b785daef844d1348c4e036432eebc42acc53e1285b94a5a2332860dad6f4881a54881970a8a21acd13477fa4ed1aafd274ee57b30fc60eb265c8da486ed14ad74c24670428fc2db71c929e27c4d9234e199bbd3366f1d170038850eb3e891077bc6f17636d1507cc9f884abb5c37e5b64f1b532b74bb331517f526325047da3abbe1dcc9d9d33ff7ed18ad35ddd0f63ba668b057eee21bd3d0c8af93d57a965d778cebd4c220c8e6aa08b66dac10fb05bee04135407f6397813a543df798a7f69c653f714940217c3788ef63a6efa9773bf2127c909e4f9b9c2d9428bf861830f99ea98810f508f45a5e1d803622b12da5a4f79d1da89402d888f9b03a064d7bf51c3ca508a3dad504a57533589381350076b8c0e371a36f97b6e8b460db84c35e7b0f9129c4a635f70c7ebb102e3051ffbf70653a97fb82e74b332045f21a3327757beebcd99183ae13656a9854cfa94ef811137f9f62fe3d14df9f43842e8edaf7fbc41715f8a8ac155a0f76b6c856d964943a0a7a3471d04867beafb56b5430f0ce3246604edf62bf40150b2b8d64631c047ab2eea30fae9ea0f00713b85906209bff7953fd9a7c6434b1455652140da6979326536998173a2bc29edfb5457e9b622b4236fdadc886981c32f5a79f783fc877b23daeaa847607ae4c6206168ffa025e3af1ecdc96f97881e6aa5a99cd26359f467f78d294c4f82d33ae60a0164c9f1b961763a1f8fe6e9b9d1215d6e09a5c8a6210b6271f26925d333562405617bb5c81095a3cc8e69b603233fc10105d09b4a910a7a9f38da427d65ff33132d86b79eaa4589389ee8e782af6ad78bb6f3a4600738d8825fb2368fcd45b773f19e7956092d827ee7367fe7b07beeae2bc104758bcb83bc11ce020f40ed12ceee2e54cec254747c94fed44d94f97e04288b3ce084512b4983d07bef645f2c998da102d76d095cfa23cc675d92a51c1e4c35402f14ac3f122dd5f733a55ce0e73151a04b83e2ff92061e5780a7485f450c1c6e6d6855c15a2eec8f8641d30637144f9924ae2358bc321abd57f42adbc8f4051e14056d5cda5468d4e0c8cf7c216a8faf7b01f5612eb4b32a44e3eb42f906771df8af9aef4dc5d2c56244518a24c101b95da839cfdbffe9a494cdcbcae3278844bfad094e65a6d0f5ae64a64e5bec9d52aa9a2150208011dea5a877da8d63a6579127eb7211c73aec87e7862a284f81432f9db58922d9b3e7c0c8e195bfde7eacb1703f27feec737c8c9ffdb1d65f24d4a1bfef2bf484fd8004f2450c0dc5f581fe4e7b82e830c603346e372cf55be6760a7a9d8c0d80d979003b5ff31c1a9ed9fcce9dec2d471dc1a09f7b92cb9d0876b18f9f370067cdcc62a02bca773175f247eecbff0418820853d75c8c6e51f040d472554bec4e2f3c413e171937f75cfac70fdf1d42a7411b2e9379ba3ed1b3fcb353de14231e9f7d2a45e910578be4c214b29a77d4d171dc174037422baf292c4068897677b74696f5bdbd480d20497ddd3793e1163b79cd6ab42e34ca844c6cf4de7bd3bdfd2fef5f530d4321be4592b9a1284a9c7003e5198bb2793e575460b908610b01f7b1f3bda844f533ce1827653b00267c8cff861b17ece7f73a9447bd46140cb567a276a0cb61feb7a6fa6e66ab3a8e64cec77ae604265939937d932c43d7b320d01749b29e46c3e3e900477e43521febbfb6694746f2d2e5ba94f4e22a511bd464c604721c8e2abd8da27e027d125b49cf69dd0d4fb2f9b9a58644b59c62479302edcf9d4d5560b4f98ed0c5269d9fcfbcca1ea0a06bb1a6d9fa3368d06cd9410e0e9faed3af97077411e3116093f041f815d2238626d142a82b3045f7b12c7ef329f1835f9f7d4f471e97959629e4a46446ccd7c8c3f45d5cba6e2b00904f1331f9d1c29490f628cfa26072613b552726d20fb72ed02fadb06ec193af0356ff509a48c804ceac80b6744d0f53f7afd0d4bd13370f3269b6358775cf9e0adb2666319354e6e1d00e7f7e54f4c6957ab2865d51da471abdeb55f9a50987fc5a0e75ac6c225edeb4bce0eb0ebb18b6e97b5abc9f3138c86f12642c30e434cd75f99ea6773229dbb2b06367466522514f0747e053a46fce6489e261433ef1a806df46506ecf535cc0bfae278492301e4b775a05223ed47a4bbc9b70994b62b2aa1fa836cb59ff9487cc44b2f60205bd9a205ecfaf3e29667b340feac372b19893580ec578724e519d03b79a731e10f6b54501fc7cc8e0eb0ecf3f88f209eae11632d4a0880befe1fbecb957817e0b1ed2f7554c27653b4fcec8dccc56b351755f73c7a3fc55a13f28ba927283732e27d828702cb1880047f95ba9e3b5b599ca6f67166ab2d1f558408900b265ad627f2117a0339c48831aab555bec7332709a5278e175bca4e88a3b7c30e7b24631d199ca115ac5f8d5d71d0b1140a4161c23b7e12c4e7a47762efc3d2b8b916be45b4a02f825c28e1f10d2ec44aa248c7a2e06b7aabd811f066e850b8451c7ef787f0cd5a7c03673f5ac95533c4253c86ae33f1c8fa4b7c084985d34bde2efdc9d819e6ad6127e114cd2794260399421532191fee76341cccc542308d78eed40840ce163c1ebd2c725480a4389fb500f81578ab833d099ca1e41a0075e104d19a78ab0d3fdf2412976a087d4e6ecc052eae45fe106f4fafb15d25642dabfdeb64642b7578999c6837c7381d0e5c2b87a255ba6cb5162b011277d96417940784bdf7d6ed3ade3417a94eab59d446ede653eb293521072f630d87a437bf7bc5ed46ec5c1784af12deb751837eceaf17b624988d1e9645923cac68158d47f5e4ff80eccf38b9e40868a7adfe431c5a15b2f76c081b0338c7aa870ef1f526b989feb21f5e08d14fb98c839c459da04295a4febd38e828213e39451a969753f4bfd6b7e545e9ad92ed5f089f4abc160eec723aa137b3d104d45a7edfe82dda9a79fb772a329d9df3a08b19a30dd066a1accdee98bec27b430bb2523e507b96a0e8e802ecdcfe5be550f6d4469fe3c78f75bb0cb52a9590ac84c41bdfd6ccc86ddefc5108405bdb1b53324619007662d9d318f4eda9ac61d010c14d41976396b58e1c870daa1a7c7cd2b90fd354dd5c96c4a632df6b0437336ee305c90d66ef5c5ece98311a9e89f38d73180a6421f484d70af4acd39881b4647ce2a9dd2ca5f6e64a98922b0411516e12311bfdd02b73514e9c27d330af650117be3ba69e5e32a4fbdaf97d822e4d0d5fdc31b447b3edecb0f85746dc203d1a08152754089c2b7708b20859da0dd480bb96c6fb57ab5e4611a8f36358be854764b1e8631d64df259ac7ef4167463d3dc64b7c0eac787ce3319e5795ad39760590f20203b6257320a445ef56093e8eba3b1d2b93944fcbed6f9646dea5e8976169406a19dbc1f67d4f9326abc806c88da9913373fcd061bfe42e6a282ec21f381ff788599dff51adeb69c2f3e5cb2efc9315cdf5dff35bb686320fa93d478619749d29e3dabe61785f2eddec9ad36b45f64d1e464bd5bb518d6cee2f2afdd9a34ec04d7e91cdf2604b7f10225c322e2c9c342ab6eb88d17e88a0430ed01a4c62709a1a70157433081f4673150e1ed37cba6659958ad54c2908d7043e9e895da00ae7706973c379cb33ad547ecb7b330bc16998a612b7b3d19b914f16e02fa0012d23bc54334d905dc6fe682c2d4cb6fdff12a03b7f777a822cf6c00a44900dd7c4c53d712566027b9550ec6066fcf2f2893d379fa408bb182f617ec78e3a7cb7ff55b3b2e798ff92a544dc307c48d5f679f88b162feaae78b7e0dada8cdcdb12fc7989614e974a5d271e50f7b61272aa41b30568b04fac1f9c7418857f38c6d15ed166498c80ec33c9630efdf522a87cfdbb3d0dab6a241c751449638d47682f51d623eb0eb9b4a7a285bd3a0a36510be957d0b3e16ba11b653928bc842c42ef79eddb8e5d9116edf5864a5d7b5cfd057243eef7dcac48d93aeea1774c417dc6827363c084d7340ab139e1a2b89216d0b8154ba26df8aa74cfe080fcf08fdfaffe6b36c54c199e0e7a3dbc4338418dc24249218c7fb6aedef9fec1a8cb825ddeac2ac94e99b21c666d16745238819d6da3f67985251342c373fc97b8809406fb17a081403bdf7fb3da27bb58c552bb284ec6410b5e45df014b98b834ef01803aa8625ba87b0f00393097323210ba0a915e787825d9cb8a8bfb8ea40e312c18139c43b6cb8e237040657bda21c3fde2f1fe7a650a89586e4bca0041b4e69c8401cd57d508cfa1d763bfabc0017a55c501c0954a20bb607998d61caddc0c296e610371b16ea333098c75283d0e77a328e60537d3ab81a9579d10053f87a4f16671a29c27c9a64e14a80808db4c5aa7877413a0b9bfa63028b1779f691ca0923555a0f593ed606058f5e3d002dd2f2ebc7be41922224e1d8826aecd3c9c6d84a40e5c6cc93700a2bebe156d03dfb7af0f183505b04413d5db154d614512db9631a845246ffd58aeee7660c86b6333c3afc864a046a407ffb10b55194e9b787553e85c0b1a8458fea3a60fb3c4d571a5ff8f5d58addb1ff5812d30009176d22e81cf669bf9ad9bec471fdcd7ef1afb242e9140d3e36ac4494b9fa1e443586c30a5e247a23d5c9388eb13909630cdfdbc830dfa586e04e36e1a9f548a864cee4568b18b49f688b805cd90a7371463ee7ec3b02408da61be4f52a6009dbdac474e7487b76b81602c6ddd10f02ef334aa4d7e543cdfa9d323da5a99cc417c5883c2d6e94a378bc8795ae7db4734d97342f19e1ebd81b97549117bce2f0c9c8709620e2659bfa78fc3550b8dacf92aa7f95a9a16424b54a5d3598bf9acc6d440113575818ba8d6351b47d09c5f2f140da4f266e9cd90c6dde5f313ae56e1b56bf303739e33ab6592bda5fe3b49116c86ed0637a6217d979a3af7dd9d94d15c9057df74abaa1697379d3c6bee43b452da087f9c35c5e0211eb0deafbb1c74907faef22f3641c2241f4a33fd15b76d3d18ab1768f4a898bd8ba2628a36bc48db1fcf8df73b7055f0e903f3a75b2686bca706f8e6c73a037fc0543291b91f5b45558006826003ead468952e9fb811dacf719a2a3073022c761ab89ab9a71131d3e9c13e4f3bbc01e869850b3e1a458c52e6ae48d4977e84584738e2e3cdf7f500d59cb16291906ee06cb852adf0e65c1b142a3258136e2d5b39291ae22b82ec70cfa96fdc3cb27a04fae3f7f1840278033ef7a8a9893245687c7533f9583bc84bc49fda4817ef517e373e4ee9078e59ced48aaf7f57b765cdb3b035ccacf875bdca1b81048402eaa4983cf9a5f30a98a1143f56e7a9b16a5abb0d7851a95f98c73e603a27d15a35dd79cd9f55008377d7c4335eca83e698662c0efb4f523f0608b58e0effb50fc31d068a461899ea711e4cb5cf0d44941e3110de8510e76bc80d8ec588b84d6323a10bac9b526e810e664079bea7d333e75598a1d0be419c55232bb2400c88153f890993a3be5a3d51ffd196544c49841a16cbd79f9a9294cbd9313c170a5fd1651d104cf6839b050c58ff546071969a7ad0aebc0af8ae8ea4085252aeba1f8eef8d87a6f62be24a86112b1d17c4191c5c5d28c54e91bdd57ed096f1de81e3b0be0dd1d76d1f308d053b9ec63df8f59998d6b748aa0d18142ae0d84698c5c9076ee58108bbc37996132da724a5a756df578087e1c8e342b9eee8c249b4e87352879f65f2ee14a0d863966c20c723e5621103b37ce14dbbf238e3dad7b6ed0e2f5c2b13c20d2688639b9ce5bbb5a52132975d580e57e3ad7b4701762c3a6aa75b2b45ce5d4a6364abbe9205fe61ce8e2d844261da5c566ee3217e1542a8f4e99558069fdcaef675aed96dde432b44b520d2cb2b6c2dda6a930871cf5f9d8fbcaf84f31abf8efac1194172d02a12de345341356152deafa2e64a51e8f5e6c075817ed375cd4bc30a795e25a28c9311cc3bf4fa4612509d4d242e6fe2696c43702af4c5d2240358d73a28657edfc676007818f546c4cb2b07259ddad85028cf89648a059f09f69af3643f4f0b0aaeac33f662980e9bead7565616e2c706f0e259d0d442647fe34ce5cacd1de06af33e1ac8bb0414a9fc4640691428364678ef0346d05831f255e8cc15c11d6e8a570ea463fd0fdb599eaa2f0e1155a876c049a80bd72f9a41b44aee461c5b40cd03e41c01b5d65346aef3c2fd62fd0240163318b3fafe0ff12f6cd9e6baf5a1640d2cdb720b84059b2c01258ba78efbdd42d044784de9457184b7c4ebb155378e5ce213cad095d1afd076568916d03868e2604168045ce20ca54d30a15c8adb979db9f46cd70785567b8d5f6fac89d7f2892b36fbb4fe8de9c0bada9f24000636a5a5d79a31b09d71ce95eda30369a195ea2657758529423d485630038e8d2f38c1cf69f44528b19a029529977c9191b9c4be2b1383ea3f04c7dd21dc7741ffeedb19fea62e0d17a3019122649b541fcefcd6fec8d69cdb71b93cd345a4b2ee643f7e78ac2d97a0dc0f7e0ce6f699640750101603597e18872d0840323bc88a5e1e1718ff9c5f11532506f4cd3eeea4f5a58736a3a12bd9315b5fcc2693df2dd9640b9539b7ae7ae13edb6f12ca95cd58410b5c379d2f5612c1a474b1189d4aa1826402ebd595e79d5522230bfd278161f9043d4f10aee32c133522152b2cdeaa27708dc5aa66273e531420621f61cd748c875f5c6376e4344cf13c38dd7acd03474e4c19b6e06aabc43b4de310e35f93c652555c9d4c702c7c8fbf3f15e393c4742e79a8aaf67c20eceb4c8a65678306094740d8d7bae5fd6d1d1e87cd1f1e34db80fa101dca0c9fa204f1504c59ab6c324b34e36c00311b0be8db4ada1a33d634fd5f07ce1d5196acb05261107d031733b8d302a1bca19776f2d24c2601a402a38416889b681a036e735e572502df8b3067f7ed4200df04a01ac1c1eb2f499833c04ff1a7b5d5c5779bb8e05eda1596b877427591e9a0d0da0af1203039101466f57f59377888e4bce0b29616c1040aeb2a7fea1b6fd7abe843784f673df495460515f32563e5921fd63285122d6ce4dd402488c3aa5756ab2d0aeb57c0c5daa167f96ae079120045727ce3b7c9580fe39bc689f30c51ef6389170f484871bc75da2d25f26efc50a2c308c60f5e4c8624b5867df59d03217e2d8c990530ff10c00da427e06d01618acc7cbb01a501a750028caf0e9bb3cd4a8ca415504290510209d566940981ffb0e99beeb47ba01e0c8c62e431105a99fcdcc3e0fe4fb5c4e69dbd182b5346a42ca09a5eddc7bb78c0ce979a62da6ce1d0805fc5a924e1aa952f0e15fa59a3e095c27f6d15faee367f2299168e73378ef24ad16d934d3e55053113601d32c5a04ee6f1e7c9943060348cf8c8d7400fa5fcfd22ee5e911f1221f42a0c392cb30ca2ed10a72e0c339a1c7ca8c71efe9540e1ec0cc6643ff6d0f07289ec373e9b96320a4fc571251916e60d9f968a368bd3b4ba338571027ada63f6779c2feaa9a70186950426c9aa6ab0b3293dd4d59b0f85c4e833f2edf873f6b27b20e41cdb56359e8f9bfad2b58b981f5a07aec4a15e52b6f55a35cea858f5ac1c438f69477808986fb4f8afe656b3575662b31435fe7f6028b1c24840243c76351ddabd313775395739487155bf0c377694d31150b3b14b28576dfc0c86f9baeea5646f7a0ef6c1d0ac2f448113e5ca027a262b74bfc9711d597749d11333ce2a5723d019d44f54bbf1da9664721dd833b51cbeca4ca3212317e97da6d3e44b059420f1536e194b5447e12e1c5f8a19e17c0d1831631774aefbc677a4676a6c6e408ce4c41cdcaadc6b9089c6bf4832e81bc5d80f75a1233a700e8149800c5556d70f032b38b467404a56850d6604e3d082fc078681fa89d5fc422b5ee06fd6a65ea1ca77aad5b859fa615fc2d5b41b4b4edb4b7376833089e75cc0bd56f3917a4a70b0c4e6c0cfaabd238dde8be4bc260f4fe158baf11f97a80d7a6c6c30d08d48d1af64d8c1882638001ece74d9b2f42aaaeddeaf5501d26c7a479215bcb05f56f1d472db703df639fc7fa35c997669fd41183cb48baad730eebfa5931dcb20a683a81b2599655fc1c52757ddafa6a26b677e7a06b11335aa41806b4b1fcaf05f186352f6fd3d7000efa4e667a28be5787e9dd323fe7910fd7cd2c8b17e983febd5b0f8d72596d1b4e6b4be1399f372fcc3b473b667be087fa8dededbe06ba3054e9b885e5c930af4043ee17e1d052e3e270eb91835e7459eeb65a72f6a2ee019bfbf04297f0b21040885c57b6d189dc54d470b5996e28ece3a6830c3483e07727d76d1a570c305fb0c75d7935493280470fc847990f4551bbfae5842725c4855f9f9885a418623ce71a7d52d1f5a1e522e6caefaadb9bc29160882b52754e3d8478644144de4addd4f2fd33a2516b7fe2ba322d59265983bf8a4c89908a5c9f9669880355cfb6fdfd0d50658fa743dd3bab9a69a95c217220a054b9453e4c48d18a8b5ff40184c8e2b973f7772865fc370692714321594de0cec2bd022912149d7e8acc9e5df154041fde6be7b810256074a60c24842e0590ec7d7f1d1b45aa6ccdd88c30b23bfd3160d40ecb41420cfb408d82b7f8fbaf461bb12d5c912a94f2f7a7cc2639a3f36cd07b521495b9aed21e1122bae1e06f77bacfd2fd7db691aba1153e7f4634e1f48011789063059dd5a8cec72d8ab33048c4605d3e8bb6a37079c3548e0e14eaba0bd045d2642df445d707b82e4177275e9c09844f3c5a8b01c961784b307a42d88e8de36d07293bf13bafcd754c7cc0a9dfc86c6cbaf5138bee089f3a53d12cbb9d720ad453eb509dabf437154f4a36d4a3d31473977cd0f832f927812cbfa2730d87a2547480f7f6ae7581af11274b6c5bdacfc27d1ed51a7f3449752385f815da048b5569c8e726214ad3864cd0003fff7910479ac27860e22700a27a804b57066957798741fc22536e449d640ddf163715860b7a473393316ffc568ef809a995822c551be8b17dcf29e6b4b7497ac0985b933b9793760ae1ab847c27fd2fdac29b087135ac83cdf2dc7cb960cd2e6fe16dd07e4a9359868e2db4915e3af47437dc412e916e99145b0b47b2026703a1147ec6e8c066c8ef351a9fa9e151b8afbbf4c055d919af5f727ffae6731c5ee85b9ac1674d7f51125f5607d9a5ac2c880659feb59f3a3c235336a2ae80a58c26a121993099d84aef36319850788c315151f6a509147d9eb7c321a3021dee5002fb39da17a2b2046f5aefb95ff9effc3e6a8e7c202efd008f4dac8d6fcea6458362639416b1085f51ae259fa23c4ace0e906408b88b77fe24fb4cd05cc4eda1ecabbfae95c5d01286aeb26245222cef988a2e8dae71777e3925a3b31eafdbd8d86c538455682f862f079bc844a60c4d9a9f04434b4cbdf4ebb0edcf08aa2c8d1b5841b824b7df1951a67f0d2ef55dfe8f44f03812c0578e9a1410e4ac8c0d8110256438d358256091bb28318156f6d4d31d66925ba26f38e70158d4808950c9727f8df13e0c6bc45075b0ff411a5510def9d32a246ceb55fae12784928dd6f5f1e86498896c42aab6e7a8c4b0c26b5f98f6e7f3fe5e8d1d22f7ee5fdac89febce5bd645e2649f7f68183b6dd47c5fc6de90dfa7e241dea4401e276506dbba98dc06d6fb36164288ef98ece7e041fb62e2f56c38e80202a50a46e63aefec721e72e1a5d7a0345b70311d22cdfc1b6660ae744e142316bcc6c1fb2f62746d6e994a7259f10bcc4692fd6d6e18d6a4a8f1b3ddf8a9ed1e5056a77ada221514a64c4d13af4cdd0ec51dd612b0904a89f6849485afbb4066b3026dbfea1d723bd47436a5cafbb359f3ebc00a116772a595b7169252ba53bb09a330baa2dde9cad0b66d2fb1a22aee18791a9286d4fc7eb82b8c0d87ff26eb8f38b72df26a5f0e49c4f24bca5174b8c671e32895b8e2cd824b2dcd2a9229f8065606c12f5ac718c60c7416bccfb465277d533c9697402c804fa6c21b2b1ffc14fff2e81322e0f0db4821785247f46192f1039726010bb308429e35048c9a715365dc253a9a6786cd2103038f9dd2c04df2dc3bdf37b27b1ec4706887aeeb1ed3133352c124ebea6b695ce84f65b7d61b2c21b1b58e5c6369ad03d9ef7a1f08cdd6dfaafbdee77de92b5317720f5af67da104cc197d5e5fe2b4ddb11c67d7550de91822e30d54372ae2305334458111793ab020222f3f9e2b6dfe6532796c2ad82d1063bd30164e7e6e236917a722834239abcb83e683f5186b557172fcefe7e2042a08628e7f290cd483cec6abb60604e0de363b205fbd0dd909e283dc12cc466085f40c4244f04e92719206fdea4e5997122ff2b0b1bdec992adba91771239d0e7eab11172191f5f2ce33b459388ac06474a2e7543d3600b942f5a277b4dfb68dd22a1bb88fe1a8f92b03cd8ef9dd1b094d84eaea5dd3e66517eaf78efb5fdd6feaca9ab9ff5266ed1f46ad6a138b9d3b2c6ec095a14bb04afa3c8f31a6957a5c4b4916bb6916fb45b3d9d426906191bc6ecb92dc1fe2dfcb20c04f5a115d9c87e8eb07096ad17e54968289bd9b33c53e073af0df28bb98d9567e67585c3ed73a35df82969cae3875e058563d45b3bcd69b7f7b94d4be40314b1b1205c672d9e9b385ee98fa2941657f05be4f0bb504b917db99ac1876ada05933890711690971a0c953ad5c3431447ed3de363606b7076b975b7fe7daa76525c34c59b9f4f28952b40cdb7a827459c9db7dd3068a9db8a104800d95dabd81005532db44c7c37892660d466386fbf3040c47172f7a5199b568e3fe86122dd5c65595f786ff3322cb7cdfb10223df5a7cd3b9abf322dc30ac8162dbe680a10db03a72cd66278a8f243f91a0857c93d2c34c83849239867df3714a216e72599a7bb8666f97e3c76ee1a865f962ec03e2cfb05d221a5f5078c3c722ba848895eebc1e3175db6f46f890c85edcca9425f5c1a5e31f2e776af9eceb6edefa065b3b4fd0d2764613899b81965d6311bde99348bd2b6dfb4314deb6cd034df8ddde1e169c6d95a4189e1ddcfae8ede44358ddf38d790a188aa4b991c2f8934c88a130a9b04c4b610e33c86a28c771ce6648cacf3d6a6eddfb2d9d55d59a8fd192edcaca3bd86dbae88ec8c003930036a1ae404fc701e9e249a7a2aece876c04715f04d688e859e476dbd78dc1aa27eed4a59e67cc538045df964551be2c906fefbd0a3525eb2bce91315bdcbd98846cdc7370406494aa58278cff320b94ced78635d6c766c3376448c659a80f2ada03176b849d49465f4cb3ed14f2cc93c3cc48521bccc63e5981f8cf3a425e81220ceb75b5356a88440079aa7267515eff287bdf1f3150d78ab4a8d3b54202a7d8f5f64c0f1523f663d8d8cff76713727d45f0880a5498173dcb97cbfccabdd66d1f763175a1a05909c86a56a658ccda11a97d1caf5c5be5d549f0c5da991459954185fd818800ee92fe1ee5cf47e5bd9b300e9794e6e24231e1b7e4e023436e94b912f76dcf888be422bfa2a5a459b0ac76e4420774d9ce1253ebbb476b027be4a135b5ded8b4bf1e5f9b7d466ee9419202953aca61b4260c743869e8fa5d9aa612e34886e6b3f9f2b56c49d2605ccb2e5e295d73c5733fd9721b9f1e663f52f755d27939e20f7df3b2b5e27bc18b0db0ec30ed32da3340cd5e80d5b990d27d96e6aca3cfef8671327c5e287bbba53968a2aef825efa837ef6b8b09cfb2f8f2e47cbb4da26cb5d569c43b26c7278d24164a4e91c8c77b928e479f46b1a0cc0dd56a49d257bab2ba329c1b0f8fc4ed775af6b465ee93d21534780f62e76fb6a9a4a6cf72de55407b144db3e9b1c508f3539c9dc04d525b7634a588ba6665a549ce5819a2e05112503e75f6969bae2690677197310e093d1e30fcc1dc7ea08c4795efcec23695eee4e79df7a44d0a6495c86c42655e8e2500202d9363e76f365a10f94a600907cc220407a2d5bebd94ed6b3900ae13c2be21b4da43350ad5f45c01d00c6aad3bc75d21231abe4eededac5669b4d74fc2cb6862698d8d703d6cb3fb8592ce54fe2db486adf4c52777bd62ec85a4b7d9f5dab140c3adba05395329a644161e398a84539017f88b3bda46c6c96ab19115082fed39b28b94ced75167272db5d32f110ddbdf4234b4397d3490da1ebd649f1df80b3c2a6b5552ed460f84466b6a9b591c1616ae2381c938cdb6d12085eea42f2cca2fbc21692bb46ce0e84ae9acd67148be4e0d75802179d8238fbee123f678694f1cd640f360588493afdda30cd2ae6246e79a5267344b7a9ef1120b7e1e927bc42dd762d13e6163fad74d6ac4ee5e7db7ff3f1262abcd2cd18a1f90df47ec4afd04bbec83f8012c28a67e316d7e9c4da243737de9d96486a0d3e61214df870ad9b00dde612a5168d24d8c1e92af0481e9c8fde6d3fb597fffb590bf5c3008253928be16ddbf85126475d0ce2a9d8ceecc66ac0c7f1b62048287cfa18ae4acca5ec5abb616f17b2c3e1b9ce4eb742486229fee9507565ae40254581ae8ad6251db3a5f18ee440bfaca7787c28c53258f2a879b53e711f826aeb2333e915944910c82a1b7f233c22ab2328d6e275a5a04968f6ae2e990b8d8832a37dbb1745204d705ee542621ee86ae8dd89139dda8339ceb37e6cfb74dd0df89644391a0a4c397bef6fd3ad7ebf41f44c084ead35e0d8f12e0c114974654b797750eb71649d5b25d87f978c85116fa2aa4c17131593c8872fa5287311f92939a3eb03f77bbba7e9f0550fb8965ac1b8fa1a848aacd6bf177a7b12b6c8ee7313e90f17d21d404a1175c61ce4231b48ff900f1c964fc2b2940cb93d49b54727d9d757ee1ec5cada2a7aae117550fbf0652943a4fc5ab09ec81df6a0503df2883a7d07333ad3f8de88c2d7c0645c30ee088e6276fe7db16d8882f253f66026ee7501b3e9b812ed7cfee345559216422ccf2c852771cde9721237a2df3cc7a88f31ce41f832f8a473d481affb1c0e22000b0e00a0ac2822de3193aa28da3557e60cd4a3d3057d6b46fc7578d39bcfe5d5525f5cedeebbcbbd945e178c672a4a2c640c9af291900293c4c334aecc803263d018021e4285f0724bfd2081bf1a174a5b90bc8b8ea9ba8585fb3eeb2e0b5b341713e4a83eeda01a118f26d854604049d2d9b20c6da259299c8da79f08dcf89be7fa954dfdc9e8c03e129be0d9c6f033fae8ae038b6aff930e52d4e8cd6c77d19fccfe3fd7d3afff1162493ba7bdbb092ec64a81ad7cf85baf9604194566cb1750fc66322382e2956e57300785fc4c3c471484357780c143f969f0ce4c57866e3b81e46dc2770fb3e7bfbb470bb26e7aa9c94523724e63d5dcdda911e6ef9b8a48f00cf93a8b5ade72cde22560ba5e57458cbc8b86d145d67423129e7989e1ff5e78fd79156e6013b0a1a3f9e31e3ac0f89648728237cc83d7bfdd3ab899d56d553aef00a831e96b8a72e1ddaa5a0865174dd3195362d370d1213f92909784f027e4a45a6611d3793904582a600b1953da6b4d0eb27b172bf98162c44703b24485eb286f424e7b5a47a8aee1037e28720348d616b28b150e98bdaa1875fb2692de470fb1191f3386c2b37b47fab695b1757ac0e5bb838b99ef666201d2027f6403494ac52e742c0fd62ab8bae223e9ef005014385f73cd040b2474143aa1454bcc56212a854a436550a2a74a73938f6045937ff3338d512a3e85d1209807a2c393ed6e418e32ed2be3d37df94fd967d607503347dd2369d3a14a8e4671a1a856d5b803baf9383ece69667718fe907866f10262a58c02eb5f0706073610353b09ed8dbdca307ba9decb7a8f0a026119173b972312095ca5cdfd3a7dfddbdc5a037327fe7f41764105047b4a19d7e87d81c4dbc7b9c7c158dfeeb1e7e3fa45d06ba327593bba7e28bb7a010dd9fe9130164110ddb9ff54d2302d8c476b6145d1f89a055728acb30d510bc93f59328d3582239ac28e5ac3a4c971f19ea95355eabcc55a22ffc35b9dad29163ec662224c524dc545a86787adc89d7db9b197eabfd1d995ae01f248340b1697155ddb2ad540247a59ac8574ed41c8258b74a6fb651f2d33d347d6d38c629c87c188ee4310c199de7f0bbe768e8cc1e7ecb3601af0c8c26d8266cabfc8c83ad1520442cdedef6b59ed8b3bca8c38385a34c360750ea3f8e570252c8bb6c31eb24d12f87eafd4c332b12008a44186ac648c75f9adeb621748906dad542b289bef5fdeb83a23af903fb38540975cb5282709c3a3c9e7dc0ac244dd1827e5197192bbcb023506c8f1fba9db637702007b474bc663c40e8551302185ebe8b06cb30f59e1c569baf9466d2eba8b7023de824b6bdff0c77d6d76c7e528902e4cddcdda2bfea46ca9c5181268d57aea77972e8bda85ca2476d23d662487f6d2e1e5613c5ecd2fb05cc31abfbc509d1756dcc8c0bf8b4901cdb387342b62cbb8fbaff5437d862b3cacea99fe298ecb527d7bc90e89a39b6db7140ad4939d8fea8664b77aa2ded74a0a0118d695e1da97c3c3fcbef58cb59809ba359c7462d58f3fecdadf94a856efd5543768d8a3b27db5f548efe2e51a9b4243c231743f52f5c0355a1a5ddc5f6173f2b24a906d910737dc632a25d1705090f957a3eabccd8f65b62baf4008641c20e8ee6d67c0eff376ec2f88d8cc003d3ef456bfb5da571d55cd7b0a515e278ceb4a2c84422ad291a6bda7210d35ce1f7d3e2144ec7030cc753859dc5533b86e4942394e71acf9f8fe2b9fa5be163484c85cec615e1353a3a5f1a82c55d916fa4ac7f31b1023dcd9130f61a8a7c00301a8e6d871d859139a7852a60829f2087e93e14e59b2762660727da193ecc0dc15e97234bcfdfcea68ff968207c4fbc5e7bff4d9408d0b252da323d2613c3ab9971be3a6c6e8982a1ea2ea6b020cd0b78ad83e248f38f9d7b2c0f81266544b93bc0f02980ab0bf873ed0527d1a78c1283b5cdc12314d22b5e182921d46ddcdf7402a465044a16b2d59df62adc53e689f6e300c53352f267749b79e005062b07d62b029ce5e82845ca6b695ae6c9bc13ab011f22707dfce7e98940231f7704afc12eef282bce1ff8f0dba329cf70fc56fe1cf1d6dd4ca3d079d81ad5f639ff8fd904a54047e2b99d4ef027fce4b70b05b4b5dca48864cb19a65a42148e3e2b9ad158f9bf814a0fc0c9d35c61ecb9a6d39ce0aff53f72c63c93778fa9e01d81ab985ec1ab9337252a4634e4047cd92913d85db0194ad9278e751f02e126c8d9f103cb9fd5b0dd883ee17130460313e6bfb066a2693532785af70fb7bab2a9d45e2853e6f624ff1f4b2d362c63b8fec8f8840969900b1898c11f4aaa950f6be042eef4f57b0b5decd0d4c463a1cc015b517f151431ce6267c02e12dcc119351e3f099187598c7a804a5a736927da508c9a052b6f792a6f24502029c0f758151b65c7cf3e4239b4732b44ecdfe2c8fd3cfac6005a13d132a72f6b6da2d5cc2c8801600eb16c1488187bc7d43bd5c9f6bf4052e7928b17c4f0b9d5bcb2208970780fd8a3fa479fe60a3def0332f2b9a321a36886fac104a4f739db35aecf71bf1588ca6fc3c3430776d304e6fd2c6e335908902d815593ae06c4ba29eddf5f5e3d715f5d2c772e2b0f62c8d53a84a6835a4995af4ad186b21b55d011684ad07f1317d93fd32a87bac3b2027c39173d51c95c486768cb924c628653541146a2850c8a571b2db560eae73e5118b2cb125f273ebeed428a83dc103faa06018ab58facf4c23d4f80a058e509aa5cb88de2e74096ed8c73cf4c1c18fb766af48f8c1f09c85af655ef243567973e2650919fe4289e1b949161560cdfd1436d0eb34fa5dcb1fc6b655e5de8e47dcd61987e28b2b67ee560d3e5bf06f08d1740b541dbf5fe966c548477744009ba253e1799ea46842411f7c66bc59bcdf3c62f265169bd53e2d157ae268f239ce8147f5f7d3f6e1613a4bc45a010e6d7efab1ebcf3666ec3320c356ec9374d4b55b5e226d2976b63f1263c01b5dcfa45b5bd0be9c9c3d11e2ca18f6fcc1b9673e5292c7354047752b0f88934129c4ef7562991261a35bffd61ba0912fc03b776a8ba37588d1fcb98e4e70734778f88795c5e53f9d894eb502b095ec3f2680c1af1b1db4d049d9c4e5d5b65a784b318b2dc1862176a36b64568ead48397ce6c684532a3ceac8d54178ed2c4876008bcf686e1e9bb60fc7f271693110f9cbf43dcb496a70fdab4aaf65bc6119d34c1c5a8138faa23b2b347f2bf0f6cb9605f3f504b0080689091688f03c2dbcdaee698912ae4e5366fae05ac4bf34f3a001f39c612e0a511ef4fa6b71ae32c6a805837530755b7552baac76f76215628592929629ec4e7f386ea26ae151a9fc1858e270621116802af43107b3b952084a19be63734b8effda36de57586b29c50737113d04e1ad7fce51419001d1fbb4c77191321fb3d26be954e8ec78d8f3c5ea6aa0a7c30d2a817b8ec5c3df841147f63a39eea423298d8a05cee34e6db542f4aa58461ea0319251e84b1b4289c2e8f2f3f76cbb459527954bc00128dcf53a015e330f2bb9a43e9703299de6ea9ff7ae84beffb479f94b4cdbf24bde604d69c9378cf8387bb9831c46a619fb99915923d8ca6ce536f47370599f4dde04c823c067c773ac7b6f40ff5af9b30e9fa17cbf1e34e30cf503477d554d7a4c8e085b1900cff0b0a80ee5961942b57b485498ac8683cb52069ed367edd614555d7f53ce7601ab779df7a28cf7be8bc1b6a9e1636c697e22b5f2901ecf6c7348c335c8b4a3c69d9fe63df416760c0c747de61c2e0960dfbe5ce7a553b532b2da5d9645c5d5ef103cd1af91a240311c1d4c3fd0596f4f65f3113f87aae24504e633443ca5b5de854a74d1c619c727a1bd6764a214be118698b17766e2a95d661acb2d0412c7d36cdf4467f6daf14b962cd97e24fa3cd5ad9adf2f3d1093cca7dc676de770970c44c599b996d49b81050c744c7c9049f93c03462089dcf60b9befa1f419a45563f82e7b587b26ebcdf5dc8b4cf190b73e4bd6d6b84a19d4ac62902ae8177d3aedad512b80c9573547bed38d9f02170d4e8b3a1b18fc90e0b8b871ec5227d4c8e114f44ca8c9fe9c5d02054c190559b26b166b7f9480aba380aec7ef6384dfdcf57c2c6119698b0f2a21228dc6d5cab83037bbaa475ce900d18daab7349e11a18e915509c23a50002c3a24ffb02be8686c190c8b40d7f044bb227db73858293befa17719915a8bdbe9f8ce384b9e46541941c0d964abfcf81e701cd72c7bd935eb1678463135b834396f38068ff485b409f310a1b0514bb3ddc46f109f689f9ad498bac5509acbd6579c2bfdbf5411ba85b067ff2733ac937edf72b1c74126e89017dc34e8826218015e25a28af71d9bc21f4dc3a2fdc6e6ece6c2d1b54e5fd3c669f57b054f5d3362935d3022869c3c3a92275a66dda55981262f10f75839a40576f6e39e354336faa442133575f0af25d64bf8c029239dea3b16dd6fe97d11361791cac093dba5668f3e696c12a304cff2613fb886bec87976af2ad8efe68aa8e0efca8fdd663bb65cc5ff4fe114a57ce0a7e3ed2a183614818794437e91fa03d3a7042ddddfaec07cd927a8abb492ba026779a9b029e84f32cbf3f100321cf1b9380ecd8b21f8f492fdf2e34a754a0599635ffb84eaeae713bcde5c55ca74d446c4b04352a18cdfeb00aee0f8c7df00d7b9ea5cfb8d00db3ddf702a5519f03fc02539b540fac4453c36d763dc0f387f38c953abdb2bcf8e1c1942b6adbef0f89163b5ca7def027d09c03106af8b2571613924a815e319db4f0acb27a32da871003bd0e14b69365e8d9a7b9d87a232e018cd277d7b2b5ed2da56363ce9cb64a754419473f714e183c6b663df0090ab6d1cee4a04ea68780806ba2680e95d80b2111df2091fcc06874d044e3cfffd2515e2fc08b720be1ee43839282724aa05ba713d50bdebc6753829cda0999d310d107f534b84d981504d986c3cac8888aa0ee67380d324cf541971b092c9cbc86254bd537f5bb68c0386af4a228104fc03db6aa3258a4b9517150c037cfa34be268dd0c2159833a75caf4da248f71a34a78077e15b44d8d7770999762b0e70b92332009999e5a2390944620363433d01ea4ee78efa89540f652eb622a9373c51c8e4194324070621bcc6ec1a5f99964a6fbe2c2699cf63ec3ab6074cba2f395da358e8ff63048ddee805d13f51bcb470324abc4db5a9df832cacf88ce12d4a759d83e527f4923addf1d846986bb22ed457056287e399622ddb1b6546ecad1d159822d96b84dfae694d2ca66dfb9666a3f2ac1cd69a3e0a57a8c3264b7eae27c3dfdc0679fd79e179b0a05ef73d8a16be7724a23a23df607ee7ef8bf1c85f4f8d48ac70262c0791fd38cac8ac9972a04671434477e34cc1e242605c9e8a03a5ba68e4834e805fa271a998ac9046eb9c2ec1fa24e4fff377e277c978655af4abacfeb9f7f19b0b6ec116a9d59d773b409dbaec6a1f571507ab3d9c3254f6adc8771783a2477a8f744ef678db947efef1b1260fb8d98686a892f1a7d78afb4861754b37780673854c74c7789587771f39299d638e22a4a40f5224144cb8933dbbecef6b141ff990c59f0148c63b338eec3b7e2ef7aae262714d5b0b98879f1b3d5455b84e8730097c7c092a16306e8fdab596985eaa5cc048d4c7cac7120b7348a9840b7934440569592a83196c7858798c6b342daaedf49ec2fd7756b2d63e2ab21b8402fc4f0e47e886fe99a272b1acc04f69ba722f3bd3a87485cf06d9996fd56c544f4d3f03fae0c67aa974c5aebdab64ea11d40c7c2617b9d3664d39d42ca94f314d7069d974c8300035b501d37d55bbd52d78d4cfcab2ea886a685732f3a2e2683fe97b1da11b21dce654e5fba9dc527226d7c1b6149b63f27c489eb3ad183f06d1ce71ca2df5324f4a2082158d1905c328c35b5c5cc38e60eec085e7d86c6b9e0d181856ed08968627a00bd04fa63bd6fa1e995d903abdc76b6f727fe0b51f87721ba1f8943e043725f8213565ad1281eed856a3f5b7320066c05fa7dd7e1e8f87c1beeaaf20ea990a28debfe38ae440592ede139895f613100a99b2de0710505c123d28c280ab440fc264f51281c77e1bf685a12c12f3fc35765f9fc734f318d54f41dd9510d52af3baad403d5281792ad98b396ba3a3fcc61812ed729d877b541f5dede5d6c808ca93d74082a3cde16b615fda486cb7cbf20e045160c5f22c0b498066bd038da324f3db078964e626e023263cffe37b7e7b60689ba612c0d5c0b7377427ce241092c3342ae27f1263ebd1b1e9ac95ceaab495152db27bc30db4b3deba2d736d53fe660bc6758348d5bd643d1ff21aa4d8eb1e5dd4576729ee1e649e1dac96a3995bea6e742116c4c860f8924a8b85d5ebc2214082bab0d48a98626da328bd2fd787ddef88d16ae19ca23c65be3cd3452751ad669aacd2e6085042cfa3b299decc5e538985fe4c2607fb3e74be761d9c33dbaeed9259683a16054bf0022d253d0a2c94062a556ddd41c3220f8aa26cdbac4cff3df5e9b16dfabd6eeee4928636cd693e708c69edc1a5164213ecb0e35e1ebb90c1f202ae37d0ddba7f97b2df5b517e74bfa121a03fbcae3a85541f31895cba0e8d4aece5c935742f27211dc65e14f3311f26371afce2b9dd236d9be1918a5ddc9760d421a06fd455ab36a1ec95f45fc67892836e40e0869973a97d07fbc7cc5598ff7967fb78bf2871ee3b23f78b3dc109f7a0a9e940b5e01ab2a910992fe1ea9e1b8c601d9696d2c2c04fbdd5100c4436cd9bb0840d5de3beca66a72e1e981dc5b7f53d08eeb4ba8352c6d3597cd75d7da630d8a9d016f9906fee70614a2bd0c37a3b1dd3a813ad2708ec8a54b22bfce4433f6bea28fe6bfff5b96f3593da7c3bd3a863ed6503721cbebb9cf5e5c51bbf2170ddf1b7298b82778a98a946d7f2f14e838a3e2db7537ad67d5c276de11095e473da2c43d7635babbab6cb80d7ce1486e614c904fbe0082a74e46c8d07674ebaad6e6ee40f0f6882d4c1b3243d061e81b3be8640f207bb194453ea6c1e252d2a04a2031bd1342fe39369a897f26417d968759a5c3a06f030ad0abb20cba76d22646f9edbabe55561c1a6a262fb965cb00a618faa07fd544270dd212be31615708aaec4096858bc7f660e6899b52171e9396ebe48c12caddc3dc40b2c7493e43b3b3e12b642f1da857d6bac348b2521c50d5ab6b844b5074cf68209cd349a44f480ffe634a0b5f7b29ec26626d36c8f9f0413e6728b5c0f18a2e936cd71ba050d4e8a009f917920498200b457832ba65c0466d64209e93f35115955079a6178ef9ab982395c2c11e0f4099ff31cceb2ef4cbde0319fd77588d0e7b0f824ddf879e4b3668c370b7aba875080a97c455d287c0b591c52fdf3fb190b9f1c52ad92886f8563ac9305e47bfc9272a60ce0172fc83c82e0c640cbe2b2febb171ca215397998223886cf6b1f723657752f48e24a083d95130ac30673282fbb95a40abc93db075439772b5ae02412677ef88a76f9922b0ea85f038f6e5c0bf2c8502db3f5578a4f34d244d61ae4399bc7721d936da326b6d1deb4d005a964f6da05952cc27ee6ab7c985f67b05d8fb1eba7c2a5d154ae867d176386377073e2626b0a3a2b5f882144664a1675cfd107ceeb37620a4a4768b55a24dbf71ceb7d9ba4f0d1e734ae46fd3baa491da572a380d86ddbb40d6e5195e683350e6b58bbcbfff111f24b36d6de9d8fcd3ee8068b9b7450a190edd21869fe43ba26478d3655c53b76ddf67dc282a7d5657e93c252771f53fc1602ada31b000dec61c813f053c692c49b09e4805a5411fc76998e7f82d53128fb4e42ad2e288ee9e003dec36edc7e039fb87721a4126355db44eb43e89bc29c70526158563132349f441e7e85a415b48b9ba536efdc8ef722c7f4a3f52c78072c7ae1d6894bd27583259f6a577edf4007cd320252b73426a1bc5bd7e260625527340e90a369fca1e88d7eaba501cd43207028b7fec5d3d2ec35e90da793ecf3638a1dc0e26104264439cafd8c62df72ad385d0dbba724ba5962b92ff8b0c6c5ef31fb668ba242e74fafbf4fd81b1d526ca3e3a2f25bde45c3c0c17f9f387f90161631b9623aaca870281ec3fd45796de02aee61b9e32e9d3c370bd4b9816b977b34dccfcc6bd71a86d7e8c9ecd8884386cf94e70f4711eee06b68170d1279821148ea161031d9aacd6e4a769450ddab1dbeb4cee429a339713094884fa439968f9b01837492066e6ee6e3f7a6962e5b0bf5b60deb6c25be3121b6b47b65cb457cc82e95fd30a861ba11830bb09741b180c4ad2a5d58b6e1f7b97d1489a06129583552450d15cdb74ec177e18bfd2cf6202e883817dec4ecc60af4fda42f88c6d54b8ec1170255323ee838a16dc547d24afdd9429327371f0a8dd5926faa063d15c3ff3eec70873a53ce5983259ddd9944d5ed780eeb19f334cf61aaf7aab0feb70b3a50ca55d205b647a333daa962aaef9e37761fac411268412fedbf24b783a83783a3cbdecf15aa17a49789ba5352cc197bc9fb66b4f4cff97b79a25aa43c40f5213acd927c104a392724070e347bdd482fc8b3afff1882c3e9e5eaf5027e88efd72ebd37e3d9810e76ea4d7b2b079cfd5d942b59f774f221395b06fa92446db9a8d10de948977645221a7b1e3a564f614878fa1f2d2efb388105e0e1c03d0fc361cb42ec3296e5c68cdbe0f7b3f0d1cf56f667706ba90c2a15607d4e99ad588176ee795a135420e4797a91c9d404628a726ead95f9780a239c2dddd5cc745d2cd4629e659cba34a9e83d014eea0dfa57d641f6109728f6bf964bf397e304dd436680d1fb8d0280a37b06acb4edd16eefb339269e38ce4b9f454ac7c79cd634fd6f19e713c2955c234eac508ea754bc05354f5af089187863479d4840804284c780077c4e4df4a47f395384cfbd00e024a81386abd84fd11bb8c65c769e4a821f01820350487f309197e72b6462f29977519101ebc520008ce3306bb902964c69bd1a0002747e4ceaeb26239f3e1913f290a8182fd838f2de5c3f3ce4904baf398768aac3b9ea9d45af2556ce9cddfbb48255f4e615b3d77a4ecc802a9e338be342db986deeda8fe021cbf6ab9995931e8f624aaf084485e798f4e05d1f50dc81107f9f55f7a3998d3f4cc51f975d38fa4721bb55578473b1be71ed627832435cace367b3d7d5fa6e912249209e0323657b8e5fa6e8530d75911f36258bc32cfda0ca3b8bd067b67440a3101fa9d7c41e4002312e32dd1321c5be4656bbcd28ab4411bfd23aecd6d1f66d2b25e9d518623f8ee2964172c4061a20fe45be641c1a85727968b19e87844f936fbf217de8b985113e5462b0b0507f571be2e81b2a2d1b1d7fd1017f47a5146cfacf0bdebfc833b880b4f73477c8649d70d7db8f1e352d6e3a943012722a02533d61606d93cf024b18a9dc4cbe872b9a2a693d25cdc2d34f8dd8cfa6c25e648c37ab322b30e9776e359fe2e0fbb93b38b688fff75f3bef9d4b93368e89a7f204031ab35ec2250a1a9ebc84f2dc2a93203e955c97109ab59a1dfdfc4d5b009daf69916349f1aa530453d36cd4001fcf1e60d2dde684aa43f4d872fb193776f032e90a39ee4d9f5c5e602503ea9b42a22e88ec83f7049870ee77dde87776fb6ec6fd2064b6150efd3a3246fb21ac7d1df9f51e2ab7188ef3118a7f98d2263f0cc6e5dc171d43df53ac00b226fd2ddcdf075afc85567b47c37c34f0e9bed40f0ccfd5b347a4206f6c661e08e979e28f426cbd7b0180963fcfaff6ceb9aba3b12be95d2dd8bba3c658a41a12d4112e2ae05ed9dbabe27ca541059b61190cde566e56fe9d5bc69d2f53e52b52f8c023a58ec0453a417e84edf37760aa0e3fcbe6ef6ec7f4a203e9ffe3f7cd23cc395ce5e72ef8a3665298599da4de58a712388b4ff9eedb63484b92f0ba8033b1c3c7a9cd1dda07d4ef3d3485eb7232adecc421dbc5ca0a7860f5140c8e93d0b770f0d07bd09ff86b166f6e1efbb467c89d67da9f674e1039bce15bca3c33cf626c29257d4c397562b802c1e254fe1a2cf5803d9f571a83115e1c940d52b862d29657c75e32ec71af341af4998f37e129ed717e7fff26f4d45964cb4a04aa77ce0ce0a9bd53269170704f64811c3848e5b05bd8ec7d92974019f2c5ceb23648417da1cde22a2f0b91f4d62938c21ccba16b957dbe400dfb59949c01c68f59fe11d96d5dad7a39e6a875f3a84cc3b62cd230654812899f4118f136b896743c67de85f820745036a373c039175e1e8bfd363e535f49248059110a119a94a65eba95659964257a531bf1311b2ed28e834fda74222c3604c90c2305c8a4a2bb7b5513a9a60f5a924eb9f1c7acd4b15811da5f4128f2d48efb43573d3b6978bdb8495aa4b80afaddfc9aa74a57a6e5d82a201cbd6cb6d4e6dd9cbf545265d646385aee2d055f4bf039e879a6086088e5c5a37c1a1d47fa374d265fecd3775309a43bcbb520139d08ebaaebd8f1d5a9c1e282ef45084f60ba838b47957f4c9eb363336a923d69c2e18bcd4e68a8f5e74931cf1a67acbe84d8064628d5c429d5398443b8cf487485094c9341c4ec6f8dfb7043bcf5d87a2d833d818ac8e5501e5accafa6b4cfb7b4c00490d1af2106689d42f61382472419c17e1f6f278681cb6821600e645943be22f03c3b8dbf6290201767c763bc07bb1407aee28e507f03fdd18c1ffe29b0fc7b3f0a8ab7e3cc2c13558984ef80856e2286f0bdebc790dc7e7bde03bc271011dd226195ef86d91e57066f5b933007f4d9a96fe2f2ed4861761bdbf3d46739d4aeeeb28bfc98d8515878e637a25ed115060ab2597eba14ef2cc67d247cfa89288a2fb83ccf5af26317617cc9339fbf8adb192567dd24bc11dd8144ff087a758baa2fe6335a5751a18ccd8038facfccc0ed74ad1b6afca6489fac1465623f0af17149a58a33da6da90d1aae212a3db863abfe10ecb680367428634e409d9f85dd4414adf1da3d667c4693b26ff29dbc25475754bac474efc8aed58463b540394e48dd00143550bf53d823c2dba3d20783bc1e49d0d79f75e1fa2e293124c16971f50ab024d6369d42ca2ab3cc75463c3a8bbc580bc1708a40688b341f8d1004e5a4c60ab0e6f315bf686bb21c671b7034a236337bb77a1b7f6d01abc4f4f7558247f59aa10e11bfd6f4c5e65015f09d3eadbb11b854913b93ccad9c8feda1b96363bffc8a06536b7d00f725ce5d6fcf0823dd86e57838d3a02b50bc11813e8a8d8775c06fcf841a943c0d9e025bcf4f5c6946ef4a95b03d97d9e7bbbd3e5a1bcd0ad5fe4323db859c1e43282e82aa29324e97a9925dab3d675d48e663414ddac15f56e9e9de9c39f856bb528358dd003050df5c336116cc29ef8a0e449d5c609db104a5bd53ca5c28fa7dfffc1073d511448ef5e5d86f25f8e81bec9214285700c05f601ebd472d71623ddb2f19aeeeecaf7685890a3644f81f69c1788c3cfafc3f2c8df72cc7d927835e9eb666b129d663c425224778be8dd0d87a1665aad99334ee71c13b2a1a4b96d4c91f70fca27999e6e829017d25bdb870d5e479c6ed087db835c9ac10cd4ee956328c10731fdbfa647de841a72fe9e8ef0ae1e57d81ac3a8573667c41472ab68aac5f4189236436f758c35d07e590a01801626995a3fe4b1bc2dbd37e018610b01f5e0c1f6f11c7bd3f6cfd38bab2529b7795191bd2b36206d468ed501e44c8ca1219f300d8a5da74bec71e9aae07799baa6afdde68ba604712a69ac2c858e76fb309145a2d4e125e2010ba0a12ebd50ed3523b1b65465aea1939c036183313864d16dfdc9bf30ee13c16aee3cb45e4b08e78ce9f7c32f15d686fb670b29b9bd1c9b4064852325383d7526c1c9077fd17b244069fff72a363d86a7306dc96b1a3a42df87d3e85b18ebf4950a11c0469c015fdd0da7e97744a1bce5faebfefd86c4d5b2aa60178c4c5b3f74a266125ca1d65cf9c1558b4a2051554db67569855aafb720d65a233d26e012ad097c0b42c524fa146a70b7b59c1a856d51ceeda5696781762f6c441a95cc4177d0f01de33bd400d0fb582d2d1c44745b068a5cbb98859c4f4e823f680e8fc4c91b0f0399584eb93488d9e601baae47e4b293eda1517ae062a4d3ac1f14f81b856d85a9230a31cf15320272824009143ec4f96213f0d3d560c645db3edf47c66e4fd9d757c09f98e64aa9deb59f8cb1aa2d8dc11f13733e745cedfcd024d90c986829a9215aa16571066d6034709312b1cc8458ae5ed13d2c7dba13401a959a0d9a90fb4a2ae45c8465f8e0ed5119d7c908e228e3244ef2f9ccfb72e1df9c32604a496cf49a9d4d98815a2309542bce0cf234df48458d3dc70c5fbbc78d7376cdd99e53760cfc1612cd6f8e712442f3c54ead35788e561c0adf910956241faa9d40aca975b2c7ae1ee400f3209df2670384a5dfb24663950701f918d374fac88ece0429eaab46a4f3286945e7bf44f688de8dbb6b441d43d2c7be1c557746e318630c9def2168a079bde3b75ddb42b5526685e7b5250012900c241eee5636d8e8ca6f1f8bca6925661df17bfbab26d69c6f332663f9e13fc9f3d40785008bfd9b540e055bdaba231b5be79401424e42b8c4edb81f1d8a33ab13db4f8517729fb352fb41a99c94f5eee3d220c2e1ad319e6f1ec234aefb515a4d2428ce011384c505bc4173eb0bdbdcf18f2a88b76697996b73032a1135ddb11da5805b46c9528fd5fab4b1c46acda6c70389f204131ba63ba20a6db14fdb9de6b6caa65d19d8fed70ef4d179ee3429b1c9084ef7e005a4893faa2f3a8879597efb8c3f7bdd660a6a96028189a35d575d8d433825ca487e033789839963667a4e4ba66bc8d2f2ff04e9d081903e31ad437e73b96ffdb434e650b10756a3ded0e501fd4c2a1db985438368228926d00de93a523b32ca92df73262ab71067b974e85c5a8a8a70eff2ac73cc7eb1b216c7a3d9d6c233486fb02e42af56d5ba1cc7ee0707a8f95dd4b03e6d11c251eca065ad865d908e2cb063adb50e327d72f4bb33be11000aa81c8077467582d347e19b042cdac85bb3beb153c7dc54e7298038c9ee604f61c4feffc214955dcc76a7e41f7edaf0ef597b1f132ea9138301964b60db44a3879f21b53636ed34520ed44095c6a41cc035e3e0e0fff219206be7002524aae8ea29404feef63344cd8720fbb4a204e06b49e9583f49df470fc66a69b61955d0ab9c98221d56ad967fb07534eaddbdcbaebc9840ad3a615fd7ac48113e4dd498d9199bf4e18fc664ce05c2c3d0d9219a3e91213d2b2336af861e2ed206010ec735fb5960e39c10d6feb45ae1de2d441ace81f9cd8067df109bf585dd85bf2f4e081760d3bccc32d1be7634daaba664e3eaaeb03a35262237c2637cad8acc75b3c667147bd2cc40d89ba3d811acafbabd26e0448bb39ea96f631211d5700cb1da53594f13bf5823b70f0a45db205defa29ea47dc2ed7a34b2e7ff21babf6e03f1628f0ccd1a55d845a778f0791e819d2551b93d90d3f96a9c30a3682165be95a63044fae89d2172dd24fb48d98f50ac624e82c3acc2f120457aaa383ea134fe4baabed8bf52f3faa3b2dc6d326d400b59e4c642d3c428c45fe55b4d5beab5831be487ba6f4fa10bdb4d0bd5fada469bcb78debe24338bbf00ec475e41bf5d199d77a59b8bd42da5bf52e3768b5f493933927e795c976d20aa39642fa92d85990cedc181feb750e86f4fcda2c85bf9799e4cbd4c47246ed388749d461adba8f28f00a434f4be9e48ac5d937165e7dc07a87e594688a1fd84513f5518c16d0739452d16d2f0ff801c5b2279d9b4ae47cee523c30a7d566faef8722cd233e32706e8ff7254bc2fff3d869e8865cf411cfe921d13f2b982288755b79c3324382f81a7cd6d39b5d6497b3ee3123f6c4e3f86f159eef64db07a765907a53312c7ef9f0d264c8285c0574eecbb218e58bc7c24eda425ddebedfc077da54928ce0db1e393f8057c790ab25c166dba9ce3228ed24450c7689b6e41ba2c47350cfb1e852f86f5b92dac1a67d08c880d4312e3c33e84e761fedbd4b375b486bd4c2ca4b41ae5cf2aa197b34504a05aae991986ea5048c885022e3818b0c01b98dee1152f9152b8e7b22dd7ead3a18e366017f3fd43312122e25f17f44dceca8c657767f5a43da3d7b92a24b2d382069a37f6efb12108c627e45258de90b851a7565e74de95d7fd8496c74a88406d6fa6067dda480af196b0ad89e25236ffe91b35ef9bb7d0c5f9328ec586c30122f990ade0d3f2eca78812f9ed5380b8de50f5e7af78001ada4aa802b6a6d33185644c815370b6923db1a40e6f00f50936ebdddc4dc6c06d877db1f3f840c641aff595c3464faad7354c35955072744e8db9d5db02a2b83402894bb005bce11fdf278f0e9b4bcbe77d08b865f09d3bad4a37c14be547e10fe843bf2051cecf572790f4f0ba6cb00efeac12fe65bf77a5eafba80983ce0a0535cf83f551cf44f4fdccf192b928b0fb0a30760be6b996ebc0e9ed771f740c9bbbd7bdadb68cbcb4a0b14117c5c1a12936bc1d345197455d0de73544647b89be0ec947259ba3404de085f36fb257ed7de19449cbba351e11b40bb6c0e125ccd70b96caa46b282bfe94925b811ccca25f4e1e40ba30c20a14417811521be70d381abe5a02f86d6fdcdb582aa996f646e53d9d5526582554cca3b13680657b769e92b006603e6f3d7ba8be50ac1e6ac5528b9a6f6b7621c71cf94b29bafb75d052a4a386ea6c9aedb2329ff9422a4129a98ef180996080333b26855ba1d58bebd80ec98a3e2647eb27686bc51908616bcfb30e21ab0e4dd64cfc71b9c2fd6b50430703298c08181c8e12a4988c2b12a04f56fd371e64938a703b33d8edb13e5736f0c35e23264e892273cd2dff5be3b291821dd598826a01703b5efe6ebc7adb87f9615db4e7979be5b8bc804fcb4eccd18794cb765db45301697864d484e2e94035c94676a2a509c09feb6bcdb4df69fef92d782abb5f75f9c920f8d2e81270df0326d86adfe3968d1adcaf0841cd0916ff41a2ad5bd6fe282d82af891d748c1ee3c1341c71e065c23b4ab7b35aad856835425d8f4291a63d65c3f34048d53b8b4cbd2934f13a22ea158af9098dee6278dab79c743eec53cc032786a8ba2a5c03f437f3363f34b1b99f7307ae118c1d288ab2d8fa3f1c512113464713e0c8cef34c650219ecd48f86429234ff11a74386903d9879ff7d66aa48e8809a2ee447a3d9a1ae3ddb45b26997ca4173387c25d43fa9294ec061fbd359341912473cf29bd4423d266752c229012f4eb9da6d89d9330b60c2745f3c85e161c5041dd65401a10a891d45a1a851cd5a0b1dfd35ddf370acd42d2f3990c9aa8c638b42c07b25d5b6db2fb6781416ab0a38bd94893ba79c205a2a022440a37450201483cb8b18e046663e519c24dfae21f161e10af16eb22c8dee528ff21acdf10a99d9278590fe00e6c8b86d8f3bcfc044100dea358aaa8d7859f7fc4e646327dc14f19b267d3635b994e2adc92e242dd01c9f011099a0495e4c5b9400556bd6f46c2a882bb0d9901217697d97f9df64f3667ea61b5a8dbcd0783bb4f088d16c4c3075e2fae72917270514ed309849412aaadc588dd595593a0ebd0e81d9eef36c17ff2455349ecae85095ac89633f1f4d2173b20ca6a9f6ed4c733d9ebe9abaf14c242bb190dd5d9868da91ee4e2a79edf116be25aafed829eeb0cf12e384a548bd5c546cceb7cfd0fb7bb85c0397d78cbe6ff452fd42ab4e5d99b8e94f75aa79f5386f103409f9d542c19e0af95ff59fec624f9c13acacbcc4f2a49d8d5712f67643ca4a2737f9a330945b4f910639bfbf7943267ebe772aa2282d67595cc7932d227eca38b082f8573c8e8a6940122f1ee2fbb125bed9e3156be0d6f7b0d3b7ed912c1ff35bd465cf2dc1563c9f238a4e19aff160f2362055a810bafdbdd3a43b3bb9316818b7f0c2b25e9f0513cb76da1ed85bd49ec58b66f167b933bfd0e9e5d4385b820d888f79436fc8204df5a27da41d4de0e677c4276ce7cd9caa87332ee942a6580cac0fda2002c3e151ceba03f367b141cd76d797e6413b3637aa131cd55e62ff4cac1604336339a9aec619803a8229ab78e01d905c768cb638b1ead3fb6290273f7fd1b5b05ce1ea7ec4635462c149444069bb4aa2fd24eb5a25f9bdc2b7513d1e36c902669af56be86330f3ab20bdbbd40c26d3692525fa1e69c5017ff468fb3499a6e11a3d441364948527b65d2566580badfa7c7d32feba6126b2e96d13916c251734b18fbf8418a23598f8829ad220e8c3b75e1fdc242eaabc63769e40ef61d9ffd8c3384b89be02e4b2267043dbf59010e8bf01c2022defe0677545559209585a6d14bb95de6190ec89e7e4d2fccb6bd5eb0d43c533f64161cc06cfcd2671f98e2ea403e1ad009dedb1d4059d3314dc244b8e108b954e9dfe2fe6ed4fdb59f57beb8416d985776254ef746333f75886bbd413b43c279d1ade19a590b6c8756030b33ce5daccd585d25e8607093a1d2dcc45f34f1a7ba57010887f135126a1d8d296dc904c4e654717107ce8624f1647247ad2787e7a1030208d4818ef748aa407a28cc528bdd1aa2734f6d2f2aaa783f74099048cbabedd8abd97c7922e5f2e4e6e99867691f4594d89028681c03d29ea0ad84e1c17970e18786243aad1ccc3185813aeb1e25eee6936a79c1dfe668c7c28062b91a751512f0630f1a9f45eede84d76496b02155c0ec263276b146bed6ec54eeab246b2187d7db507d82dd1313a02ac64806556818f7b7bf730c05c924f373e5e019e81a5d9286b056db5ea059fd7a92d169e61c4781d0741c2eea0e45b6d523e4a995561472828cfe54180e8ffff44dbd58a1d3f978236f2709c3f3a879d9a0a81845309b3bca02c5f15e62d07ec48b7306c4a5f7404f031551e9c7870b8d817c784f87964ed6edee7aefc2c4c58dd0b222c402ab15b0f71c36755a8356418187b616ebc7e239786f9322a7939a79c7bee0b7e2131ec7ee00cd2981b78f16cbd72d0b7ed160f4153c39ff7072c50a4ceba047bc802c4991fff7edef396827d38a8cf4b24efe92b0f9851970d6d97654b3ff63bd679e664565801000be865caa84825643c0ff73076b9d83a83211f540e6ecae8e8b1760050daf81695e999228989ae1013e4061abbe7929a5c6a126f89e8bfa16557ff99afe16246fbed5ed96b30438e412cee635dd3cc47fa526f28e81dab2942eb2f0dfacbb1ac55d30d42090fcccb7f0b9e520418e195cd682ca17bb7822240bb87c13d6074f20b7895fdd44d7e09498f5af1400cae141764f5ceb29d3fe64c69d851a2d53f34b8015f0d1a32bf461e4356ebc53939c7865b714af2e451e6411a042aa0c0165ff6be2df6b7f6947c8eaab100cf06adab6ab25482b90cd818cffd92f7a3a3d9e71c81fec82348ca359c554adc88948a22e5952348a6f67a7a7359e6bc1dba3fd58e4d079bf205fdd4c69410aef784b8304e7a81ec413a3c7eb1c6117db137f601248dfa6e712506d9006013b9aa22a6bc2fedfc48d36be89c7a498ca237b94e1e1684713e01303a11d06b87f142a43f502e4964a8446e45a09d038f15ce713fb9b5c0a059da2ecfc4a7c0a036e5289de3e7588071c36f654d5bfa869682c47573e404a78ba21a3827fb69278d2ff34b7991e221c31473ae438266969cb42ead936f84b633184bf2a12e7591a836e3562734b7453be3a450fedea17a495b6279734f23f57bcb76385b9afdbb3089b5a74366e307e4272341f3f0929ae356eea3261b228b6c493d04517cbc6c71de51a00633745f09ea4f89f5e6f764bca0f0e9325749ae3bc4076436f896f06db550e5b80e36e9828afe831f05b312f0bac91dd4a93fe73f5f12f22995c0076441512efe2d7431c92876a0cedcc5fa33b829009a53b16a35f1a2b70c8c64759c3a89505b8cade9bd7df76c108ab6d0dd4944a44b3993130df06ad281af953406cea6abc2dad514aec8a516b7751dc0f010dd3e32cc817a09fb727f78326114427d145fd1def774307362bb9e7efb03d66e92394667f0bc8cf35802f06f70caf46f8076a7e5dfac9f50c475348c5d828b74e890abfa42fa4f4aaf6fcf097cf37e623df847dc7cc471334e98791622bff991fda8b2bcfce0db32a62d8a824b84dbef0403ba8a11f03d09882351bb550d0e471d8658079382793ca995a8393ce22af6d9b86f8dc993a02015eea651fcc0902eccafdc773b2ca0791e7a12c9b7b3e2f768758787fdc1a04b372ac12728b8ab081b384b7f2c3c5511f3ab3d2427a183c8434be53076f9112b6c1c2b6573209357795edfa89349dcc27acb33a49a64c7620275f3c6bb8055482ce98348c013e63dc5a8d04fd54386d4cf7e171889d76b12b7996d1fc9ca4d74e30ef9c2bf034cfccb33755650357561ad738c0a06ec467aaee2688fcc9801fb38f89ff4ff869865ae3a2c68863987cd20891df42d9368b311cb77047ab4bebeb0fdcac990127642d7b1dd4c8307678c6c7594e23eb0eeecdc773a95ddbff54ee1e9aff119e7380a9c97733f41440989fc2a51c74cfd44f29d45bb104dce651e8ca87449b3863e8c6f4c089283455f17597189a40c2d4a46d50f16bf7e2053c3bb126ba4649a0ad09a8e91a9126a0bde5089a77e939996fda8226bc0df3527a49be8913489e34273b175a32fdeb1bd1890a314c155e0d5e33c326d159116d3da4699d1e6b78b1f917fd61e32adfadf673a567e44502554376cc4d644819e6cfc759e5bdc13bd90941351ec1e8afebbf02cef9b5e385b3ed54d27bf23400db36dcebefe43dae4358b1ff91cfca3d9896bcdbaa7342805553f117014017c34022ce3d8ff3bb51ea345f24398f97e84af303e29302cded3908aa1a98fd4c0b47ac9480af48fe6141e802623de2a516ab34d50d1591fbb0e57b980447d52ece095ceff30b6ae49d8722d824940fd0b9c19158e5bb2f13c31e87c84b6288457f578aeb0d288ab6306bf48ee87cc13a05953f9f04595b7293f8a0ed45519a29a4f749401a244fd8ca2e0b484012aff425972d03a4322ce17b3d91b2c21026cc37ed2d30636f41182e50fa19218a9a9423290f1545963889a99828707065d1cf44e461692fc7ea7fdfb2d706fb7430281d6af5fa7b2c2827e9685d3e0f98163189b2a270c57540f7ecbb2b8332ccf526c1cd02d39016399a8a246370012c0d77cf921b554510367470e431be8e2c0ea450309d1abfaf1891320315bdf5f6361c3ccf8923f38ecef2f2acf5cbe17ffdf0a3615283cd514fa7b2c8fcc638eb3abc35266ec45f0c658a6547405f3adad038b73adb6571c25e342b28c83f8fa4dbbb1c95aca1359254204b374bf2d6102ac8bbe81e52344b4c65b52f39bc0281da9d395a834e3a037ae9e624927a647945be7a3d870be536991fbd1947efa3f1277cda877fe78ae8cd554553f496834b486b223962b448fda013fcd2ce5b1a9d828ca95f64b03c0fdc723a46a1d1698b06f86002c96a03a7a124193f8d692db772338a87a4b4839e74b65c00a374883295f15d5b4bbca2118aaf054aeefeaa14261693ff617c70ae71a24c734c60e1e456dd25b605c0cd396538d9c46b0dfbe264188b1ff7f6f06d70446a3b544accc7eee607ebc2482da96244a6dff1c837d3b3fedbda3e4e63a18efdeb1b7afc6808a57844cbe34a7ec24ee5dfb94857608af2a388da0918f5658da02e6f77fc791f3cc3f61f998f443850316943e1569bc36c3600587caef17d49adb7ad319be9f536e1486e2f9063cc0f3bdf51bca6c2399803c7c71d7a17402b36a6dfe17c73a3c1d13e7be065a2b9fc9063cd1c40090b80b7b2ad146fdcd3b3e07fe161a6d7ebc78821d8fe69198772707adb23e722f3b4abffb942e38e43707b422487dd7bcdaba7caa78b58e6a08feff3fdc36584bf0ecdee7a8bbf2bf339b8ffff64108944a8493f9304b702b9382b4a74e3bcd6b3a3abc1872f2588a7b934ebb0cb66723c1a7183811a7313289569bcc77953d2e2f968a8ba6c87bd6e914effd25334952d0a75bbeebdce54ad3c09125e9b7c186570650a6021285aa546cfda1167c6836f2f42d415f4c8c80df6bfb3341d7de2bf2b69838f338d0e032b52de5f0fc2d689c40f9762ec49f03124fc76a4737a7724a17c17a7228e9cc94664831fb0f77192625f4e933c9f4c7584565f6f1f71115f5eee76db2d15f7f6ea37c7afcff25023d43cafc0ff58bb2939791fa9ad6438a278f0e2a527287c847158951d45986068b22ee976c5282a27632d849a042bcea33a863f3a9f1631b405c543f89446a0dd1a2107513ed4acdc17269bbe4a8ebe0bc141a8944340b6ef3b6261fc465d47edbc13ae8af122dd39cbc2747919f91df46fa4f93835ae0197eef16a503bf19668d456c3e4671ea9480d9699eec10d48bb439e752d5b2e7cd65f888c5ebf7d507f42a62b0020ee61cfde1084351f53b8e787aa62cc0ce526485260eb077eda45d195235555d761367057d222d01747968a88afe9d5a15ffb8f3f0017e1a0db732c9ce637fae1a140dbbf161dcb6721826435eb3957bc21f4ca15a2b5d75b88805e1344fe106a615e5828438ba9065bb5cc69d4951c7ff0d5f4d6e116413597596f83c15f12458ae47bc040ba41b407c2087c79f606f0ec78455e0a0d760687df908479021fa031c03e44699260389d522184ccde2bc11ba860bc8717fd65126a7593e31a970d5cc8295fa64d95e369410c89abcce17e8f764da51df70c4695b6c9ac2a5c84811c5e8177d2ef3db5c0b09536c2c14f939311d3010d95fe0f4a41e0f4732179d46de7b4f1a9fd701b9631041b042d4a35a9961b04c9c15fab918fc3690b3b8d3f201dcba20f28545b51bd4f3a3dedc1ed84dfd7cf57a48604ac649100448e97a405fd2788415ea35db940f381974669234c4697ab99377591ea90b1b70a012e10843ffb89d8d6c3554e37bbc7a6c431ad787479ab06929b7bece589cbf14771666031faf14d9589cbbcbc0adbab688190d2542ad043507b49359a3457cb1d32964d51fc9bad791cf727d72e7efb543f359838aa761c09625298c1266e249ddd847c34d1d9dc30b5619db4e366769841bf79e14981f4b3832e43d2032b7312920998a6d97b39a7fb281538f15fdb64ebaac2d05456bbcb8374669dcac64e140024406f28f9accbd07cbd5603229d1774ca8b5d1327539643cd6373ed27b99f2e6d12e351ed7932eb48b995ff685243613b40b7fcbd1c6f6455e1ba9195fe2244e086dced7e594665834d67a83f7571e9c610dc5cb014a01e20be288399aca77757850c24b83fde46d94ad2286c29c61e1346cc925c64d055ad9b1fdcef2cfcab92d3e8cc5bcdd6b9d302677e29b5d6e8d151ef60fb092f36654ed958e113965a32e1be0340ee1ec79cdba9c01f9112c9549b1777af5184d4958775ea737d0bce9083f050fe01c51fbe18552b0af3411dce5a711bc2f01d764ccb0d48a4c598ddcc93e5a19a4c46778af04c5e7d217a137e81edf4e388bfbe7307a5bd7a61fb052d7af124bde91c0410c6982297a479d51bcca12bb0019a30f2d722e9f64d3424c192b4acb964f979bd1e600d88e4ab1dadd350886fd47589710f833219b4e6c48d89c23fcfac4a25250686f164674db5d7f259edeb044745bfc53e6c2b60ff4647add5cdf6bd84cba451c23397c6e6ed10eda000ee898f79d8691e3b2397b7053e21026e9184c93ba76aea5a0acceeda2062aba823f053eb6647a367c2a84d7aeece8977b259bc8cffa6326af0378cb996797959ac7863b0b23d8d50ca10cf235d849691408624da22dd333d9147bea937150d9b67809d30fca392212c4274a78df05572595879e922f8c5e8e41d5729a010cec5f4eab78fad2524a4198a541060c07e89a26c95a6d64a2624b8ce9130ad56157730c75b7eacd1fcf6573571fe5150ae8af7e0c70bdeb7ba99608e8ee3aeb2dc46a17ce827bd8f119b70ab86b4a644bcdbc217dfad9eba00e31d7ea081875dde28eb9b2fbe9bc2d14d3f88776206471b538ab6e4b3f305d8610942d5b9d194b0fd218cf1522f283ee9fd36e553fff43f9d8a2164d8336e58869d66f8e245f61dbf7b00e92f1d620c80583d01cf610d402a016a65d728cdffd2ed3492139bcb2b399c6267dd4b1839dc1797aed44ea29e31997acf4cfb9455e98a903ed26a1a16e30610dbc27542aa125a8de3418d2fd159693e4a70436421cbd6f32b46096d61507b889eef280c41b70c8a678a0b6e240fb403b2545b46e534353c53b8bb78382ddb27413b3e4c34a9a1c48d31b49db7137905e7198701fcf7e998434058d27c717b055703c6dbf06f6ef96c5b8784546682e7e4731809dd9ebcfacef5369439905481c642b544777b451883cdfc88729c1207af308523e578e1b96d833ea762cb6524f7d79b25ffdeae3d77a74c86417a622b06ae608f25c7de98448327508caf620faae5e7b6a0624b743b766c1825ed6bb5361e35a46370e7a5f2e9c1cafb3b2e48a025ac572a2b33dc7ad9c1618911e7112e1c3f1d5bc192fe84cfb1feb38cbb28e497a619cf897131a56d037c78b867df4c833d5facb4df496813b438d7f559bd29a0b7f6cbe474246e1a1482e513aa38158e855a6731ee8933fe0384b7c08827b47491e897bf54f45fa14d421988a40ff164086189c5e1507dc446c2291ea41646d3bd2923294a5e4fc140ae44c5d9e4ee8a0c9cc4e47cc6231c7c465a49514a6781983cadf729111b2fb5a52dec0cfa38ac9cdb792049e649212411ffb3636d864c12821a4cae63a7bee3ed225abc2c20c69f55cf506d3d11165a28cce2e74a42c43d721a9663554cfad7d43c5ec731bd499ff8a9cde0ebf5b2d44a3111788b73c1d116e1a2f95f17f920dd1e75f2130ca32b84c8236e19864c7e726ebaaed8635d347df758f8884284c3f18c3dae2ff11805fe906cf07a13fb63212be3c950fe69f539dff4f1e108c9210452d96fcf84427eb7c9b919063809d53fbc8176121550a6bf367ed99d6d8290a1c6413b4764b008e7c2225f83d6c9cb64351fa98fc276b6b283d453d4a20ae4182b825cee869a37dee50a1c65a4493ea20ec05e68c416965e43d16ed4402e7a90560e5d13aec2c88d70d3237cc9c697fdd309034e2566e8d1851af4c7180dcedb2578b94a770d4e1f89f3d4f1a40091605ead60133ff7a29fb53e59c988a8aabe9f5fcadbcd5ace0b00d791224a838f117490d09d84628e1773eed664b9f24b46e6432917cc08e5c68fd35c66e2469083a883aae9fa97d92b536660d5b0d2d2bffcc0e5a586d3ec5a35d5e14d1b79e55090ee4d5915e8deb660dbd12bf08003890e87a8ff6f340e58bac7aae4daca841c3f81220fe530a9a8d30d8593dff96b6e41a3a2a42e446df280d97d6e6d1f71442e816a2fef1ad9d8614353f4f0da36342caceef6030fc65377631dcbe85633cc1d754f769f4e8103c3592e8a8fb8dc23b5a8f863f759610d90325aa2c253b33260ee26118830ab604cc5c7832e0718a176770904b23dd862a7766b728b5ecfe7f9c98f001e34267138c45224c2e4bed63638925ead4c94677421f47cd604fef4f7e09a325d65876c0229e8ac520038acfd818b093a214e0747bdc52f95de043afa49a0af63de8af0033e470425d633c2ee54afdba089fd988bb0a381fc1afbafa2d41b2869b445f6f0992b3e37e35e11af682ffa92b5e1788451c7d6eec4da34aa87132cb1404afffbb416b2de0ba7a29231942eb310b561dc41171bd05e7bca28e08c15f152b2655b8951cff32100fd81dca16b37f5196a3561cd77e0640b6227e5fded500849a65869542695196a96958d44d3c91df65abcdc5f668454e898a53bbb0dc49e18a77c79dfb82562f57983ac258ad181187d929c59ae4ce96b4dc12ff6db7b68e05c46fb4b1d7d7f76eb7a56b8159a56030b7b553a067df186bd9684916665339ae838d30644ab509544f354f4390525e3083f35a6b262ea0e0ba600cfa06012f2c3123c74ed2d54b929b3b38417acb1ee04f3e83feb04b73692604e77efc35319a2c6d57a3c2a96c99aff7dafd87327cf56de81cb75b1c6f4d2a28ff5b45d20cd55675ac671c92a1bb087c3aedf25a716cad3581b09097e9f50263d1b8ec68c3c08d83d26d7feb30e689b0e8602e9ddbce83b3cc67d49d871a1ebcf25c75406ab7a46168dbe07f3fd19f9d0e56d116e50f46df34e2ef12925aa17c78d2a0472b6c95842603f5fffc33a3c47dfe95232909970f9e83cd796b723fafdcc0495ab5989b0f6915a88832d87eab015f9db41cc67cf64c73373b13b9460c9cd47542b59c664a9efb9bf4a254c669ef888bfc6313b2a9375d8986e83062319767c79a0962fce06b8d4b97b9b8472bf1581ee38859a398daf003bed4cb2f332c3a25bd32326d9561cf2dfc38d6ccb029d152c67ca8dd4cb525031198bc17b99b00d3e0a93c180c72e1d85ea63f2543d892fd59b2805032c8a5c5fcd6505fa286302adb0971a091a5c30df3d317db4d608cc08b424b7b98bbf12e2ea62b14ca626ffc73fd4ad81667afe5097fa210a1bb9c87d358f2fcc0ded7c72e22897910cfda6bd5c5e5ca884a61c2a98cbc7dbbbe6403ab9e4830a7f5e408ddbc9ec1ac85dd13c1497ec12d2c9db5de89438f0ac690409af159eeb7e7e71ce83e5557de89d660214e814c1138b5c4cde47d111a59d96554a7616a2b400641ea7d2da8811acbd26c87dbdb4fa5bab3b9dd806b258a4480d822e28cc27a505ce24c96ca4698a90eace94cc95849b2c7fa2d8c709ab586df85edeae7c035c8af4668123f16c68f248c7400360eb000da0d66e7f167fc2b5232102d2f73779910783e619f323edf942c85e4a318809a7b118f718c98e401fc49bc59b02390560e815dfa1bc2cb5dc1f2266fb9d33b7d9a9ac85522efc8eaa278696a32f5cec3cb5556a9ca0ffc006f93a9ae68a927fb6969e92b06b4fdc234dc42731a4b38daf8ac9f8f1f4f73aacdc76b2bcb021474d039c3454eaa0cb47aef8fcd328d94003a3df8a70081663bd1aa5295ba5793c7665bb9ddf265345bed4530956081f327c7572786f98aecf92091c13de5902f36063d1d21f12580afeffb761eea79d373341f2b1d2f48e6d49f3671bdf1f5d822d88fbbca41cba6355d2a73654215cc80eddbb373980d6f2ac89522543585bcd1bd519a2e7b2e9f518c889f26a96e6b3a86c23dc91988cfc3c65c950d0d9b00c231ca30868d908a5cc31c85297c7e08845850dcbfa5b9d209be2f7b29ee11f2bd5247572aaa44931e233d9b04bb6ef83e8f3256df0ebef09ccb4bb58177a5d7a62272947ceda2a2f95a2214fae1304eedf840b949ce8ce5289d3e4ee204bf0f46ceccc37adc80dc34360f12e7c386f443a37664d80fb0190827783968e49a3d7a0ab9df0948bc1eee0f299d4f55982e5bf589e433eec23f9f30b32afb1eabe2b6d15413a541b8eef0a4bed9f2e5db753713c2dbdfcd77029470397a374b17168951bd63ba27f5d8266f908f5f75d8dcf40b17e412a8cba20656acacbf777bca914dd158c58df1e6d57f70f78d7f758cfdbb3a7f42b095fa72be13637a764f291ff36343a9efa4cd4f9ce83e21d088eb5da57d60facc253a9809ad694f82c630d07f86dd4c5a5a3fb28fac1963e924d9a203ba59974070d3b8aa983dd1126c6ed34bf61a48470be943cedc78e4f5ee3ee81f61d434ae2b823625e006b81262cbcafe87b146e1b38de1725997fe0595151ec82bc7de3ca8dd9d275c7fcbbbff048edd6bcb87c7d89bbc8190e36c5eb25d09cf6163a91944bc8d81b8d705f87d9397c4dfb5eae7eb84747b732645475786db6370e433f4b562bbb810eaa5f5fa504571d7072a89da2c7d830006acc5df1750c64965633b8e31aad1c22649b609a0434fc4f5d677dd268f4c87410d416aa392e97557524f7aeb076741addc1eafab923bd95b70683045e96d34314ef449c25d3e1e8173f1d5796d860da62f16a9abc3ec6047a2c6735a97c37c12ac644f461eab32f9755ac9850848b2004ee9a5f696f39ee9d5c5e0c260414abee7407da6f59689c034d116cfaf9f63ea867ff5b170b34fe761c538874553ab0a83361be6241bda4757ffb4bd4c10ed83860ff85268651f557223d0c701dbc2603b3ab33d94c1344bda45b774660736125a1235597f7b64dd504cbb3e17b095b3b836476a8bd87e288377cd1422b2c9552a04569d54a826eac1b4d0ea98cbcaf7ae2ce93df4bbd6af17daa3e353f6bd69eb46035a2109a652ae1f5a7c40d36e117ce1e56496cd34f8e398b77c5742778360b8232174e7fc1a990a3d6b8fc6403392b893e7bf5517b829e86bc4b623e76c7d650ad3131aa1d8a869c9fce8fe156d1b08f39db6dad072f06d687ab143703c89282fe094ef04f88767419f05783f4080c475a3b2d172e0996bc0528173a4c53537699c9959d932afd99e666c98dd85ba0e6b5356ed144ab486ffd190f2bdfa8d4967ec65aaf827a1b23f674cf82a516daae99a5623bfb696e3f7897299199472a7a987898bdb7c92e62ffa43427f1b0748511e78e050998b7ccef263f7b64ec61a011268138ac40a3605ae867c49c85bbf1a7565806f052769916e11f54a96b2ad31771b5f875e77f0765f64e4d92ac79da30c29826d506bf3dce7fef9ab740af9757c2875831fdfcf1d2bf8ca68bccab73eff85e5cb300f4e6cf923a0b0e6288c08d958965d41420315e948b62994325c7d5a995d800514369a73cdaa245e2425a837ed7bd0a7eacd93f8c639857d7df4cbc2c90a4756470252480646261c5e2f7008de8b2de349cab0aac0b5a5f3b97ff9c6dab8da4d2385520cec793e0d9b64ba2e40b635b61027e197940d056a5fdc90859798a36e816b3747b0fff8793a12a0808ef40d957c77a557cabd5801d4f04e9e1d134b104da9b5df9aa72c059afdf9c1d1c8c8b15ec30314450f013a84e101252d435be1c4bef351bf74ffcfd7531283db85d6e129f731934ad35585d166ebc5384fab61a32f64dc669af6333cfdf723888e5fbd9c2731f49794ad64ab51640154a69d0697ade33fdec21f93c1215493a7abd08ce4df3805c5ee985f1212cafd942e45751ce5e668df052015db35b69e6440b02e256eb2db473cbca04009893e052274b340a24aea3a3dbce536a11640aac624e160856de20e4779b9d5f2162f5ef54356ccb48f67cda8222258c4520de17c9082b6ed813a0a02e75a158e0271091128252379a292db04498f928fbc24759b902bd5c30a3cc0ef40793dafb6525201d5a6003cc927cb6f828d383e8ce8f8f746fae9ec102177772ce71405504faee5137c385e949407030a8e83ecce66cf256afc930426404ae9c56c7ac1ee68a79a3c6cc52081a32c6367c82d7bee755014cb3e47d32aa71fe6b6fe7c8e1b7004d827eb396b1995eb4ee2737fac63cd15de6ba73c9c5b6abb278a7b53dc97ba1317b1f8f6764e49fa0f854b0d4489e55c1b8cbd6592454b4db830e7b37f41e021d1901c210256b1d5f3b0c699b586b2b3884254825dce42b5a3f9879d74a09b2675f7342fcd7e9182bf2da246decb6ec6bb37855ae19dd71ef73c547ed51eec6a6182a5b951614fe52e600c7fbec6f0edd9b813f2b77168cc6082c6845e52862ebdf2d72d280b1183e60c9ea8aeb895de7fe51e71b1e68adc70623c0d320567a0d2456a7f3bf8fd9bb685c74bcf349105e39c23a41af529a20d6d6a6b137266ff7393ec67cb4cd6404363007f1b427d5cb430b9e46a784b6084643cb87c1a0c889c2419e7fdb2c44e4cec50fb754fed38cc8a86ae3d805ea4ed88665580d2911070c0306630ee1adfbaf762cf665f7240e9f9daf02709981d509556b1f809c234087d30ecc96eabe644ec6de5aaa2c96e818e2d4353f6ee4582575b18feb7db59518ed901669cac04d537baa9f2084847f602db1368d2447f1a1e40b410db5f9d0b31536b414a7ddd3e0c17893574822c1a90a7136c2ca98ba1cfa11508fccb12618df8b53ca2aca58846b8689b9efc4d539e525d9a0a1a58fc9fe190bedd168b21d6b2d20018b332fe92bb005f3fe7e43055fb57017503ff82109b564d413ea22e09c09d46add02eeb9d00f92738e7028f9e69af72080cc680bca0b0356e947e315b30f5ae9143bae3129d7b45641204cf960d05f81e2a3c7b3301564cc5fed34b49c2e443d28862af7c0c5323e7a2b77b6c54358d703904a4277123bdce070d7d56befb71cb36fb8419c3d1a06e5ad60046c40416718d929c4268fb011aa7a2966cc8995ce8e13d27f5d7087ccbccbac5f9cb765cd057d48f508b9640ac1b5ff8eef95261b2cd5304652b843ef5387b29c996e5b08c98350d26bf97cb169654bd36b1a96a1d029c3c6769579cbbb05355b50f56837f574f9f10e32d0837c4714487ce1fdb2c8dda869fe6bf5c2da3d2c2a7319370d736aa6f5311911f4caa4966d60e4cb9515b31608f8f591d3d2e185b41fc770eae7931b0b2225e4bae67a5f467cb92bb838bf2d21e644f68cb4c146350cce1dc386eb41c1f1fcf80ac04e449391648fef5b9e0c1437fd08bdecbe26f6feddcda6d7495cf19e71fc589e6154a68d4208163b17c67a5a68d663a2bbb3d363a2974bc2bbb60c1d23febacf7f6fb192ec1b6dbc0da7eed3ede4bef53742c1d1b0619bb8dcfc58e4a58da0ddb3c7af660fc6577af12cbf11ff1f6b2ed0558d3df215bf9cf1ee95b17248e002a40f85ab560535c72dc227a0b6939958518e3ea7a049f596284f4987f670e771401e22fb675f22f842c875ab9d535517fbb74209b36f11faba7f8c654f69abccaaf03151272deedb474b787dc4606a278c5d90de97b7962ddfc0101a49856e85090a554f7381aba540278691abdfd48fbbb4346c4669dd6dc8892b4af232c7f566eeb1523ccf9906a6d46d8207f0e68913539449118be01f53cf05c9acd11ca80faeb300d3489aa9b6033cf130f58ad8b76b4b41846288d2a31380855dcfbfbb95d166d2ce8bbb7770ecdfd3c17a3fdb0c68d081e27e0e1173b0e80448ba44ac29fbdef015fd9a21d3c4bd2e16e3f7cc457a9cf2bed6c9e7c54393d15ddc0fdbf6b5b16ce50ec92f55438ad2db792e9d72a87bd5eccd2e1ee0e1f8b750d84e0371b84ab84d6ed81968a7acba1fb32db32d9fbaea613464a03137c12f1f98250b078aa6d72fde8bf73b00d244b92ecd237f4789afac3fe7723c19b761ea85d9cf636fb8ab754987bff19646a584154063ca645b5aa7ab8710af4125c9623f5c1b940431265a0922ab0622778730b50d05218151ca993a4303bd9c0576940cbb8b1f70b48914a69193355cb80b6b70b40e2db3ce7a81be303dc4c12552e5fbdbf527fdd7f47d3cab480fc509d57bda7470f1daee34e0820296c942eedccbdc4a8e2faffa4511c1c9ac1d97e8d51cf696f2c320eabccdccc4e37ed5632f1a6f726920fbf7defac511e1be4f9e0ca7b18ecb9fca1963f420d174d56150aec196489e0d243b67f15a792bb6dfc5e69c0fcd7546438a0b29d927a505c18c5237b090e18adcf5baa0b8bf65dcf059c03e8ac7055094b898ecef7b8de5d0c2449d9931613304f2efb4e1f7154453ba6e0573de2b4d921768f56adfb00f3b2e4d167b868081fd5fc2b9daa3c9e914fcc31cb74747d2e60de4957c03ed2a9297b6f0ec81b80562e288f888158a4f2609d9e6fe2447d8a04f5c30bad4616345670190ca05cd0882f3320c2d6380554b52d132ba7b97a96c6a2e6e4aaa73c13b000c0843dfdb6fb32d1b048998b97b26c4f6ddb2556de1c3f91bc0f1d12d7b235185b639aea6918621bdf568767ae6bbd69414a53839d46c4d8c4183a7b4f54ed4fbcc676d14ad06ace7ffafa84261b535222901615506ddb62dd60f6becdc9ee40ea0d0bbe7612533aff8c3fb0b79c2ef93363f8cd66c17cfb4917aa074b970c1a79c4e56bdbb11f1ad97b61ed0c160a39dcdcc36b419aeeaefacd300e8073d0b1b4643874fe3985a54c7cd843857abe53e00442ea4203ce7b0f71e8ae501ba340c6b41c24ed279cd3dc321734eedfcd750e5be1ff10f8f029ec8effa41a40687e45fb0cd87a7915bb495c86ac607b9eafb16d12dd02163ddaaed934e02d18b04b5009ed61f9bea82b42780f5a0a638c240c11558f16cc18dc645478d464570ad58f3994d64de964d0dc25295067a232ebcf67a37cc5a5000a37c35963b3c1c0ebc9ff09a5037bc60bac8fccbb789ff1450d630d86eef8b3b9d7a02466185509200fe739f90f50112c7efafab7974b573f10537d37f185bd1f17cbda779d0dce20a02b8a8bdd253f6ca79b35c6ec4577d79691b09f687d485f5de692ae432121f7524166a33e84506ec3a15fec7c7cd23a72b03c8dd937da3743dff7289f9d3fe1cfe9135a97115f78879a68457e55b7a7287225722d38b02aa2d4eaf591fa04174fa272f5306027eb780bff53e956e649d682dec1b19cefa412f758869f135f70166ad61bfcd71268775916d2717ce4e217c57e6a8f5a9df18302b7e10333dffb33d42dd5e544f5a765e5ad1dc6c5f5a845717d126152df28db896c4085be134cf86fc37304f5d921cd0dfb5fb869eed41771b9843cc91dacef563608ce29a0b2c94a61c48221c96401702bbb1985a476fb353d17154ee1cd3b9c0cd16acd63b3a2aa3de75053a19d769e3388e25a77106af3af27d2a1fe0484e216851ad994339d0d62fa6fd34bc75a576bb9c9967443886956b61019e72eceba602cb66abdbc477d6fb3a02c72d9c3828faec4cd977345c8b7791b140ca99032a2b3dc8a70316b0ede00244d528aa603c1f60b9c34e1f3120db3901e0e21b8a8197fc7ba079bae0ff7dcfa36413c21ea3add015e6640745855181fca5322d9600766ed15bcaa9734ea6b912b2e79239a36a6c1d0a9ee5715d43eced66ee1356589c75d2f443aa4514af88b760e28846235cdbb236dc5ba0a4cc58a41d087fb01ee287768b43fdd04d2b342e4f55f25feb0406c5b4dacc41eda78909afe2db87a449013235b34af900c8b017a1fbdf365ed73749db9331a4527038d515ed961cf01e64aa34640107499b2a298acaa93509d8f250b1ea197ab9351f2238c22687ebe830ed2b7832bc162660622456628c872f7780da9cd10c5b560385e4c89a59dfa2cbb93ed379ecf54949f5b80b444c6f88ef9546206c21cad477e6cacaf7138b104182c94862359b54b38e18dd1c3179496fc9af47a4bea9dd013d46e841c1813da7b4140362a87b3ed2a7f43dabd42a585bca5bce51dbca618a34256d04d0e8fc8a1c6e8f890c90a049ef5c2e6ec35b9731e44781bbd8212fb947b1b2020dde9d5e01b93842f9026499d9caa48e111d460a55b4bcc045b6e620ee0d67862dce0b3744b568180f2f4c0bd8542631366970b5609cca0a52da26ddde0a3fb4660a5723288e9b1a3ddb92cf966722ce75d2eb94f39775db1c9f8d67bbf449c00ca586cb8c5bee8ecf96f1672bc878e93933ad808b349b3b969d978b4e7f08102349adcc5dbc04b784dac05b4dafbc227d826dd8732a4582b4df626369d5f04975b4b12688e87ff1325171d1ac9340707dcf27b9b8c701cef7a0fc6651f0f5b8b23444b00b9563cf7ba9d3dfd85ae3107abc6d7a712b485fee201ce013728d30d5ff682102cd628f4fcbdca65f6cdfcd30f049b65d5a7db0b9d7d9a23ac177a8e06b5802e26df262ab55e0d31d6b83c0b5abaea33475c08dd85a94514f0be84a8e878c1756106e300eec6008e3c59fa129982a1841d3aae965430c2972b6677c99d2ef43a9b4470f2ef262de3eb09285d7c2d6196a04da4bcefa3436ec9ee6d2dd586a52204785561847d3bba701e699bb10ac4c706718206c671ffb070e94008d8244efb63e7f943c5f4daf2d4a4e4e7f0a80e797e0fda919f51395612b35d9229be7181cd73b4ccc40098bee247f25435ea701e862f1faba7760a40a7ec9c85c660014e52109bde52e015e8aa853723fe1bbc59a9876601ac1bd69b4a0e53cf02d8826b954952545276a02a82eb6d9905eeefd672329945a2433b3712a63f3585141cc8f95bcb34c0e9b67bb07eda92239cb11b22a02b11c88672e2a05bd4541e34352b737d86909072d3c458cb7bc64e6e34673247249fa7066a43e50ca708a26123676c16ca78a059ceb7591153ad82104c39b3b601f205ebbba9fe0c290546520e7c29247d34e23940e01811cf7f01352b016ed17db1cfe68b1b91e981457b647f101e87f175fa872e85f2d4fca6a0e37b57c8048d26e532d1ba95cfeb448c63da96632fb2b84bcb4ba0c93f9abac0e20eaaf92b257ec49a7b58027f47bdada1a335dc6e1b181abde9c6c8358030c09e69b49705c905b7ca95fdd92c886cbedae09819f5ffb4adb2cfb0970c362bf6df5fb40fed75a04b79ac3d898683c8e518567d5e7246be5cc05e046b19ae1b2800afa939164b4543874ed58a0b0afed66e9d6b715e97e5af0584f890d1627f1bf6dc48e0f97c68915f740aec2bd8dbbcd07f613d5a3c205c716c6010e2e0b60d3ec7f80f482167f53b7c7bcfd3a05962033e7218d9e1b751121d91623b1783bf318655d8320202dd274d319e9cbab8f7c3aa8d0851d16c77d075c7758cfc1ac71de99d4acc1d46a5bd1e5aeb6a9d9ad4951d169b38f67d4d1315bdc4be2c6872eef97ae407eba15b8f3a148f376c6f40660513234e8ca9fb0055ec776c1bf8c77269a9a65f75e2891a6d5aaf083d58550e9acc9b91498ef992bd69a1bd137914cc545fa7f4879e06e709e264f49f5fea67612d28c4ba39a0e3378f847cdbb8b35536ddad7d1eed35660005f1079f747c294f02b9d5f59d265970f95bc22f081a92c747f2d860440085a1ce07e4a165589d617292324dcfdf3189f6f65ac5decaaba7f293d69fde6398a97f074f1766cb2907c053da7ce251abb62df9aa66c4f6141e611243eba93dc3f5bdec369036b8f55cf9d25fc29275b1eba5fc1a6208272c2adcd42df07873e2135ad41d949e7bea8556b31544be9f7475776b3e181faa20ced0cc9d2bfc6808bc14c9edc373ba816a239f623bcddb9b6f52265eb66ea56b6873e4a0ff5c90871ce7d5f8b1965d4783873098d57069b89f602eacaede3bd06562d129b72ec0cb4d53388d02a0dcee63b78e59add36a5187d221feaf6042f9115a584e427ed41c3c3a0fcc398959568a134bc89638aa1f2cc93a71385f13e5dde60882daac67bb564925e32eede3fb2ae13cf18d0ef7cf3639db3d109845b752716007d399488c6e127d7922abf621290665d995fb9ec29d1498b56b40667ad240d79e1fc06a9f81413904a83c32937f90bfaa299aafc1bb858f4fb6ab2c953e3cf34fc853f1eabbd8d1d5f61ed9a68d6737104d4deae043243cb4d4a2dd42e3949ed57d3af91cf0444b0c987a23e993e7aaad547c0e869a1e4fe17182a440d64355a16419f529cd0eeee117ae3150f871c5b60d772c064e9173d11279b447e4ce544ede7b2d87128bcbcc46837359e6019ac8a60541d688111165f5748ed56948be7afa0862a466160a8d6eefc7470d35a8e5f83e7f2a08b3a62ac501fbc2003173c0ab20531879dcd278ca8d6dadb279775110d33f2525f806395c42ba375ad2d6c49093f500b29a2e7a9cfaffa6e57b351a41747d7f1cf38e5931d6002dfed68383c6cb629fc78e1c3729e769b67d8b15cc3c4619da98dc03680cc3cffada726820ef2a20508fc26a31b40e498e07d06f411ea7857ae1b13297b3c1ca8199213ed7efb1e6935f4a73541a9fcbe403376f1ab8cee6b049eaeeb1d08f8e414ba52a9656914003438755df172a78013aa9a31833dacae0cec92951e93fda5c2ccd9eb62e8159406023ae08708e64399d98e3980d7defa2ff7ecae3ecf1a3412ab39ec6c40f0dfdeb51fed4d8b0f6f9f908aafa48d6a4d2f68d75c0fc135b30bbf1d5a84189c59b12deab58c122487f4a30c9483115d8f379a8888156055dd30f83a22f7fd19e8c795e8508d939311eeee92b8497fae57dd3d398dddadff411003dc978991690b9b92bbfc8e28b2c8a41499f1abb71ea8e68020055973ccc479c860eef79a4016f23bec03256efbefadc1763f62ee6fa568a6b007ac9f9c69b0068d743da6734f38d5f2b5542aae2f387fefbd3d38e7383a8f7ffdf94811a9e24dad68eda226d67f182ee97ee03230ed10b5054300553fc89d3d70b8b44bfb63e2df86b6c25c486b9a09f2070c3e667c464deec0419619c649dd782aa4dd048ce3c6e60d3069ae0e74a8a635e0fdb3628d561f243d395a81c3a336f577cf0cc3d4faa0f143dff71e0e56e8d6e2e6353a180a8e31f6e8f142d86b0bdd1756a2d4d9e7fa7c35e9deb7e4574cf04c95f44d5aa4b4934c1a7269d8ac37b7d680f9a66ac63268cfa9f4b94dd6107cda2270146a822c1b61841996c605584c9de4e2cbbb40a4a3a0f89636a3b7acae205ea7fc114d71ec2b8c927682af71d74112618ccb3dcf48a23e7acf0b8e59d75c9a0ab17358219b757e650e71cb85c2b43d7e0c90b81c29e352d3b11c52f29c7fe37972a39a712d4f4fc0544f5ebfb5bbdfdfe803a2b407e5056e3bff3048b1ad4d2c786ae6e1712f1a0a538ec3852e13b457f88023bcd9deaadc0e6d8f2f2227632d47f3d57262eb9b6e3cad6fb5af2ed5126dc536bb78483d7d92f711a4a9acf7e2b76e067dee9df1ece3b0a3758cc498a90214037d66478aff037dc8f214b36af08c630378c25b3019c6a492960c1a80b8af87370105942be92789b5f9c2b736108a311a7abfc31cc96d90a9e5d1a28d2e2f31c51644b7cb4537817b816a7125d985d85fd3b601302030cf3bcd1d040d8f902644457ef61444285ee32d157a5301501f73774ee6fa1bb7f8996c07c69dba0e8e0ae1c2f4810a07ba6e49be858cd182a69253d3388c4963d121ac6659345d41d382920b6d66420c3052742eb19b8da15e430592678a7e14ebf6ece85e070d22f5ef1497e46e52d0463417bfdc32ecc7d83d60f5c116d56b8e6b787743c1556af55cc32499c21a866b96ee95d15fb22312da89cbdd88060ad067da68e5985bc596f4bd303ae65d76eda2aa71bb2b04ef4ff2c3bf0c515138e0f5f396f1c7e7d4434910a93bf94e8e7f4ac87709ddf345f5966b4e3efeadbcdab0bb6191c409f574d20bbe9fba2ad7b47970d8b7e7c74639b0070d3da91e2d928d58a8c113fab36dd2cc19afdfe814880c3c09a3085ada44ead79189787e2cd4969b039664097c2651ec46e8ebb3698e0916362a36b22490ba2643570e27d00d02bae7a368589cd35b3604dbdec2fd1b7dcfdcb501207e9f557ebd980fdcc4abb239b541232858ef2d9bb7d0e25989a345de398258c8708b278a9a06596cc49bdc06dbed4a4f8d8ff4574448a4c7e1be70f7e85acd340905668a12646a1669d52b4c9a75b137c5d5d6d26ed14bc3f54b292977a61210c6ac8865dc5a3549dc4a72d0be26031395130cdca259d85fbec800281b0a1f1fdbb9b5bc0c44aa35ebfe24f9e75c1c3bb87cb11eb37bac91a4de8f6a5869748b67fbf2b0a9a07c9ddb7b39f6356160e9db49a7264e982cbc9be684920c03b1905dc6d6952759b9a68ca71e18468a6ba7d21155e07bcd72a007e2de595239b6ee4a869111af53b249440373eab8c34865f3f9a6feee1e9c45a94b8e7d2c0d8cee30ecb7014734fc0f8228d88ad3da449156b2d4d474c1dc383ba7d8c7a418427347dc566c72a1fc9a42230f4d94c73c67468b6cfa7f1b10512732d59a8c58bedce61fe3d79fd0920899136ae7512cb81f178b9771f778b66656cc4949fe2603629618eb6949f94f50affc2801878eb33516b5b1105a4abd0590005222acf112dafbd274029dc92f33de2a40777bdc5f8a05387cea45ce5f209182dccadb470e4f5e93067cec4b71b7621ca8e84ff0b53a125ca922fb8ffdf38b8e25bbb160764039ce1d5622afe9559d91ea2b83d3fb95e3a6d78fc120984815d77f9522147da1ad688c942f6a7b3f7ac89e3feb1633ac631c824fa1597e8a0dcd745c92a08a8eafa3f0a42c873cc9d836a4273e4008305c03b8c0b1171d10979e64e23ddc352ee6418a766ded4ff90cc242dc6e0821be9999b8ad456e6556285b394577db8950f800b1b0418d32e06e39fdbd3de4b15bb03155e8a36ea38f2416d337ac525d36ae7d0a5509f7557b1218f60e8b114e6c41c3a4934a2c42c903e5ca5183e04733c03e305b26a3b781a16c073e0ff730a06af039c84b329110f25f1238d24910688f6bb28f5ebfe4c8f5bccf67409c8ed4252575754e380f77028b36208e62018be69ac2858d30c9da3dfe5ed3d1c4841b6346aacfa00b0fa81d9dc9f525a2e3c74f9952d3c46b5684464ad156e13e50362e5e77401fdbfc100dfa22f6995fa1aba855dd2bf02df75a0537b3b9ce038a55d846da4f4c4933c8b06cd8b03affd065f722a8e02a6acda9c7b5b6bb6ca98407404c320633d08d47dbdb2b951624f66c352abb57f0f7a7b959ac45f218c0417d5aaf0f9fdeedc2ec3bfca719cacac2e24867429d1daf7e35b80ca1b711f0f3b3e983417f16e62f9122ead0aa16cd948638a820274536c694fc03336f28c0479dcf3d38bf664704eeb477068396ced416b04ec7c9a8dd4b2a246d4673559a5827f426edaa0805164b854f06cd9d440f24ed009ebf6e9d98bf632a9ccdaf41a71831a7bb1cd04a3659ea80110bc4f4af7fedd7494888df4eedc26e1535d1852ce90fcc83a8a2239bf8071305acadff8dbec924db638b81836e2ca6d272f75e99b3f85188d8bbfe1172e82ae3752a3443c423e5acfcff25aec15a9a886c842685c40cdeb27a10c2b2d381374ad8dfea4b217fccd05160af1ff8107a1b06bb49c15978c77a6cb17f81a576ddf8e892935ee1214b433c270ba7ab12e013e569c2fb2ee60127f3b43ac005c41cfeef83472fe9f57409af5c66df3c5365b74eb2388c2e2ff1457585ba8ceef02558bb4ab2214f9e70ed7a3ca9376318a2344478481a845816277b384c5c7f40f794e2c5b2c106a4fe7be7a16d7038548b4d91eeeba040e89193e8ebb1669c953d8c20ade675675661f2e1c097cbd7c5e1be210305950a7017af947b19e0413ce496f78ef1edbc54c25bd25886ec81b4d68a46492cc3a2e43e9a29ab8b0885f962c760e4f8da705ecad7060975c84f71470ec539ae4fb71aceb55d07fecdcc6f149fbe0f67fdd56d5fb276e56746f91e529e3c072010698ff71ce02d6ccf1df24370b4665cf579af55e37a8aa8d986dd3a97b6ec2cf92737fb9a8f856ac45807eb905ed54a28e2419ef1526e71d487bb7ac85b89075e6026277a3d8fe9bebb178efacd63b894b158eb59467d2d63e68b3617717b8c2f7bee9e10bc580f85735fcfcc0f0f4b2a62eb9aa3351aa682147be2beb6d3c976aa99e66d92cdd10ea3133535545f7371e8f908b8e91fa25652afd89cb4e0f58434948f116928c576805edc7554efd71c554947e14871c64404ae8357fc81d719d1d3427c63d77ec271c0cb94279a4851b0a372fe08b7343a6bb0863076a28c111c1819d7b7404fdfb2df9242d3b9e92e3d9e54074e2c56ec902a745a71433c50fd91e108549a716f5e1c23ff4c2b94eee99e5b6a9871b0dafbc4d4c668130010fdcb383e9f689c2bb1b1b0afb1fb3fe12d1cd4e889b5243c2ef2805814756b0e35c104090215114555cef6439845c438de3cf688daec9fe1cf353285b61735121d78d3481ab5fec2dac4841eaa04da6d40c731da37b80faaa85373b525d1fa6a1074139e677feaac46216ac231fe03a36c1e9395c9f9ad0d6208da73e79ceba1a1ea4e8e3e93ac914687f883e767024522b581f95e0250388f329310ed9d0a5b746b60b31994de35850c43662daf52edbed05f2a1dc157a726fd0e5d73034a993a42476bd9ca2dc0dfa93ca6ee6d27e3677e1afba84f1c17a5949db355d94ee39e553df882680c982974c17bd96330e8b5cffdb350db87032424966a4868ff37c328288506238a46c45e9c35ab60fd807fb8923e381530db9cf8b085e9604ae6fbfbd221f08882f09b43824e578c63406b85737aee796c1a63b86d325ac8663db8c549e6b647abbdd402b5e6fc031caeb1736c4dc2b38f85a0055c3b0ad70e01953c51c15fa28c57a293e3c28a7ffaecbbaf6565fcd9446257c0f9c64b495c63c99398d115b3b86824e103a7d790319cfa8d3384fb6bf7832c8c9f7a0f63967e23c0c63e515d97c3985f0e921028c76d471f1ea5ddc016e2b177bafa49e7160d87a54de1f7eedffaca5c2262bce6852382430b307b8c107060b835e197e3e15c87f69f74246db59c767219e2932cf5a42cd646766a48bc0146acccbe0db08d12cbf83c518adfadf8c3efb8ce0480babfeb4616313c3a5de5f75a9f02e8277209a88990598e77f4e3ab2f4b943fc28e78755ff3105e4765132b1fadf38183ed60e24c8dc8155fd8ba2687b7a96dffb74fdc143fe26877129772a8d92df9fc240a69e9a20bb66eef414760b51e263ab82b2e7a24eb7683debb4a32ebf847f57e20adbfb8678b1e2eaa315e14921c1f822aa0c01c63bdb595779d5766b9bf1ca25f15ddc54e3aea3ed247a0ab497ed9d0d735559b0df6510830171c0434641a92e7e15aad7615b86c6d042c39fce84d8a822c1b3b17eb94fc31f394d01a0f9898271dc0c139c4182d66f8694c2d589a29040209effd7674a644cf1993077f9d886a0f9d99501b388e411d8a02ea6d50ae4be31b224a22e276c4f5d24d3bc14f19f50232a1fffb5a0b3d8f34017d60001ae987b38538989a9f9a8838d2a16d8eb62cdda34885785aef8e97ec8b8756c27c9320d00feea3ac530ceeccf1f0126d377a6804993605e2bdd6f60eee748ee77c93c30c27ea20e74a8c4a07e69e7e7111b416f0ac2563f9746a0edc814384ab35d9b6213a96d0e73892529e907f6a725d3afffab6d2bb6963798a533e62cccbbb63d2722b9801ca7fdee7a3eba6208cdb76139716eaa082b8aad3fade9ea46f074e9746c0aa5f6a2ac43e0df2853644b15415b4fc50cba3fd1113073cb7ba313582a44145bca5cbab59e397d34b90ef184cc4d848414b1e483e93cdbba330370acf791e436720221b3fb8c8745cd1836e25e1310d1a38f2dd41111844fa224672ac380d632d8c0bda7be5c5259951515c92d02727a9a64e37160ca21b75de5322e3031429b2de246c262b64aa8937d3d5389b5d219abe41a526fc979af670dd1d12c08e35c57063d8a5218501c69c00f1152d5355b65215dae5bb959c26610ce997141a10fa7cd91caf89acc012d7621c282643e94ff6b9916f1a0a37fe6f11b2294f2fdd1f49cdf0e6225371385ee0d6255d848dd206f11bb74f9cb201d0d8b809f048829d6e7f3df2edbff32694129fb4fe4fbe4bc87e145c2242900ea4b86f62143228ba06611b9a7889b0fbc46c904b60799f80a6d49df2fa9ee1522561b65da25fd64ea2435e6f4aa7f21fcdc32eec2a2694592f8c8f2f5bf2b56caa5c158a411c48f8af3524d0d5e1325492ba7d806d09473745b962d2d531f27e237a556eacc014ae2e4c83062f9fb99b0356bd32709c7444eb5c6579a03e5f07e9d61fc843bda7447d35069b0939d35c359ac22f55628e212f7b9167d922f271c6a6fa78d8a29bee50f1a0532e9e36f9b51729c73a6caf89555c57a48c052426d544053cf826228cfc59c6703c0c0a5a5ba69c2a2dd855d301f7a4f6e500d7f01fdb749921856eaec9417d55cf262b3082f29ccefa9c6de696d2e94cdf6ef377d1d9ec55d628d68f23010076eab2c20a70f1f35f5ccb14d41379daa5fda6ec7dc77fc062cd8c11a14b26b37596d63501ef00e7d9e4c94a76c15afe225a2936968ec501b632fad0e3c34a50cd2d4e77fba16bb03b4f3d7d049cac5637d812a8ec95c84d11c1b2b5ecf2e103566ab88d835d3bc72a36e5116fbc668b26c3db42e9d21e263650c4039466f69c2e42248b209b47fc00f950d7e0374a7627b35e33f5a2a8370a2cc8900a3cf9e7873d0ecc53c32349ca9ff05c323c8807bd054a04055cd7fa3ceb641f7dbdc1827309268e6c0aba7c908a19b0e0ce9180b317c7027b2778c95cb853adc636eaacd67bf6d7740100f091fc874bc0c4943728eb5b4c8c4d6c89a0e90b96eabfa38262e99f81cad9edf20299bf78dd48c4602a8122b1311c331b427f29ea5ea214500d096eef4b5ead952df75b5e189266edf30258e815ea970ad8227756a8f60f5debd25d5fcab92e8a0ff5e1369961d796730fcd4d2cb400cdc46d67e77365b846ceb1991e6d492603ad9b61336cc180e40de55c1aa2e51399698a1d23b3b31ac5d5cec5fb10bcf10a506ce52d2320f615f810f781358ca0d23d2d324977156c1b5c18e5a2c6a02028a40373ffd5c3afccccb92f7cefde2891e69aa49e7a8ecf8e275cbed5176c0a1a7ad96fa8faca234b32b1683e78321a82c05e316e2e15d52c89fcfb233815e9981ecf3684dd41d84286097e78ae1afb89c94488659cb274f765c72244f1936733c40d8894fc3717580e681dc6571edf1aea38cc4c65270f44ac368b7d1cd7a86d491ad50cec56470b451dd16f0f26d336c6b355fa176a1fbcad193d996b1877660574805dfd8bdf4c2d5ad5d521a4a5745028dc7069aa724e8135d1c7ce1ea7601a9f824c0aed405e3475ae16e5ed1998d139bd028e9375068ae42a6df9b3dced7e22c493f50ea13d200f056c79e5cea73d4b3dd8e07d81b3433698f322913cdc117a9a46d6236b93f36eb1c2388eed31fa56c960e2b6c706378536a2ca2b9542c8dbac145ae109e65202af98a72582406b3eecf41ff166518d574c88c9b03e2b7c112611a5688bfcdfe830e0d5e04cf3c4d75f40c1d7395f7f84c5d23bd164c619c9a0baa214ca31fcafcb2791d99da41f381cf652cdc98a6134f679c1118b7fa503e9ad1b06a7c26c6339069485910515acc89b43d6f31d773be54560101775234dff26cebb9138a7f865b9d6d792284f011b7b1d910e3235ccdca0bf0f96b80e1fa1a9c93e0a9cdfa3f712d3f139f9df4479d0ee1f4d4d67a354e975837247802c87c594e5716808d3dc404890beb51fe5896d8a045c9d1f8d5ed015a86fce9d1e81d74ac80404c30083b5a7336ef13989620dac8e7a2a558c8d1f1b6e929add6b9a3622739ad4eb93afe997ddb4fecce60f5fc775b6efb527fdc055982fe2ad505c002516175e6284d872056a927b48be6aad370183d815c58af790f618e0f748d725146193f618aef1b5a064635b50ce682b3961a2f19eab84e293abe4087d7ee117c08608fc4bc9637ebbeb945bcdd66207b2f02331cf5796611c8e2dbfc45c2195ed1c197916f5b493606b99e0c9abb38bd933a2f70fca4d675d4e1b6635d7a607a224f91caa438323bf9e1a70e0ca5c16d0d882b6d35b2103ea8c5e7314a4516627251a825b3902540048ba48fae626af3fa4a21e81367d4758cff6c429904376e9594089e7f5527074cb1ccff7799eeb71bd16953aa4c851d45e938980bbd56cfaececbe9ff393630c24f763c48a6e28c9a77a25b915f1a99d74cb33218179f46e78a2d6eeba8477a6144f6d2deb294c8da6d95a950b77fb133236b3e5d2f540c092a58746c797c3868e380347c0a9b9ebdb67db8b5f51cbd135a73c270cd2b30c435804f43e443c0815fc5f375a73010926d7864388523d2eea07007cf3f817704efd0319f0487c515981f29723ace36d167b990ddcc7e064d521b3aa6a6655a0a365afa6caf1ef40fae23a9e42ce08c57bbf5a41a0bd54354b0dcf74ca77771d78aaef2a0c51c5998b91642fdd4f953d2a4291ce308e726427bded86fa0ce56ac0ed4a16e6f0541efaf845d5350b6117f79b8646b49601800b732adf992358298c59e64921b7ac430e4872ce0a9cb37c483a4451f4dd08e68e6c87905c50031e3b0f730985564a3a5c29db28aafef3f8cb05c2644d9aaa1015e2ec8bafc2640481abac6b18b12f3e7233704d47e0a1df4accfb03d3e6a3222929157ed1f6dc2d86b0536f2b48e99996247412266c9a28c3230d2ce20ea9d43808a9af936aa81710853a1b1bfa5797c1655fced7912f19041702d8a4f7e9626a4a793b6e58b155011c9447ff926844c820828202859fc75394f45b2bad859b34f36fa98f6a9e8ede680b23b51f793fd996dba5e6c23a6740aa6a46b07d6e53b74b65c041733ca156a3698772c3eede0e0887993a85e6290dc7fd14545e5d923a512e1d7b4cbd96010445c9d9e855afaa7c53f53baff420ac332d316a35a238a1815d272f60c3e886ca858d6448ed51a0c7676db70b8fb7b04980b976ccbf0a3110437b7c21e85d4944edb7b6ce0f652cd5da561a9b34211b26e641236a857dc1fbc43c12a4eb9ebbf96cfea736f2d8298cedafdd0ab073a7ac697960c4d65e64d956058c1acb02dbaa11c7a169b4be13952694d8dfe84ef06b1a3583171d99de754b32c41861c1be8b6dda60687e67aa6d8249e528349cccec97e399bb639dfbf4479f54c591d31f588932af57b5ab87843aba2c8063c55664bb8375e24e5346ea03cfadfe42795453c46a8f3ccec7d5b9d2896d34e0432cefa1464f6338b40fb1b2e1ff9026898ebd6eb806339f488464ff70eb741239556b55e6872e2d90ad69f11e6ca2bd7ccb8b6d39933fcf3dca15b13a76b4adee2b1898b60bd6bd051f9e4e516aac6650a50a5077b9caeba9f286e58886ed39dfe8cf9ba25dc84e1ae847b5637962b4c08b01601808dfbd93c644c9dec8d62123c9005b51dbb02d7144a12d49ffe018fb832aa5eedfaaff32784001f0f4801396189e0e5f525b79caa0f010d6574cd479fa9cc632f6a2558fdd4eb2931375e7ac9eb99f31c1039a9780bfec6430b155cb4d205bb33c735509c270167dfbfefe65062c757b41493beda43133ce24d497744a907fd78ddd8a0fc896a8eb60dd174690672c6952789f29024ef540d21e99f15fb127a0d8b7b7f0e48233c5778f578a1e83088a659bded44bf41e8edb8a02f091509f0b05f06df737891fd7e0971a0e1735d22da7018386792fd5f2bda365f48194a00b89faa4bb1d972788d740c57418921eb4d6176d160b209460d544734ae43e99658aa367e8973c3ce1137d936103a842da4dbb085f25236be94f9cbea7fe4e8dbfaab901de38ac0ed4458fa7d94503d42cbb8eb53042cbcb7e12ecdd5cdaf655b51d61c0a6a07b562b619b6dff90e0edf99d8c20278ba17ac5480f04a3a60ba83678b3dbb4247e5fb96ef134fd77a699bc7812d1c9d31875a298c701da0f17e426e4f6074f82dac60c9e0d2387ef54d602ee9b77587513c97cf3c29ec5c1fe318cd1d0d049968498da6916ab56edf7a4c16c4c55b3f52c21989b196276d2a7c5a7e21b47665876be4b0f3f5f69554cd404fd4453a4d14b58bdd623007e51eb90615a65c959305ba93337ade682e432daff7eb2beb47cd08917290dca5421775a24f8656ff18b0a918fe4f77dc8a63a151093b8441552885aa993d0ea6eec60e1d60a0ce8d264d66dd29ded7ae9c08704998667ce116c870d7970abe04cd3a58b9df79728b7b73854425b5cbcc62c66a8b38d6b7ca8fe55eedf9e265be8f100f8e6d95b2ff66c4570439b6932dda3f16d73e69625206551b85fa977ecb8181d95696777455a09d5197a22ac5d1a780d7746726eb0a84f93a11d4972871e24a587dca5442b449727a6ece2db6f3d8f513ff2906c7860f972e8d99bcee1e88739aad134b14618241b9a2d97997e7893582306f11e08fb979c34d31f96b39a09d51451e277442c3b8a26b98aed6990d57e44e2d9e99ecba825ac8b51d19f46441bd3a3a726b39336b09600a68097e8d73a01bfc0c739abf599897d19e7e81f2945351b10f1af8b9e62604b30addf0194ce8e88d78d8361f23ad92b8603e20c7e70929e843b22dbb8840fe4ba461008eef25a51a564bd33d85b992996de97a0f4b5dc3356f54413e53b36f24d31876f9133db4691d1ba5519d82ebfe05a11212c21a1083cf8645dcc7425fdef414131cbfc4a40f82ca79815c5533c5700093810cdc284a84305511395cf12a8b76227ff02af2558c56ba6e611fcfeebf77f05393797a8b67c20acdf593c47cac0bc599f10f622e4168b2930a9be32e499637d90777f07fcf86d9bc65d98d2e0332e92feefd802fd59cfc93ff4f71a7c29b33b9f06fb16c3aa23254030f015a1fd288d3df8dd3fe00cdab8cf6859311a18f76a90acd1f3db082d9222a3e488ac69513d6bfd5a326f749680c6e710466e411c20ed352fe8fe90d6c3cdab7e10c96c86c63f4960015132efafac31ab38f2849a4180392742c71566383e79db7e1114a74ddb19d66febab0a96ac3fd4dac337a073c07319d5538ab41f2b87aaccad5b33e1a830bb277ffb09d0e4d9eda6a9df9e24d7579a31e820d46ec07a17be8913c6259ec9714fe024ec03a6f2656d4904905328f7e9788088bbc7ec666588581ec522f6a6bb7e4edb9c85fe87a8d5cfb788d477248a6daa3960850e5a13e0df41b3db8b07cdf166bd90ad3f777ae2456751434886bc7d57189e66f0e6e1d9f5db57428cdf098b833c1b2ca8390a9bd483e5afb6e8ca11f12614fec46985e0ca98818ab2c3a3c311e3f3c53e6776f42f6ff35b12805f3ca9b390c20aed909b23d7e1e19f322809c28d6c7ee96a36cfe268b2dae202ed172814d62650423241b98a7d617b91f8e81a00b15bd1c7e6e5660923c0831034e7518b26a8f90c8b1588a23945325f0bf152d6eca65a04a330c08f67b2524adf4f5292d6c254e4bea7fcc9d87d1721a93f969554bcba69a3be8d20b4baeb7afcd8353438c13eedf4b2aec0642196f43e8b5a3addd5901b2645d2794ff144a7bee876b33968fa2485982710e944c0b175728a51c1865a51867ae0e889d4a94d9c76347c0eb4430e9a2399a79f4055e7bc1542b2bf8478edd5cdd174e0907a1487bff7a3d8ea85d480d55c90ed84c0bd0bbe287c5f5598829c7a8a2e16220231db90cb7f8fca22c73a67275df2f23aea835c86797cc0c6f2081cb4d70370f89a58eba3f5b2acbfe97fe8cd1ae5e0c3bf42dd13f2cd958ea9735c6aa0e51e1e5d85d3f037a2d3ffb640934ec7468fcddd42946be81bfd801942f95694c3267a6237fa8229aaaa51d8156c9d575596fbb24c2082423272f3f02da12c870b58b64e747044fcdd933685e7b4c3247e9fc4b1dad8834fdad50103b8c7ea4f4434a4a0c982060e4a095d4ae7c3a1165af8220fcf2ee380841e32d7cb2f67b535c09c5af35d935eb091f072001f9ea70e289e2a9d8c9b107fb5b6a87bd3282a0ab8484f603c9e0e8aabeade763deca697e7373592c69b9429c7622eba408cd56554a94b1ab5e789015dafbc636bcc3e099129c023424e6c2cbf319db97fde78a14b78f767da6524d06da7b8dc0df81c19905ff225dc17bf225ae5ba75546cb2ca9cd99dc133f338f191ff049a3de4fc3ba7d1b22097c7e40cd13b66aa7ff3421259002d19fc47fcba16eb20a476c138866258926c0a87fea8841488a807c5502237a9e8d96445586892c53641d72ba9f876eaaf269e810658af5b1d7b5dcde6e4f1a009a92c63a9e8c3e19c29316a23848693a0921c68f2b4a40e007bb85308c8ad32f15f21c1ba42d902e17fc7e930325ce2459a99e2e81b6b0b94209d405361e9938af2d2b0d3e1be93bb5b1aa38c5ba1ac76caba677be41ac7112448a72c97ec8ee62e0979c4fd23ebf7c6d151762a36061ecd9507b91f6bbf363744544602a2dec64667ce5d106fbdcbb143276dc8f723250caa9d24b9495b8d76bd72d8bc93b4d7b22d8ff0a9a82f668fd1e54a478b59e54bf9a0529e9a148b8f146bfb1e4de9bd52ec1747be2fa875ddd1cdf6345d3393799065c4cd8118e33d695dd4b98efca18e10003aab586d84617512ab40e5f6ecb5fd6712ede74c3882ac8810b806d4707326d623ea4865abb0ca150476a2dee29e05047fa778dd34857fd63d4a0ee8dbab244603ad067c236d190fb89fc46f7f21d163f43d36d92092ac4ef498e89b66b5ef96b08b41e0e358f3b1bee336ab6e6386128bb8f2c25c734569e7c100427608d0c8b1754165aed4c56f0214c9fc5e15018a0de32ffbb7172e969736b690f96c50f3b85b0fddcf55c5fb526ea0dd6c42e1883e12c718299ee97d321601369351aab917c0a427c1bb63541acff3c9479e4db1a9c81bd6e9a71cb75aaee0d6649b3382a1b03e5677f74b42659c381e1cffa14843f6efbd51f5ac5a7f31bd54ab7ddec536327539f4f1258567650981228da5df32958112e2d8de27ed481a83c810b92668a4dcfbd6767798c3c899c8f5184b0ad30525bf102ba40c375d86cfe8eee601ce96829981ab56a86cafa2a154d63312fe97b19f243b326921f049bd48e37729cc96f26d2b07ce46377b7397c1f536f5ef6fd66f6c4116ea96b08330448ac72ffb5faa8eeb9ded68fe7e54a0e49271d37d658341e16737ce37bf47cb4b7fd6cbdcd6e6117b7f006ec8f4290c3b935f491f1356940e5c96195d4c022bc03f03b579eca67263444275d8d3c288014dc9169d3297b54c1a628ffbf74ee9e7511812aedda4039dcb0892d180b50f940992fc920d6f748dcc4b9155186b0e5474be0e68a3b4bb7ea52d0a136664d251560b037e8f8df2b0a2640e420b19d143400d9678dac4e7a2b4be287f6891ffcfb1c11bb4f2b9688aeae272b701b2471bd12f82c8f2ad9b8ce1e9aa4084912a498944bacf4faf75d6fb092b61fbac442f64e66dbe570545f0995dedba17e72673364a8a07b3d33affc79fef0e4e4fe41ae8db6ae027d5821026561b61498f75de599f46d7743cef145b741aa2fd67205c18e8757073d1b6bf0a66f06e0c1ec6fd1ce3daf913b016b427cdf4f7b19f9fb22b2a1fc4510449fd020e54fc93f7609f56519f7e6caf02f5b8be3a36d9263890e2068a9bee98469a117964a4b5e39cfee8eb1605ded96b2acc51afc99821ae7bf50d4b4791eb3eca53b7ae0005e5d74135fcfc112fbbee5a68125f10249cf8340c0f22d412a74fae14068ece35c4617f90f1b75e84b1ae9ecf6c18c7504f068b034462cbf349316fc63d580eff2fcf36cd296379a8bfff91294c58dbfdd93c98285e7aed4489a4670c7070907b7cced1c54419034f69e81edec13b35c49bbf473c6ca32ee4bfa9b1676053b79807350c55f3ae6005d6e5adc4328d78e8197854c45b5ddd5a1dce9a6b03d0ca45aebc068f3bd70d3202f5e1e17398e0a7c957aa6436b061fb80db2e726df5607b496194f911098faac0608b03eca5058fc43beb56865cef28fb9aa0d311bca89b8a0acb02b583e01f2089adc1dfa113ec812f1cc5b4b7fcfbe044ea2b3b2a93f2945d31db3e1c5e9e35f99b607d14fa0221b61644fb66e8c7a22f329cddfb22d2bcae360d22ac556bc7f35a00a3f2760d1fbbc297a3a08502985f69a7524d997c6fe3002e0fd6703b67d70dbb57926069fd7433f4cb82173e542ea4be236fcf30d03a82a32bccfa7b373a46db0ac27bba4cb00edf6bccf3c8270cacdd0730a3d7b46b71084821a5e85d3a9493da176569df13162bd8bc911da153d7976e73121a025301997f2aad8ccfe4b9939665dc6699ce20fcfcfa2e1278039f3fdf2db0d7de3c9de4ee4e64453670a2be516c33b06f545a6063f121553cd096e12f4dee94f5a2858aad5dc12c081fe614fdc4ba0fbbd623a38835f7c1c5ef8414c24dbd32b37e4bf0a0bdcbbd12946ca82032ec338256786beb027d62d832fb99b579a8e162c10c67d479d397caa7d7e0c714c4491b5d804c87be8afdb26204d37548b869aa0e94adadb97f5e7db32bcb471bd5bb2aebd80d6947786b6a322ab569679856413eba30e0dcb1d31cae96b71d43846c39044691d5ffefa1cad55e5d59d8f8302bcc410086ca41b576c5dc18e5ce80e2de4f7eb57b1414ef29cd00c1fbd906852915d03f9f5265411d428d23f04a70fb46aa7b60146c6f272136f13a0426d149256b936505f03997fa86e2507b04e25c871578fa980d2323fef7e8031209043ae56baa4e0ec407084ada94d96ea836080d5a66e0d87aa7deea927ae9f5b80a58bbc2555f7a95680ac7b7c0f7ada2f5769a5dd272a102b94c883116daad90be2595175f99656aad3dd36336d84ebaf97d1d5e2782b4c392df227") r47 = syz_kvm_setup_syzos_vm$x86(r43, &(0x7f0000bfe000/0x400000)=nil) syz_kvm_add_vcpu$x86(r47, &(0x7f0000016780)={0x0, &(0x7f0000016480)=[@out_dx={0x6a, 0x28, {0x351c, 0x2, 0x3}}, @out_dx={0x6a, 0x28, {0xbe7d, 0x2, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0xf10c, 0x5, 0x90, 0x2}}, @out_dx={0x6a, 0x28, {0x4c98, 0x6, 0x59fe}}, @nested_load_syzos={0x136, 0xa8, {0x3, 0x2, [@enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @guest64=0x280d, 0x2e0, 0x4, 0xfffffffffffffff8}}, @wrmsr={0x65, 0x20, {0x285, 0x7}}, @uexit={0x0, 0x18, 0x5}]}}, @nested_amd_clgi={0x17f, 0x10}, @wr_crn={0x67, 0x20, {0x4, 0x4}}, @rdmsr={0x66, 0x18, {0x2e6}}, @uexit={0x0, 0x18, 0xe}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x0, @ro_nat=0x6404, 0x10, 0xfffffffffffffff7, 0xe}}, @enable_nested={0x12c, 0x18}, @nested_vmresume={0x130, 0x18, 0x3}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_load_code={0x12e, 0x63, {0x2, "2e0f017133c4216ac2c00066baf80cb86e897c81ef66bafc0c66b8af0b66ef420f01c33601e312ec0f00dec74424007a000000c74424020b000000ff1c24400fa1c443314a890a0000000b"}}, @nested_amd_stgi={0x17e, 0x10}], 0x2c3}) r48 = mmap$KVM_VCPU(&(0x7f0000cbe000/0x1000)=nil, 0x0, 0xd, 0x80000, r12, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r48, 0x4) syz_kvm_assert_syzos_uexit$x86(r44, r48, 0x3) r49 = ioctl$KVM_CREATE_VM(r12, 0xae01, 0x20) syz_kvm_setup_cpu$ppc64(r49, r43, &(0x7f0000e17000/0x18000)=nil, &(0x7f0000016a40)=[{0x0, &(0x7f00000167c0)="0000003d0000086104000879000008650c0008610000803f00009c6304009c7b00009c67d0049c63246bc07ffacddffe0000603c00006360040063780000636404006360269fe17f0000603c0000636004006378000063643c02636042000044f5009007d6db8bef0000a03e0000b5620400b57a0000b5662a00b5620001c03e0000d6620000d5920000a03e0000b5620400b57a0000b5662a00b562736fc03ea7f7d6620000d5920000a03e0000b5620400b57a0000b5662e00b562905ec03ee010d6620000d5920000a03e0000b5620400b57a0000b5663200b5620000c03ee0d1d6620000d5920000603c00006360040063780000636400f063600000803c0000846004008478000084642a008460220000448fed9ff30000603c00006360040063780000636400ef6360b5ad803cca82846004008478ea5e8464a2e88460f167a03cbee3a5600400a578a557a5645546a56003f4c03cb487c6600400c67873edc6641551c6601de9e03ce4a0e7600400e778d884e7642576e7600870003deef70861040008791f720865674008617fc5203d5dc62961040029797f83296531e82961ec4b403dd8c04a6104004a79e3f44a6576a04a6142000044c7dd79120000603c00006360040063780000636408ef6360ae15803c967484600400847848298464f27b8460fb2ba03c3a84a5600400a57866dfa5640e85a5609421c03c544cc6600400c6788ed8c6642d18c6602715e03c9877e7600400e778527ae7644a11e760b221003d4162086104000879f61f0865aa6f086100f5203d4c23296104002979da1a296595bf296193f7403dde994a6104004a795ee84a65a0514a61d50a603d34f96b6104006b7921196b65ab4f6b6122000044", 0x278}], 0x1, 0x15, &(0x7f0000016a80)=[@featur1={0x1, 0xfff}], 0x1) syz_kvm_setup_syzos_vm$x86(r49, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r42, 0x0, &(0x7f0000016ac0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000016b00), &(0x7f0000016b40)='./file1\x00', 0x1000840, &(0x7f0000016b80)={[{@ownmask={'ownmask', 0x3d, 0x9}}, {@uid={'uid', 0x3d, r39}}, {@gid={'gid', 0x3d, r25}}, {@ftsuffix={'ftsuffix', 0x3d, 0x1b2a}}, {@ftsuffix={'ftsuffix', 0x3d, 0x95}}, {@ftsuffix={'ftsuffix', 0x3d, 0x2}}], [{@uid_lt={'uid<', r37}}, {@subj_type}]}, 0x1, 0x2a, &(0x7f0000016c80)="$eJyq3PSiSzhjn1ni6QQv2eL9NXzv/l1Tb+R79PvXuQuAAAAA///Puw+p") syz_open_dev$I2C(&(0x7f0000016cc0), 0x9, 0x107c00) r50 = clone3$auto(&(0x7f0000016d00)={0x2, 0x27e, 0x5, 0x2, 0x6, 0x0, 0x6, 0x5, 0xd, 0x7ea2, 0xffffffffffffffff}, 0x90c4) syz_open_procfs(r50, &(0x7f0000016d80)='fdinfo/3\x00') r51 = syz_open_dev$ttys(0xc, 0x2, 0x1) syz_open_pts(r51, 0x8400) syz_pidfd_open(r16, 0x0) r52 = pkey_alloc(0x0, 0x0) syz_pkey_set(r52, 0x1) syz_read_part_table(0x67, &(0x7f0000016dc0)="$eJwAVwCo/6k57hMEqlDNSDO4ZVQCcLxIue9czoZuafU/43B5GQ8/SfKEAJSVthoZct6TJycbea3BUcvLUazBD0Yw9qOvvKZmop6ihOZrQz9pF64MLnCI87vjyBXT9QEAAP//A0oqtA==") syz_socket_connect_nvme_tcp() r53 = syz_usb_connect(0x3, 0x840, &(0x7f0000016e40)={{0x12, 0x1, 0x300, 0x42, 0x66, 0x24, 0x8, 0x2357, 0x9000, 0x8c65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x82e, 0x3, 0x7f, 0x2, 0x20, 0x5, [{{0x9, 0x4, 0xce, 0x7, 0xf, 0xaf, 0xe8, 0x6e, 0x0, [@uac_control={{0xa, 0x24, 0x1, 0x7ff, 0x6}, [@processing_unit={0x7, 0x24, 0x7, 0x4, 0x4, 0x1}]}, @cdc_ncm={{0x7, 0x24, 0x6, 0x0, 0x1, "a34e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x7fffffff, 0x0, 0x7, 0x8}, {0x6, 0x24, 0x1a, 0x9, 0x4}, [@mdlm_detail={0xd8, 0x24, 0x13, 0x1, "fcb64e07cbc613ee0fb47b172d8cb25490f7d08dca4c04f248b0d2c6c5d4fd13c90c337dbfe045783ce1ee1399fa76c14b25f5c338b041833f787b776e0c3c255189f0694e731cc1edd1269dee99eed04d16af2ae0f124510006a64280fbf1ac1146beee985883566c169abff09e46018c5ddfdcefb4c06a4626f8eeb21b618fe70adf76c204c1a9305d06d90852b606a0698c6678280d4829c78171526b7cf0cf95cab7e3afb3b58fcfaf6d70eb433347fbae1294b288b8d339b3d78fdbc0f227907aaa921ca3026e4c5ce34211e3c907b42ca6"}, @mbim_extended={0x8, 0x24, 0x1c, 0xfff, 0x1, 0xf51}, @mbim_extended={0x8, 0x24, 0x1c, 0x80, 0x2, 0x7f}, @obex={0x5, 0x24, 0x15, 0x4d}, @mbim_extended={0x8, 0x24, 0x1c, 0xbf26, 0x10, 0x7806}]}], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x40, 0xb, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x4, 0x8}, @generic={0xe8, 0x30, "68849f67c98033bfdc9bc67c706e689f08da2d587b668f1f676bbbc38f71f68c0129159b912f3288af2d8f5b2a9e6a416c8e3445c333df5f7008233683c674208456cfcb7a598fd1430b9bb55e9b6fbf6cd0797ffdb48e94a2bb0a7b924dc3fe2c8b37ff8b6d67a0551a582d713454dc2f829c5fa9bb41053a7b74b601c8ab8454e2d48d213eb4f873d9693119cf01d9779afaa261bd19f84e3998a27cc27fdbaa15467cd6f5442aec6c7d12861746b6bab7b93701f011de1e995c1c204b4c2680503a47bad86fa429cf00ded48239fb555ab98087edeaeeba89b14dad51b1993c25e60109bf"}]}}, {{0x9, 0x5, 0xa, 0x1, 0x40, 0xf7, 0x2, 0x5}}, {{0x9, 0x5, 0x5, 0x10, 0x3ff, 0x7, 0x14}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0xc7, 0x46, 0x2}}, {{0x9, 0x5, 0xd, 0xa, 0x10, 0x40, 0x8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x7}]}}, {{0x9, 0x5, 0x8, 0x2, 0x3ff, 0x10, 0x9, 0x8, [@generic={0xf8, 0x1, "8709dae6274078001913ce2efbcb79ab1133baa4f7e07b3b2c7ff70389e902b3684a95a29997f2d20ff4af270d19a8e0b4f24df512a7981b5cc217941cc55d0ee52777d5469f8d59a8b5b4a6e4fe8c2c9450b47d3153ab98f8e25d699873d3bdb2640075123c4c4bf270db5a2e30c478e75e0e80aca0d41af746e3efb598b2dbec647abd397b0efbb2e744238a48cefe4299f48385e74d325ba52c15b168234a996d3257eaab4fefcba6b898c91dd99e0c080a10191184ea552c28223c35e63ea9406888a94759ad4c30baec3d37bc12628f39fd0e1ea1665122b4a04adec0d9632421ac7518851c5c9256a33e291201a3af1af8df0a"}, @generic={0x66, 0x4, "e24af39366d6cc5b860379367e9b5af91238a8ad60d4d3330b86615c238b9adc150ca8d4d89f347cefed3502f2a64669ec10c9352cc3f00bb7bfff70a34070247f372fd56b348f50f94509038994df699dd0bd1e0f291424502d0abfa275df94ab99686b"}]}}, {{0x9, 0x5, 0x3, 0x3, 0x20, 0x10, 0x6, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x2, 0xf}]}}, {{0x9, 0x5, 0xa, 0x10, 0x20, 0x2, 0x6a, 0x9c}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0xa6, 0x0, 0x3}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x8, 0x6, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x80, 0xfffe}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x8, 0x6}]}}, {{0x9, 0x5, 0x2, 0xc, 0x20, 0x7, 0xfe, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x5, 0x7}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x94, 0x9, 0x7, [@generic={0xdd, 0x30, "77867ea85d1b66ca1b835f1ffe80b4e15a4297fd75060e9ca4a21e385adab09508051dd6105eaa7cdcecdcc320bc7f956eeb82394feeae2b09c0990c54433f3734da18ccf13f5fcc5bb32eb3bb6b062a282989582d898d9e25f97d5d3927fbc22c45904983860eb61eafd34b54ed2cc8b55cf197d31bbb18106360ad77240c1f44fd50f1a944b9f5557f95e94513b0ad4d6079e15e8d3b4301027dece5a5ba8488a265ab3067ce7d0f2d5ad3117bddf068f591f61d6646f96a3772bb1d8807ba9dd6d7a0beecb27298c3f090b2b7ed72979d14deae685d250f2cc0"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0x70}]}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0x7, 0x0, 0xd5}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x0, 0xb, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc4, 0x6e}, @generic={0xe, 0xd, "36cb58afca23d3e3cd43840a"}]}}]}}, {{0x9, 0x4, 0x8c, 0x0, 0xc, 0x77, 0x71, 0x4d, 0xff, [@cdc_ecm={{0xb, 0x24, 0x6, 0x0, 0x0, "378790738559"}, {0x5, 0x24, 0x0, 0xdd}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x926, 0x1, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0x7}, @country_functional={0x10, 0x24, 0x7, 0xf, 0x47f, [0x7, 0x5, 0xa5a, 0xf25d, 0x10]}, @ncm={0x6, 0x24, 0x1a, 0x100, 0x1}, @country_functional={0x6, 0x24, 0x7, 0x9, 0x81}, @country_functional={0xe, 0x24, 0x7, 0x10, 0x3a, [0x1400, 0x1, 0x3, 0x8]}]}, @uac_control={{0xa, 0x24, 0x1, 0x80, 0x80}}], [{{0x9, 0x5, 0x5, 0x8, 0x200, 0x39, 0x3, 0x2}}, {{0x9, 0x5, 0x0, 0x1, 0x10, 0x6c, 0x9, 0x4, [@generic={0xec, 0xc, "cd0d3ce6b75c2b01f97fcb20adf4d99a5a6276a0a0717a5cbdaae5bde2286c78f23ec6527fe1490d74ccaf86bae71c9879a22fb098f798415a4210a098cc4d7658353019718991bb6a8d77a8e7b5d4507404e96ff45614cb5cdad6985e76eec52fa70774a80ce5407b62d01051262f8136aa68c22ea4115b5e27653c40a81cff49a13bf79d599e1eea6f2ab7897c7165b36cb683a87ae079d8ff5f450ddff53f2a7a042d0732f9357ce23fb6a1310f9584d8a7557b654936d97d49be797a565302d1e615a70061101f01cb75333ed4fc3fb983e30f4904195e253a3add43bd069794bcace63863b8c55b"}, @generic={0x31, 0xe, "a6772f6053bbf3fbcc2e4b92794df700a7499308d02da807f64c0bb6a2df535b939af7a1a2e98682e084019d17ff1e"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0xf8, 0x0, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x1d2}]}}, {{0x9, 0x5, 0x0, 0x7, 0x400, 0x7f, 0xf9, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x5, 0xb57}, @generic={0x43, 0x1a, "cb18238b9bb4f2cf09a9e512ee7299837421b4dea8530c6a24f72229b4c3803db0b8159c4fc1d0c512c36706f72652839ab687708e60653bc855f3efc0191d44ce"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x10, 0x5e, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0x2}, @generic={0xa, 0xd, "0ea835cf6f9897dd"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x8, 0x8, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81377ff213a15d50, 0x40, 0xc590}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x4}]}}, {{0x9, 0x5, 0x2, 0x2, 0x400, 0x6, 0x6, 0x7}}, {{0x9, 0x5, 0x2, 0x3, 0x200, 0xe, 0x4, 0x4, [@generic={0x5, 0x11, "b9f5e7"}, @uac_iso={0x7, 0x25, 0x1, 0x40, 0x6, 0x6}]}}, {{0x9, 0x5, 0x3, 0x10, 0x0, 0x8a, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x9, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x73, 0x1ff}]}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x8, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xd}]}}, {{0x9, 0x5, 0x6, 0x10, 0x200, 0x3, 0x7, 0x0, [@generic={0x4e, 0x21, "de218ddf3078a6fbd86d425731334bc46cce8cf519b9cef7c417703ac6b7c8d919df45ea16b8089069bbf34f03abe752c1ee7d7e03a08637bcdc17d4cf34c2756eda9fbf09fdfcfca3052859"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x6, 0x8}}]}}, {{0x9, 0x4, 0xb9, 0x8, 0x3, 0x5b, 0x5d, 0x4c, 0xbf, [], [{{0x9, 0x5, 0x5, 0x0, 0x400, 0x9, 0x5}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0xf9, 0xea, 0x2}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xee, 0xbf, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xc7}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x6}]}}]}}]}}]}}, &(0x7f0000017780)={0xa, &(0x7f0000017680)={0xa, 0x6, 0x300, 0x8, 0x4, 0x4, 0x10, 0x3}, 0x5, &(0x7f00000176c0)={0x5, 0xf, 0x5}, 0x2, [{0x4, &(0x7f0000017700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000017740)=@lang_id={0x4, 0x3, 0x425}}]}) r54 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000177c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r53, &(0x7f0000017a80)={0x2c, &(0x7f0000017840)={0x0, 0x1, 0x101, {0x101, 0xa, "3681db1760f476d161e6331af001dff260ea6b4a4cea6097ecb1958b59faab7a902848c262a0bb7bb004a6454444f39114416399cc7a71e71547c56a02f133907f22c3f12ced90a4d6ae9ff8fd98b3e7cd83d8745c649289b5fd78f706859e152148d76f8f0d0fa049834365be85ce2b50358758a90b57339c874457410ae277d2b118f38427a932a2c7cacc09aed3ee5730793f36dce0ed57b9c65ff63c7eb7ebbfebe9094e0853051b9f3dfaf6c2ab61265b3af1f34872569ff3e04b2ec1ef09a3692a88292ffa38b851e6fe031a70a551e8844b16d138ce126ce0419571f4349aee237a2bf6fc52cb78f26f30c936902d7f29d3a5615dad86e4c69ca03f"}}, &(0x7f0000017980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x4c0a}}, &(0x7f00000179c0)={0x0, 0xf, 0x5, {0x5, 0xf, 0x5}}, &(0x7f0000017a00)={0x20, 0x29, 0xf, {0xf, 0x29, 0xeb, 0x10, 0x81, 0xc, "e76746f0", "f19276a0"}}, &(0x7f0000017a40)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xd, 0x2, 0x8, 0xe, 0x7, 0x8, 0x515}}}, &(0x7f0000017ec0)={0x84, &(0x7f0000017ac0)={0x40, 0x17, 0x1e, "63fd640c63a3d40d56edf64acb1036df01c37dff2b11b8bd6dce4f20b2ce"}, &(0x7f0000017b00)={0x0, 0xa, 0x1, 0xfd}, &(0x7f0000017b40)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000017b80)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000017bc0)={0x20, 0x0, 0x8, {0x80, 0x1, [0xf00f]}}, &(0x7f0000017c00)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000017c40)={0x40, 0x9, 0x1, 0x6}, &(0x7f0000017c80)={0x40, 0xb, 0x2, "dd91"}, &(0x7f0000017cc0)={0x40, 0xf, 0x2, 0x1}, &(0x7f0000017d00)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000017d40)={0x40, 0x17, 0x6, @local}, &(0x7f0000017d80)={0x40, 0x19, 0x2, "73dc"}, &(0x7f0000017dc0)={0x40, 0x1a, 0x2, 0x8}, &(0x7f0000017e00)={0x40, 0x1c, 0x1, 0x81}, &(0x7f0000017e40)={0x40, 0x1e, 0x1}, &(0x7f0000017e80)={0x40, 0x21, 0x1, 0x7f}}) syz_usb_disconnect(r53) syz_usb_ep_read(r54, 0xb, 0x6c, &(0x7f0000017f80)=""/108) r55 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000018000)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x40, 0x3f0, 0x4, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xba, 0x80, 0x1, [{{0x9, 0x4, 0x0, 0x7, 0x1, 0x7, 0x1, 0x3, 0x5, "", {{{0x9, 0x5, 0x1, 0x2, 0x8, 0x4, 0x2, 0xc9}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0xfb, 0x1, 0xf}}]}}}]}}]}}, &(0x7f0000018180)={0xa, &(0x7f0000018040)={0xa, 0x6, 0x300, 0x4c, 0x3, 0x7f, 0x20, 0x81}, 0x2b, &(0x7f0000018080)={0x5, 0xf, 0x2b, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x2c, 0x6, 0x60, 0x64, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x6, 0x7, 0x1, 0x680}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x2, 0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0xc, 0x5, 0xd4, 0x21bb}]}, 0x2, [{0x55, &(0x7f00000180c0)=@string={0x55, 0x3, "8a4234831e8888aedd9ad22d4f28938cda9aa9a900037c311cae82fd231caa312795c2b2f747f7bedc807a10652dcf379da07ebe9635310275c1f0ed956da64df98af4ea239c452aa85b311b94d471e9d3423a"}}, {0x4, &(0x7f0000018140)=@lang_id={0x4, 0x3, 0x83e}}]}) syz_usb_ep_write(r55, 0x4, 0xa7, &(0x7f00000181c0)="c9de81d2b7fd1d65610b4083b89828a1eeb3c1fe78e802b87bcad52205e7f4d5773025c8c92cf009171f12788aa9afbf0167112693c5625eecd433f1b0ed30d3ef6194f9afe363c1334df356e261dc73f07cac0e40a0348c52257f14f9a9f60d5698352069eed46ef10f4a97b1560f7605b0aa631949af14354c1acabb768609d122466f6849102936f4001d18015df428570b6e59759b75e723b1e612800b56ea89a55d2c6378") syz_usbip_server_init(0x5) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif #ifndef __NR_statx #define __NR_statx 332 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 63 ? 4000 : 0) + (call == 72 ? 200 : 0) + (call == 74 ? 3000 : 0) + (call == 75 ? 3000 : 0) + (call == 76 ? 300 : 0) + (call == 77 ? 300 : 0) + (call == 78 ? 300 : 0) + (call == 79 ? 3000 : 0) + (call == 80 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15 + procid*2); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } : In function 'execute_call': :6235:17: error: '__NR_socketcall' undeclared (first use in this function) :6235:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor1223583907 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/29 (1.27s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$MON_IOCX_MFETCH(0xffffffffffffffff, 0xc0109207, &(0x7f0000000040)={&(0x7f0000000000)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) (fail_nth: 1) r0 = syz_open_dev$dricontrol(&(0x7f0000000080), 0x3, 0x105400) (async) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0}]}) (rerun: 4) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r1, &(0x7f0000000140)=""/106}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000200)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000240)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000280)={0x0}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000300)={&(0x7f00000002c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000380)={0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f00000009c0)={0x0, 0x6, &(0x7f00000003c0)=[r2, r3, r4, r5, r6, 0x0], &(0x7f0000000400)=[0x7, 0x80], &(0x7f0000000940)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000980)=[0xff, 0xfffffffffffffffb, 0x9, 0x100, 0x4, 0x10000, 0xfff, 0x484], 0x0, 0x73ca1ec4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@action_no_ack={{{0x0, 0x0, 0xe, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1}, {0x6}, @broadcast, @device_b, @random="01abb5a42e6e", {0x0, 0x5}}, @smps={0x7, 0x1, {0x1, 0x1}}}, 0x1b) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_bprm_check_security\x00') r7 = syz_clone(0x42000100, &(0x7f0000000140)="d1a222a113afa50937eb93a69f4a6daeb1c51185973fcbcd8ac1511fee5166f0a2d7b107ca8ba74b42ac080422e3e26c8fd0707d3352f3e0467c446d0fd59fdc796204deb520c9f39ceb06b12c5dec1f8d80435d3a9531b3c8c63eca16670b0be3277698485a45d91a4737cdc17c96065423348e497b473b96cd4d870b360809cfb9631f7a2cdadf25baade0a028dfa84875eeaea710f44ee0c60be31d07667921375cbf5e90565a7594d78c49ee1a773a21696e3e0f6e9d5a9cc8261a51990269f06e5642a81055ab67", 0xca, &(0x7f0000000240), &(0x7f0000000280), &(0x7f00000002c0)="4ce639fae6a5b1dbfb9b05cdf44c3b14df7c001ef8931a5117ea1ba175c0a1e0806dec26a61e38c8b355e6334aab16936f3b9388ce1e115787f0a164e987d9e1339bbbdc21479403322cf6c7b55dafea9cf527b32532be38a2f0557907e357b05e1986227888aac6cc43a9e5ea5e3c093b693d4d13b378ac2243") r8 = openat$cgroup(0xffffffffffffffff, &(0x7f00000004c0)='syz0\x00', 0x200002, 0x0) r9 = syz_clone3(&(0x7f0000000500)={0x8000, &(0x7f0000000340)=0xffffffffffffffff, &(0x7f0000000380)=0x0, &(0x7f00000003c0), {0x3d}, &(0x7f0000000400)=""/54, 0x36, &(0x7f0000000440)=""/57, &(0x7f0000000480)=[r7, r7, r7, r7], 0x4, {r8}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x98, &(0x7f00000005c0)={@remote, @empty, @void, {@llc_tr={0x11, {@llc={0x0, 0x4, "d4f0", "3855a5dee3a80835452966b4819b8e62fe420ebc741cb5df2368e0d83b02a44133dda9714f0ae883ab9c1c66c38864627043bb1cb645f8ca7ee26fb421090e98e576724d716c681bc3e802709219450517396e0b82978a08ba9cd791a977b9971dfcc61a5318a165f4fccd530654e11d54ca4f12b28362bee6c70bcfa1ce0d983864306cf6ad"}}}}}, &(0x7f0000000680)={0x0, 0x1, [0xf2e, 0xb2e, 0xcd, 0xc93]}) syz_emit_vhci(&(0x7f00000006c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x2, 0x12}, @l2cap_cid_le_signaling={{0xe}, @l2cap_le_conn_rsp={{0x15, 0x3, 0xa}, {0x1, 0x1, 0x0, 0xb, 0x9b9d}}}}, 0x17) syz_extract_tcp_res(&(0x7f0000000700), 0x8001, 0x7fff) r12 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000000740)=0x5) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f0000002900)={'\x00', 0x7, 0x7eb, 0xd8c, 0x6, 0x65c7, r7}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000002b00)={{{@in6=@loopback, @in6=@ipv4={""/10, ""/2, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f0000002c00)=0xe8) shmctl$auto_SHM_STAT(0xfffffffd, 0xd, &(0x7f0000002dc0)={{0x7, 0xee00, 0xee01, 0x3, 0x1, 0x2, 0x100}, 0x8, 0x1, 0x8, 0x0, @inferred=r9, @inferred=r9, 0x8000, 0x0, &(0x7f0000002c40)="04dbcb209f35e5ddfdb1b3b7a741cb0da9e7b4a97e26e4d64ca5560ad3ea50d519bbf049c3135111c4de1f36b6b308bbd028e4495d46ed8393e759fd0a3a8a87f1db8749da45e9a5f999f3e74d920ce20c4d2bfe9ca72e5faea34e254ebb9ca9", &(0x7f0000002cc0)="9e746e3d219f0df0db9f4dac0afe9fc6a3ef5fcab6058f83fa7cff2a82d20c2e4f575259eabbe06734843f871e50f4d47bd62ead38d7be8ce30b95115285d16abc718c0da482b90f24299f3017ce2a536dab659aca91d1cf689107448150e4566abf4c057bde3c378236a3781059cc800867309fb208ab69fe7d3fff31198f363305539ba5a17423bd8345e10a2507adfd0b0df310c33482d2cc9c9ba7bf80c8c7e2159c09d9402b1d7ca88f84e7b4ceb8a193ece6dd5faa70429fbac4f1020c7667302d4a57ab637f35ffe42e58593fe3ece07b5d637ef6d973342257fe2c5b1169399909ba6d369fde"}) newfstatat(0xffffffffffffff9c, &(0x7f0000002ec0)='./file0\x00', &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) lstat(&(0x7f0000002f80)='./file1\x00', &(0x7f0000002fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) newfstatat(0xffffffffffffff9c, &(0x7f00000031c0)='./file0\x00', &(0x7f0000003200)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto(0xfffffffa, 0x19, &(0x7f0000004380)={{0x8000, 0x0, 0xffffffffffffffff, 0xfffffbff, 0xff, 0x7, 0x5}, 0x3ff, 0x5, 0xffffffffffff05c3, 0xffffffff, @raw=0x10000, @inferred=r7, 0x6, 0x0, &(0x7f0000003280)="976ff34290bd8bc7a7cbfc2a01cd57bb3fef9efb9836923feab6b22096e6a7f305b4a4725f362d86ba08a346f5ad87651b24794b4ee5813e0557b0ef0a7c19b1eafef2a16909abb9c855ec4536adac1b482e8e5a1dc478a025feb8b6304bdcd475b1d917a5b6c9d27a6b4858cba4d25301fe261bf12313f6e8224fc5ab0bb2fd404104ddefc2f27a36d9d10ecac7929db5ffc1df4c6fb6e5637020abf5e6504310ab6de659b656cee8ad04d046756ddae33d8d223854dc8c318392482cb991827824f40daf98da166c916dbb8c156c42197b664d7590e6d2cf4ea3280f84051c9ee3114142db27536bcd983f170f221c15dae9a11a52e84253663ea4308f", &(0x7f0000003380)="2c9f8f388d233b4f054cde11358eb632feac99157236e370ad09ea7b82ba5785b9e9afa9e686a62a5d2d53e478ad6bdc5fffb647b0835e147419667c9a116d7dc9628b1e9f7f66533e8e736b4a659a784c610da8c50010c4ad47ecbb1eb2ee6aa0b49090e709138ab2d171e1dbdd6e8653e06212391e7dc1b28bdd23129424500dcd8343ba198c60cd9701af62b4662b082ddc55e8149d60891c650e774755fc3a0d100ff0bc676b466e3dec52ca77d2c4ce103fc44bb563b3c182cf2f65541303d2d29fcbf5a3f42288f8fe1c236c3e12170e7ac600c5265cc5974e25597f049e9c015c76dec0d7cd2979cce123ad647297958c9d7dfbc36afc2ae4b9d2c09ac172a04dacffae8a50219a4ec4adf06ff80747d40c46ddc0764af4d7782807b8f14fb797b2780bb68e6b2a95dde508f4063c65d87143ff2466fe29ff3afa65202a99240c57990e20c5f34a95bd813572f47d8d482db3fceb9f1c54c8a8dd6332e83fa39d6651c7b78fa971ee88756e2e5a3fb029c77a48fd4164f107c882d1743bf852c14866a437ca56d1d2d199f93f758719d2293c5891b77e860b2b7c665129fbce455e93ce66b675619bbb23629d2bc8682ed4695d8c6afe256d372f9fed839de5b5f68d1d30cffb1a4e7402b9551129edc4c2deec8c16714ea309cf20ac7f17f5fd3cb97bfbff2dd36216b8f73403607b4ecb2dc42448eed56fb23266bd0fdf7eee43f34be3706ecc705927ada3d84f94d8a2898ce00de369c607552f6994ec15f66ce65c4952e30581ede46a2033589d2c28994bda0531943919e301a6d8187da7b498966af1fe3e410e5c167afb133b3e5e40db618703977b24002f621183b61a6b680301387e2d89565f0f62de825516d349c174c07924f4a8dffb281709e997af6da5a62a954969b5335f3074f2400245a77b195131d26ce43e17c3a201a5b8518f8f961f2be9d170c6f5b2b236a394456e577bada3307f4eaa8e0352bb595037e7f30f5ddbdf014ba5b6f3cee6af1fd4744fd0bbac1e2ce29853c722956da7de4e3fb9241820b0586ffa29da5b6cdd12da1a0418643b4ba96bb43242146f6c0a33980b9385da283a2a052b8c201f4239f957fea5f23efcd5ad3bb076abee60ce467eae6805e186e974934280a267dbf7320cb90fe9322bdb6ce809bd35b4130be87119047efd755cc747743e6da51b24af5c01661be2f813cef7d7ed9b61e83e0dca2c8221525b281570276a5958c2614929794c2d55a6b15d1701b1961a078edeff50e0eb0e02d9b1d402657ce25bdaaf910ba4549483631a5489ca98fe979c54c7400c9cc68fed1ab00c402f49d36c4d7b2fb273f392aed4f8def256d409e50d26e7251f91b9f5bcd8e84202e520cb7fe434744fe3a8831c1af1eb20a8f88579ab19268d7eefc6dcd8c94e3b6896e336e0f738aa244c2dbec12324a8a1ca70e040d07a7900f76f0b09e0faab4244d568c00309b8f31157d91788c871d616d0572a26f9bf40b2ff8f034dd9646fb13ebad2951fb7a9ea5509211359759fa495722e0ce6e24b48e3d2a1ec6939838040d00cb908d9edafa8c3845754bd5be90f6f92cc70338b3b1fc072cf2682740371caedd80fece859b1587f04147f50c5a9be927b5d51ae428a1c7e4b594ec242a0dab90581742428e5db58ac1ae32496f37119820ae295a3df7a95509d05d75cd778b54e44a317eb901c7cc28ff74ab53b6f4fb4ade0fc4af2be36d760476ca853a782e7614a133a99f1e5f0f12b9a958e70250fc9bdb898dbe34d8ee32b23ee9f0192fd4bf8f9622edd9f7acaf4f4b92673ccff23227c94132271735ac83de739c85cee73abf94ea2fd0e5b9c54fb7a2bc8771edfe9ba3eb70dcce56f7890aa8a2028e6d318ec234b525626e2460c4d007e74f7ad4068015a5032fb6fc553b27faf764671222ef4b39804e300d9a58eb4d9db9f3fe20127daadee117874ff95e3676e37bfae3061e95a71e97b15e24349f07856def173d2ce459affa77c5b47f8b677a1658f7d89af72253c800e62ce2b11f4bd837fe980f02d4f9719c0fe48454f72809deddaa972d65282ecffee1569a2a5377096ff3f010044e71be8baabfe65e99be10386ada70abfe86e7a4ffa8753f862d2704ceceb6df34a6dd48675441f7cca635e401cb2306d1726e1c3c04266419e991188e77cdfe9e0aa13c76107a2a27f7216b42a690c0063c92fd222f45fb0820d0464ef0b7ae6515e8174c7f90ffdec6dc2913d5ad1feb80617701623363a4e735107b300231ca5624addf083e075aca1d18d95c01b7357a4118fc492c07ff1c0711a9e00bd78ff8e431d7af674dce55832f45901f235b7824e8ad0ed0d8d67f7ff612ff1eca74a4deac721fd1c85980d87dbc8dbef59f3754720f0b926c25e84b1d7605c505f8e75038fa29f38cbfc97712f92447585a45475a90db7d81ce2b42929fa6ae4a6790560025fe0577ab52358f0b098800458666bad646991e146ec904511ca2655183631bdf0d5405879d6f69932c844190e2d916a7ae65da287acf801209648800a1dfe3e9b38f7b58641b0fc1804f9a279d8f4c803d0565650606f60a7e99fe461ab36d725ca764611cc203ffde0f06ad87cf91602381f1ec7aa255b6d21a85fe2e32a060f18b53385476db436919f9ee6995704046350e098ce1e66a1b8328fce20e1f8c98cefaef29cbac0bd9c0f1914538abd48436e92bbcf1271ac66ced7a53013f815f015f36180e323ac8247128a915938c89f711332d9758935180eeac8b8c9f99f9f306d3481b3a68bf9613360681a92437c7bd80adf9899093f3286fd18540a8c742510db91e48a1255dbcd218fe7a34c5058ad59a6962abff5327facd4c2b3a51ae13347d56a19f484ef62d52799ffe802c9fedcf9c076896018db33cf2bd9b0ca59de3f7487a273f7e8cb6d090b14a83ddd2f261d41f0fd1948e0be62929fc668b9f13753e61d08b1a88752dbfa315e79c2d81881190d2b6ad33ad8ac036e5a22b5ea8225ea410e9e8ebf86c4a7ea49765953cd96d05431157a8048fa61b80ba606cf53af8349cfadb89559fdf204ed283d71bbf700a9cc3782607896c851b758405b007e6150cc7e6586debda12a1c4b2b6366b3879623cf9eed75d56f4abca9151eb504670a4a518c668ed9488d8b5f1f212ea69c51a7497260c2a4859488b75960313dd3f29bfb75ea094ba325f79a028d07dbf2137bfefd261b0c5609a169d5f1bbe1815f06ae4e26f5f3f4b36cccdd3fb7f8adcb7645e37ed7d9b63c9e21cdc5954e2852bbfee5bc30a978399189e63b92699d810c589d61d0cd0c6bf4ffb892537e0ef1887d1ea047290ff609584a00dec798f8e72e06c1be8399ea069fd13caf0e1b4cd66f84e26869167d54b8c43c967b270bd8561f99dc84024223402ce0957d93e8582bb8f4583cc2648861fc562fc2102a326e921a418fd518ce636e4e3edc36fd89bca25add71accb89d777070526d9cf7274dd486909c3b142d27fb0abd467be27c36e8487ccda73ad0c89adecd36a08c37ce15b876fd2121a7b0d11bde86759eeb66287b44c61ced7f74a143044ae805869d31a1b1c44b8150d8d630debff9e95c31187b774441fa8137c08ca316ab778159917dfbeec94529d3a12c16b9f39c4d77944e6f16cf9b819f9d8a42ee73291ed84e2d584b305aeb799c2cd76f3afd7e826bef0b77159bb4dad1139eaa9cde7bbfdca740addb511eb8b91d548e18d7cd691dce8578382ecd09ead356f85a4acee4bb8b19342c748ad9704b11e1d9b02c0218ca3e799ab80017052fdd66e9101a00b7657ebdc89cd425334a916df19dbdaf6e4f63bc03492913c86d058ea61685df77a06e0df07ed3fc1f92df067e86d0033640c10f40c279c264c477b2899d4a244b67ee884e519b4dbdc5d6f1c3ab67c123a597974bf3a57ecc909be9133917017db1d7c9e192618524a9392957afebeefb2d8bc4761034070f4179582226e34b1865d26be00c9bd31320c313cb509057c27f1274c78f471bf69b85dbd478237383be86c86f4b0117a2b157820832d07d88d2e78a9aba0b045a19dbf8a6faed40e41ca47c013c2903e69f2ba49b07b36e1f3bd69bd4a82ef2a428a831357d25f5568b69e9422a3ba9533fb5ec240a391aa7b612acdd3502fe9296d4fa02af39f21f159af528daa3894c3d10bc8f70f204153a066e1e6e1174232fc420ec647e29bb4688f26c7d463cdeb95eba4c0d1ed3f5fe41d5e34c0b27b587454fb403e8c9a0fe90f53174d547dbccadb6481c48c979cf3414d0d47160a0b9f6d9a4fa8489653ca2e924223a8a52ba63fbc1af034cbf44cca4728f09e1f57706d6107eedc0659bb9c6d8a3383f11cc87e53aae6dcb83853379a6c0d536b1e06773aff31ea600397c43a66f302837d521fb6abfde5beed88493a5eecfb26ab6fc3f879ec0121f3aa7330bfb82d14528d9c5e2033c05cc6b60f6669273f99099a5d72c2c5144dc0b2aafe0fe7bd01ebae29bcd82f4ca43c5a22974c3c9d923a62e390532e2774800015307b8aeaf1b7a061fe77131a5e12a9cb090eda584acdad7bd8afb20deab65d7d1cf3d16ca8187aded08a9dd9bf830ceb1113977211035b1a9051ae1ca5f1f326e4a6e257b62d7792effd005f183df782bad319bda67a92386c6622d002ee87cfcb1a4f9b4bb4217e8675299f2d8c8f8a6324d3602f768390a12478e7afd2d52cd23567b1984d48d855cf072140126ab0a8942759cf3898f118284d2a933721d71db420e830c88e23b1f07b4425b97d0b8374bde0cb8c3be352471c15c0db69276261763f46ba3d043ef637dcb3f9b0f2d4340029222be810bfcc54e447b9ed750f2f275971a63ad6127bc7423c3fe8fe22f281a727b9496b703f0f68878ca8e117485eb7c8a7b38266bd5a07b5a2f8a9c0d02ccf8c8f762bd1ad4b215b295969dfcb9f19c13d88f72b54e59400a7201ac79fe2fcaf329c8e35a3eaf2417621a00eb5cd2da50c611d5b33e35997071bc1fa35d6cc81247c17bce39d225172ed4a10640cad8178865b307b866323a25569b6ad3292cd47f73044ce58c454961cb5523788a14cc46228517312b74793f0336092e7e30a0da14318945ca2312922bdc8f6e9a4159913fd72dcb4e4c787796ee465ca2bf4cf3628725a391197efe8104ea71c630b72ccf8fe427be80a0ca6b14f53ff9697b6279f0b2cd23e356f951d7c08b7f146ebaa3cbaa6a90d1d9af187e21c829377781d75d544662845d403226516f4052479d8ff176e24ce5510d6e33f04438462386babfc53be7cfb6015296979fe4122192cd44b046ea7e71238c0d3060a38225b9afabaf1693354b3521e2aaf5de3e85e5c586765ef8e2f9c98b8ed4a535f6708f0f171895b57da981c4b3d851fc78322857b8fcffdfc34fa3ef658eabd567b2ff35f0ae288701a811f725c8719daab4725c7bae2a7174861812ec8e9a999a4a7dff379008fb7a93bb9d5da43ea9e10819f914119f474df29acdc90e1b4901fa8d2806394adb6d34f564489340015df154dbd9e9bfa669e277a4c3522074cda8f036e1c762a2abadf3878e7b70598e4df8f7d6e134e13509f1f3eb2a461872adedcc36407d03d453e710f3b0305b35c069bcf6550888be2c3df879622f7c091605c2b473384e4aabf373845b643893ea03ca9a2332f7276ab52ea5e69a3206d0b29eca19fe9b561d58748f0fb5f7cde5d32ad768133a5733db27411ac56849c31c9cc9877cd771ad87db0014b011c071a8a57afcc9111fad241"}) newfstatat(0xffffffffffffff9c, &(0x7f0000004400)='./file0\x00', &(0x7f0000004440)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto_IPC_INFO(0xe, 0x3, &(0x7f00000046c0)={{0x89d, 0x0, 0xee01, 0x3, 0x0, 0x1, 0x7fff}, 0x8, 0xe40, 0x7fffffffffffffff, 0x5, @inferred=r7, @inferred=r11, 0x6, 0x0, &(0x7f00000044c0)="ab561aab77c583ce985b9783d96b5e4e3824cb3026da2efee0101d24cc3c6b58c7966f226c27699f3dc15a3304862622efda37f57e5797f736c482b334c0db1039382a78928d4708282c72dc714025c2cca6fef30b64fb050ee5845b1253799b15940b967116839e0075330da8af7ee9a5b52c5768fbf02f315471e6d7ac7780eedcf56dab90441764c1053f95a9e94feec9ea2b6820f3be40e34dcfbfe71b03378a751c0e0fd04fcda924050048f51708503500609235cc75d299eed66d2ac9583e91dd31b9cfe3af5c2489c204014b7a74549d85c8e8dbaceb6388f245c262986d6b26eadd8fcb38587b698b3c59fdf63a82c643db5aa17914bfa0", &(0x7f00000045c0)="be290174f8ce0f04911d69badae0bf37c4fa5b15fa3b1883ef707038444de4aef3a73f3383480e830ddb756243c29709eedf6974edf3be9df13637b48ed14edc03d7243bdb53fd99e2eea6025693ad0701b82ca38dd6d08cda9e31031dcc02ffa54384c4aa7d870f8b1ab9ff5c0e744cef60ad5418d5a3b9ecdf09a54a1d9b12b10ecd3bcc7bfe6ec02b568daf99a59ca92b8a9eec612f3829a08c44fd4b27611da5908b591f340e23f5ba2adb1e29e89f28f5f2514379e45462dbc30a7202bb25c19ac61489119c4a8aaea4000aac8281c3d426d8a082b7dc78f57a12a5c63562"}) fstat(r10, &(0x7f0000004740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_IPC_INFO(0x8, 0x3, &(0x7f0000004840)={{0x8, 0x0, 0xee01, 0x0, 0x4, 0x2, 0x5}, &(0x7f00000047c0)=0x4, &(0x7f0000004800)=0x5, 0x4, 0x6, 0x0, 0x8, 0xac0, 0x3, 0x401, 0x2, @raw=0x400, @raw=0x7}) r26 = getegid() shmctl$auto_SHM_INFO(0x9, 0xe, &(0x7f0000004980)={{0x7, 0xee00, 0xffffffffffffffff, 0x1, 0x972, 0x2, 0x6}, 0x7, 0x6, 0xb9, 0x8, @inferred=r7, @raw=0x5, 0x83, 0x0, &(0x7f00000048c0)="4166dd81284669cc6529e5a0ef081d370a00722e0c7700e484177e2729e55d1fe0f7564690881382a850b3b8d6195ea5d032edc998535fc787928ab4a3b1891540d246d40daa7a5fd7db2bd6c99b3f2a7e514d0069f2bfb485d9e08e67c46824c2e704ffa0431e1c20432972adef084921d4", &(0x7f0000004940)="3c673d0f3bdbe20483bd0ef8f8a2c865bb817c75a3555f98dadf18fb4d805bd339d5717defd470ce"}) msgctl$auto_MSG_INFO(0xff, 0xc, &(0x7f0000004a80)={{0x80000001, 0x0, 0x0, 0x8b, 0x4000000, 0xe206, 0x366d}, &(0x7f0000004a00)=0x5, &(0x7f0000004a40)=0x7, 0xb5, 0x5a, 0x4, 0x7fffffff, 0x2, 0x4d49, 0x0, 0x2, @inferred=r9, @inferred=r11}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000004b00)={0x0, 0x0}, &(0x7f0000004b40)=0xc) msgctl$auto_MSG_STAT(0x9, 0xb, &(0x7f0000004c00)={{0x9, 0x0, 0xffffffffffffffff, 0x0, 0x1, 0x5, 0x3}, &(0x7f0000004b80)=0x9, &(0x7f0000004bc0)=0x10, 0x93e, 0xb4, 0x7fffffffffffffff, 0x2, 0x8, 0x8, 0x77, 0x10, @raw=0xa711, @raw=0xd}) getresuid(&(0x7f0000004c80), &(0x7f0000004cc0)=0x0, &(0x7f0000004d00)) statx(0xffffffffffffffff, &(0x7f0000004d40)='./file0\x00', 0x800, 0x4, &(0x7f0000004d80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_MSG_STAT_ANY(0x9, 0xd, &(0x7f0000004f00)={{0x8, 0x0, 0xee01, 0x6, 0x1000, 0x3ff, 0x2}, &(0x7f0000004e80)=0x7, &(0x7f0000004ec0)=0x95, 0x3, 0x3, 0x6, 0x8001, 0x7f, 0x5, 0x3, 0xc, @inferred=r7, @raw=0x9}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000005040)={{0x1, 0x0, 0xee00, 0x2, 0x8, 0xfffffff8, 0x2}, 0x2, 0x6, 0xb, 0x100000001, @inferred=r11, @raw=0xc, 0x8, 0x0, &(0x7f0000004f80), &(0x7f0000004fc0)="4f525e340cd5a86e0881814810a2a91a15b1d5d14f4a79d14dde318eefbdd8e8e728d413187ede4fd069fc173d33f251936658b970959cdd1a15bcc3c26ad76b38a5be0c00532ac5254d632a2d800357de96e6f2f7841688314922a5eb1530e0b7352ca60639db7697142de2aa07c7c6a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f00000051c0)={{0x20000000, 0xffffffffffffffff, 0x0, 0x60000000, 0x5, 0xb, 0x4}, 0x7, 0x68b, 0x19, 0xfffffffffffffff8, @raw, @inferred=r9, 0xc90, 0x0, &(0x7f00000050c0)="390ceb0f410c002527eb3b46b10c24497104200a43cdd523e8a72786cf59380bde524cb59556d5b256cae07e343b52beb18b62eab07c445eefcb35dabf186ef840417c408f79b74aa6ed333f9462acfc1db146b667a8962992f20af86d7c20385025a74f9071c79844536cb7ac8f8865fed4a57d022beaf618bdcc6509c5be81037e584abb6ea9b8cf0d2e175fcbfe9bda3668d75268cb8605fec3ba1bb1e6c276a14929c3460e1693458f22612352db6a3efa4d7c7483d2", &(0x7f0000005180)="358f28870becbb"}) newfstatat$auto(0xffffffffffffffff, &(0x7f0000005240)='./file1\x00', &(0x7f0000005280)={0x4, 0x4, 0x100000001, 0xc49, 0x0, 0xee01, 0x0, 0x101, 0x8000000000000001, 0xfffffffffffffff8, 0x7, 0x0, 0x8, 0x8001, 0x5, 0x8, 0x9}, 0x6) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005340)={0x0, 0x0}, &(0x7f0000005380)=0xc) msgctl$auto(0x10000, 0x1, &(0x7f0000005440)={{0x9, 0xffffffffffffffff, 0x0, 0x1, 0x0, 0xabc2, 0x100}, &(0x7f00000053c0)=0xe, &(0x7f0000005400)=0x7, 0x8, 0xa2, 0xf3, 0x4, 0x6, 0x5, 0xd7c4, 0x80, @inferred=r9, @inferred=r7}) lstat(&(0x7f0000005b40)='./file0\x00', &(0x7f0000005b80)={0x0, 0x0, 0x0, 0x0, 0x0}) statx(0xffffffffffffff9c, &(0x7f0000005c00)='./file0\x00', 0x100, 0x100, &(0x7f0000005c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005e40)={0x0, 0x0, 0x0}, &(0x7f0000005e80)=0xc) syz_fuse_handle_req(r12, &(0x7f0000000780)="68f4b9c022245b560b419427c3c56dc4ee17cd422ac481d8d2dc27c0c24adf782096477e5b7a147733cca0eed7ced0abb03ecfa0f83e914228ec4e019a38468e2e4ee4edbda02353ee9a4c106339d7b118a30e93e6de4552288afe032af1f897ef39ce140cb1d452644133199f16653b9215c37f78f192752d031c6428d735621149de6243a0ab6fc46528b0a0e2d64e65ecd9e13409abd5e73039dd00e08805e51adf3a8599d99d69f23775044d3840234f1db089fb0987d645ec25f4ad3eeeb9604d1f2ab69fc3bf8315bf2e7b91886d2a6f5071b66fe5048b6b654412900507340dd1add27448ea31685b4e867c68c9b551df246b90d0d0fd9af8dfc647fce7c377aa364862ff0243ffd04747b945baa37d755c236092b3ac7aacf612a40326de09063212aee86e163aaafffd8adee4b515465cc919c1513dc7c9678ee6483fc3fc68b884a9cc604f362386feeb1a7efbd41d42627f06fbf6cf913acaee584da6050cd6f49ab96ede69216b0aca3499947b02f1b623245d4cc5dfb5bc7c28c4f77733c3330d49bb25ce9b47978b576c20e1c4d8b6ee1ddb2c80eb99a3536968aaf2f01ba3142d6d7139f47ad871327d9eb2fc364bb42cb60a572c71d1a13f94056c727ad80dbc0b3803d3ed007cdfbdc6f986845b239671233ebe9c973bcd8653c3732e52516409020f4bd05164909329cf8b09d57bc49fdfc9c96ee78b92bdc6e865b56195bf2987b6b4adff6196f37ffd8de510800b328ed7bf86ae6d4fb1d8e83d1c8cc93c127dfb6589d7e61ad8559c8700741988a06c4b3a03ee3e9569f795d7f1433cdb520eb451c351c23013c8b6007d147d24dd1d52fa5b0e40540f38bcf7419eb98a47901e9357a78edc701ae82fd058cd6d96969f2c6b4b82eacae112d67d062d56f0fe3b9cae85672c679497707254763535092769d38d26b9a6510d9f64fb09dcb7283de42570546b0c763ed8cf60f53db86b7563e5726f616c4bb2beae0a9e186eea24f642d70d34545784e4630d4e3ac0289c2caa22628e299b293d2730cae7fb99d4dea073e5a0ba5f34f77dd928389543e00f2b595649ab73645425e273e4b6d754cd17a627aee1da767160bfe86b0416adaa61ebee1bf7409f284485d43f8f484d053a1736da79212859f48b71cec77ee23f771adced4fe526495975bd04ba08c799c07f57084abbd6ba4281140dd8ec0693180a4daaf48b72ed48df137f68dded9a411454faf88dad181aa2306c36c13c15a5fcaab5bb79201b417f403c83d0419e29f62a66a0e0276f9f96c87f94b7c8a32b94cea7ef64fc4ff41b21d6846c2dad67bfa8a4b57a6e5001e40205d386ba77ae13c9a112128315cd6a1a641b228de06eb0a709f5e74da475d22ffc6533c9d9b2be00d22bcc8b4718705609608ec3e4c43579cfae0b6002f3154da6147b856d82f3dc4d4bac4f509b910796aace375ae79c8bd3e75d709aa0d90e29ef0e03c69fb8e5bcb34e4cf14a6e7cf4a408e99aabddcaabe1f0c72383671b4563cd06ea9c75e5bc2e3c9556ac45f07bd0d6c9b391dbaa70171e71301fd5395de383d135814c1214ce33208c1bd8403e948fa0b39379a14029f11958fec9eb460e3f9c7349af6306d2e0cac9a4e4de43e93127c6ec8b17820a5700218f5b08e0a8ce0a448d688c945d36b719b2dc711a8d48098bf4edc5e26fa5647a647240fff4d76688bca713b8dd7172afefba6e4a95f11a111e3cf039bbfa41536d9ad7b0fbbb4ff82cf19a72eb07bdcaaba2291ffaa0d0775f1aeb6866c23cfd9c8ea68c1387f89772eaef2020bcaac5fefdf104ce5160aaddd65fe9c489851fb090cebf0220321dcc57fdf71e9a1c1ea53ff17d131304469eaded3a143833afff98a93c1c413494bc0d6cf3470b2eee534d4f17de37aca75d82169f1b63341230d47e85beb0e6f50ce72556e37b73961292b9f0343851e9dca9fbf4ee45a5814b04444454413a019f82949881c81a5dddd2097a8e5c45d68b808adc27fa3abe5516b2a5c1cc719ee0c979666831a15a964d5fc2e87068cbc4e470d64f34f0fa9ac7e94a0693dc21964297b96de293ad5a77f2a8dce271a89d10a10b458a8a8c521f27a50cd206bf0ec9f2abb3dc1682d3add75b813c5979ef56583b5212775d617322bdd7c344fb0c2dc1dbcc63123119bd652af941355f561b8fa49b8e0caba90002c48b88c80ebea67771fb479f5289caf5eae18f01a0cd7460f3de6c3f92f1d43b56b0ddedb7059e7f18069f804b2056a20acbdf25f8ca36dc1affa80e2203a0f3639263a42e9b3ad0614c6bb3cfa4376b2854f60bcd9297bb0cb45416136f21bca9fe38fef0a1c265ae423b36eff0c7f9e84d3edce5df6a2e768949ec9dc4f9186c489546e24c713db919bd51e6044592837c8b7f037a8b3a9084d961c02fd0aa4245baa5e917d7f93f096fc00cd3da057edaa7476f9a3883c1ab863a917746bd00e87855bb58001674ec10542e70306310d73399f34a254cfd03b4fda6dedc8d7f2a8c81e6e17beab6710a2c2a39d38daf05e04e38e9d10f308131de76a359bd59015fc9f10769d36c160d3efb66174a97b6a599e74baedf336c3d9b0ced617bf0a530882d9168e64bfb9c36ea351af436f780544cd1f006e5db439d1cd9c6e2b591c37698e3b956fdd6a96d0c1ff5a5c2b4f20e8204fa2394ebd18b636072f76d498713d7258f8fdaa7d173bb52619ecfbd037e9d9e8efd79e776ea36889904152981d398f34b5e7582b7373feb1310f6a3f43da3656211581c4dcf82bb82cb513462808cea9fe21d0cf8707453e9c1de7a96a3829212cbe885aff10c11171f5abf14a8e6f22fd0048ac5e4186380c14c5c2d4fe13be2dd3e6f26cfa94522d625dc49d179bcc48cb42ea40e94f33d9e76ef925746cb525139ea6205c6f1221d9342e202e57b818a7d1214de38ee9502993b73086602a97519f6a099901b8dbd576abd64a8b13d5a930f82c06fb9c5bcfc2dffa97783eaa3385e72f9985d57d7ccf93b7c607992cbd249ed74b6da3ff1dcf6c723ccb3725ef18be354160d21b9314a7d01cc297c6b1fdc8a24142e555dd8fd4a28e04c85836e46e66364908eb84facaabb833b1da7031967c10b8c2aa3cff44f7a9dcfd0665d1e90d93be0df77a25a4823d8dd35c35dc4cf1c73ba26ab20473f301223a6ac9672220be0950f92bf1679874544f8c10e23bc9ee1d40a006c989bf9885020a65a4e7663a8117bec09e2a2109c52789bf7fbc00cd3efd7a652b15c4c4c05f654118e90643e649d7fe431957b6f1dc5925ba9ab6fd8a1f6a0f83a8a519c1dfe4236034ca5567eac95ea12912e6067181d61294bcf09c17f9d948a03b0afcdfd3a5d470d289e4b4744e688aee68bf26da015438a9c336bea06ddad4874653289c34c032764180f9798f33cc0b82b3687df74fecadeba2e58b970d6e4654d7b09b0d85c78961276a94503098577ba4932d17e0a7dd1987e85c4afcf01f68d7442038246b6849bd16fe035936be75e5626cd3d068b9df93085a12b9569cb27d301caaf2f4f337ce6b194f4a85a1755a2b3805367e5de5e4134df4fc3941625d44171a9840ef2267ad81f2aee6c34ecd3ae96281285b54fbc217290fe1f4675fe64d1b844cb43c755ba29dab531e837ece7146009fe04b727257bfa7ad4180e82e9ad170a9ab781efc150600ce37043ccee03ccfbe76509d63ff8f21862736a4345578c87f8f4142c97a47add5c7d6d7359b2690155a11cdbe9be3479e0f4b2dd44a68a7848518d55897e49bfaf2eefe6bc06d560e25f52ad1231d4664427bad4aba0d615985afa47ebaf242d3b8c168ad59cc05a1ce750d732a67203b3fcfaa4ed6b2ff004152eef5652beea4c6270203f154c70bb6c5fdac24bd7fcb6389bd1b51759205ba1aa1beab6eca99736f4a43f21a639536461d2438a913ed03b63db2621c63acb496eecf9838bfa7f1852437b458b1046197e511ea81479690904bc3a0bb4b9ecc0962e33c4cdd921f824abc2c19588613efdee01db701ae5440cdd987d868314df9ac7bae59274021a5d0643f8d1d3a97b8c8bf02ee9fc056cc164724851435f907685c349db9429fec6e2df3c534d94cce4ecd2ea55d72aa88264c86a40fa669306b95bcdefcaf54f117770a04f35e721f284f681b9d3114c4bed29f209220638defe43fc436695a58ed3f20dc921e4a21c79e5803927deeb5a14c532e3cd83ba32981c192e20e93eef674402afba8d378119f634ff065fb294f9e38c1974d4d37cf673b58797b5e26e22b0291623ff15d002d55a8dd00fe4b1fd54177d1fd065da0b17479316b58a8495aca42c440b63c8f4b1a9538df10c8c9546fd8c4195e1eaed31543b8061c8602a8977123f56e5f11cd05f5a36a448cc257571f0e5bbde25ae82f583cb313ae7bf5dece56b617321cfa60aa9278a28ee9f78ec7ddfc5d0f665ab1a1d5531f2406ffa9b5ad6f9ae4c98f85447fbdb9efc2ab398801e905c229e16ad9f87bf61956a7829733fff1dbb2c355548c4e303d1fb2587abeaed6911b3d5578d9d4355193af1f6eef1870f0f1df73615a5d9ffe9d42b7f94c215f9ceb41d605e95a54b5fb3c62f34396f9f951c5650920f159c1c330ecf7bf70b1b8d0a973ff4af344e9950ffb9edfcd326818e28471cccbf70b71ac2863eaf7ef95dbcb2f988c85c266f869914719906213c0db18a4a4712b02f7201dc95305a3a531f466f949fef612cccaa936d47aef4bbad390850f2b8fd991542e3986de10000dbd2bc09f16c99ed0b461cab444a1db069381434540795150de12427b1b5d0601a523204283fdd6b69e403fdc3f94421140dbf94865f35af7a7bae5547978fdd805cc52d68f4ff49beec4920e25d8e4a237a86c785cccc3f2ee7ffac881e99e57612c8c94bde400915f3f75b546579f401e2be54930904b98c8242394d81fe94d267d3ca3ea3a0e1c9107ecc298efae6a19e7337883e27af271e06299acc7559f0ea461b875e27138cd35e046319fe9f838c511305fc803cc24309dbf335b225c58b6caeb2724e44a9278ca823519a72433ceb2166b4b73a35b97de2f55438b95826e0ab348501187375b0962367db5349534676f352835a1059c307421b2beb2e63c0a006d5271f493e59069882b103d536608d18d61e974222c43b7ca92529c8b0cc2ae9df8c2bc2b20d6833147ec411c4a5bff534cc72b267714592a4e43252684940f54ebf5f39f28deeab2c89abaddfb6fcd2b1c025bf30dc2edbc0823ccd19fe52f9c0b38c9c1acd6b0efc3f688b80bbef5473cddf820270d721245cdfa01bff1485864974b428dd1933fbce968d27aecea5dda0ca9561919d5d85b098fc4f3efbf7ead3912851924628b888a28e46320afe8a302239147f48f2cc2ab274db1aee565b15ba2db832fa630344d01cfba11287b25c226f28bc4ebe1d204e90a39a81c6b2136b0164edb65194ea5510a9b9efc0d0a2352642f0a8a23ef4e6eb8948f5ab42ebd45ac946bfdb689cba13767f8d5f778c42e2d07d088491e06db5cfbe29ea3f45a43157945d419de632db52fa133d990efe2c9e473ec36d689d0b815845af5761981d46d5b9f3865f916b5bb93cf8f2e8d4a11c8afacfac2c647e6ae9a8696c9ecb6bdbdb2179f971eb75e14d52598ed6c16ec1427e21df5c5abbbd85e42f32df37c485ff33d0654571ec60af8674ba35c3ef627d24b1c2d84ff2525416c2a4265fb6de8173faeccfd3138316c4c7c329017928fe1b64c29dfeb4570f7de93f944615316fd3ae6cc12b94332fadf75b15a13d6ff27f7c61981737efc6dfb528942532eef5e5dcb803c1ed04da23bfee623a89088d8783c7edda3f56c5404ee7e42f09854753c1a0dd78723c9c4ef12c7ead1863a53af48d8d61457f2432ffaebb356a6e78a1591f0424aaa1f025dda17a7b5eae3989b27a573f59bbfe2f993fb18273dc356aa59ec1b2f151f84b9733b271f1e04d17d41e728ef52cfbc0111f123213fb22237d81b0029bdff7017f8703e1ee301758ca9e22399c420b3631e5b998737c2a75939fa46d1e617d7b19fba4919e35ca92d8b59798da36a0a5d4341a6eb57d5129513a6e862ea94f27c783c9e68f930d5d337c289ded11d510847a50c61c47940c17a32b287f704664f1b61e1648850891f80a4b61479348b43440d0c9c91b89257a4af7253ee5be6bbd56f22986c38b536b8d5000102cffd10d93808b8b1c4eb53f0c697c217161c4cb7e091d4388ce3a20eb5351538c2af3a906e6ac664a5d083e395eaa5de791ace45bd02b5e26bd36be796e95c74422b7d8f00c7bdf4b648a1e9ccf68e912abbfff3c74d8c56385d7a89a84ad3c3946a38e82080c3b38a0298070d8850475b95b379d62f5029103a7b45def66d25a08e241c42c3438828e59f5b1d1fd8c975649d03fe3e536babaede3fc3cafef77a72cd27b94c1d774efbe19374702f393729898bd09bc8a407720d67e9fedf01852b893664e35c26bb48656a5689e7e3a632e9e5a3bbe875ec6b5eb73fee6e605547596d0ede39c48b9d9f63d7b38c1f619bc6f6903c02c47403ae8539aea7893fb8110e4b5a9070836853f3a61648327f0c6953794fab38937b278dc0a1ed331ef4a0360c41f4fb35b7ca6e117e785833a224fbea8241c59c9d96ad650959a23c747d47881021a530c9aeec13b5b99a268e2a63a2b96846cd3e8520c770fbeaf52f9a6e36b7d5e0db746788613f6ead88738d00c30206fe07295b70ed21e0528a7b909f3d2cc647b335dc7b9829907c380e583bb408ae2710b40d44df12ab98ac6f08882c257c26b25608ba5af2e00e7c33e6084ec86a2258cc3dc8bc63c2eef5483b8aaef1cb7ad63f4a286803acce81ad14097473c65d9c37f2578de04e18a71951458f2ae3ab1d45a548fe11d4764806e713b628c1967da918e8ed6556e619beef08ad8b93d7d70917457d9c894c7bbc304daca443d14656a0268d74e7658377441e5fdb14148964f56a3058a8e1a95e10022770da557445387f2425e7bcd386e621f88713fa57f442462fc8f7a588f849ec7a108c6a5a777283fc24c879874767526c5b6b2d22212f4bb8898811f731e78b001ae052c47d832cbd8678314cc313fb6b9966bcde9b1ce15b92f0597d58b15d91e31f221b2f1d6354e49de2a7a58d58f361fd647fc29dca3b5da3c6449c52cfc5b87bb4843cefb1052eb68478b51c1689128be434f0d34b511cbb1e84b8b211a9ff1aeba55185291ed5395d4ca5b966dcb7fbff432b931f6766a9b37d341d5f83d2969f49fb857913fd094ee9153e905fd3a000825f4c9d591cae9e1fa33abf94663fab49e460f1344cae1e6804f2a53108cb0f29bbc0f6a075688d987d6cf7ca3851008fd82c35589ec90e3902cb1ed0513555e303b91022a0454948aa7d866dfb4b97fdf6798be4c742276d99f685370a910fc2be7b289a44573785e09ad0a207940ea859befffd95cc97069777e3dd0506261a8edb94ab25deabd371bf0e8dbd5f035a753871faa5352cddfa90496dc3985ffbca1b31290e7eb460c20920126bb8ca9304e3553b3748a8f5df0a8977ab994728fbb540e073cc3f0805b5df288000831d8061c06d416f458a2547ff4e6036de1181cd1d42af41615ba4e16d6f7aef1cb34060722212ff561275bc4974f00948f542a5e06bf40b8572df1d8d68ba0608dcb027f8f11c0b93e65b2de9a16fe115ea940cd904e11b2fbb7c0e6729076657372c134ee6fe8e0fa6f9c2ec12bde36e4625212a472d1501051016814791e7a2fefbfca68589865f0837a32b1201c32291054bf7187e03cde3add7a3398aebe76672e4f8ad81a9eabec9fefabbb62c1d73adc3ef58a68775f516a99f54a75a7a7b530dffca82d2b222c993b785a1a7b6f7accb584ae25abe1517d70a69fa2df2c77e4e0755e187f60bc824658b8d88dafbc240abeec3493fdadd6a1a94680e5db4bc1862c758a519021c0121789f4cdf1e2a71cd536daaec9e4b72e9e25d9251fd3ee511f1e081f906d90dd4df5cef6edf411aabcfd5d933e2653581f1f0a49d85d503ab0f1288743a8ef5969fe4ae3af9affb7905ac3a904ca86cd7e8cc5b96677fbd2bbe3e3e67d564e2db1f14f6a982da3b7ab590a1fb43c44956ceb95d2d59db9e3517506c0e1643a07664f7a279f23b9945c32427960242e7478141ad1d1701f68033b69c7bd2d64318bbf48a05a32779956e161f42682bc1c9330cb6abf5afd31c8e11a4b078b03579e099fd3d8e347330a01fdc2b5ca05001a2d139a5bd7128a02f9d19b8581bad0e14faf9f0a132a6d85bbd291de696a8c67d2f8c3134aac24e41bb5a4fd742c1371f9a8e18ec9050b398a604888ab12a8edec792974456ac6c62989a78d72e84e0bd7aad9e1c08601e2070a4f2bb1009104088278263c2a645d3187edf12fcfebd3d8b37dd893b25e41edb518089e06e1e26a077bbcb6b7068ca74e1c4b59497ab481faa7d18349d0fdaff9f8a0cb6c242560e31a9f9e34c6d8da4e6b471000dce46d80252700fbbfa3922d5deed33d109206af07f3a2a348a61cec80df1302c98b7625797a113eb0b714ee647f7d13d6c10225bc121b6666083fc15b63c2b07e487167b0cd116ca2a399322b9c08f418d1bd83cfc397adaf8ba267ed4630fcb62037603caaaf968312e335afd663fced69900e25073963b5459f597d7e7e581647c994d0fdef88a1ae4c9214f6680e215ee6a15097bea901b467b5827522e68b020768e8a340faee75ecd46af90ae38eedadb6d751c5a1fc5ffb866a0cadf85949dd9631344a46e95091c5859ac7d0783153be8fc89a1adfd4cc3f453ac8b11d6bd637f95e63d28c3c665517000288e7a08ea71a7ac0d569ee05cf8a6631a9ba1af456d00fb049f1c3366e8d929b6820fbefb65883773bacb1cb1a7105dd2ca60edde95fa2f35a34a369c5f04b65e08156502f8cf176e4f9939afb6bbacdabc5c8116dbde9b6d212bf125f7697a8571d69de443d4d86f4be17a959148fd6105a674ce523f37c2c09e1ce1cc71274a475ca3b0931adca1899bf7baaf2dc3a9488adb13068577ed2ba96a7937fff3a9aeb461234532afb215083c89799a0fac0ad2afeba7a33def1b302b12a6a4d7a2201b915a2c3bfb5cbfce746885aecb3dbc4de9c4dc1ea7c3326b7318c65d3763a5f2b42a0a97be06e2a040636c2fac7db4272d9354d59cda5546a3415c8f04c709e0ae4ffac3ec82999b5c50ee28ae85193be4a6888db01c1b770f854fa3b66c2adc29c6c7c0d3a15a7224b235fbc61863bf9af6d8eeb35d67d9966e3220f0bbf0e101558a61559f9e6dbf286114a94e0950350f7010f3a46e1a98c939b3727f1d125ab2c0c5c1d7cabec0d7ea68697843c8ae9036c3d48469850440748e7cce6a2601654d8c597c5d226cd4ffbda153e2fecf0b58343eb7acfaeaee02970f011568ad26e4383bee5daf95802f742b0b8e35dadc20164979dc4eab6f333a29412916baecd7d11e18d7d566a9f709a4931433919514c735639dedf1df65ebde8a14555ecc254fa4e3179c611af0ae32c8c8129c0139e9904821c76971b2d2b08e839281429cc0b02cf5abc1fb78aead7d772a672cda2ec38b69f858a3007ed6d773e417521b94e7cfd21b3f76361a833bf0c8a58cda1c753236538e7d1be278cdab78fb73f36280615aa49d8ab1deac1292be4480fb609e7e6364c300a8613d37c8024aa6a72c1e4a334e77817f9cde0e10cc57b7c3bbca50f40e15b9a1042efb7802c404186e479f5f7636ab50d261473f5804a75f6cb1fcb693cecbe9a61bb9695801c7ca6f927e40e6aa91a9af71cb5d967f79057f955d0a4ed58ce999f9acd21c1a1ea10885956b46e44ca830ab2ee7add50d2c1fa3dea6f4c7331b1e53fbefc7e424aff178ceff95a8910d39952704ef7855419d3cc08c7205990af447e18d3945d133e99ba5506e50e31bb28ebb51337e38e5dabfdb6d20be68a04050dd9918748368d58b8349ee60de41dbbc83255db8e360c3581a3b5523f5c36d7e293eb4e2b014982367e286c6faacc8503cf4d91c4049804ce5a7fde5fa19c6a5b5f330fe3f44d7f33809bfc5b13956f64663acb8c324673829c132d3c73525f8f8ea3a832f88975d14c318c05bb5672c82bb02f9acf2dbcbaf68e5e478dc519e522840bd8f08b50c506a75bc2fd092e415199e5771d8ce03f088e9bfd4551c2e8eedb859303ed757601bdb16bff543123d7570ac50d2858cff2a7f9758cb24ff0554f9131299758c010113d9b6f0bc7246fabec33c58dea925b9ea73ab381c4aaa8fb2165c9d7d8b8a701202250d360fc617580565e78d5367e3fbcd841d4503a7c20c20560a03e397b0d3cab57254d365112aad995a9e3919614bcdc6ca2055d0d87429ee3305a67fa69c6024a3f636464bcab62c99a4d0453f5bf879cd5d46e3cf761bb91109bd328169f95e98b7442cd05a5dd86e18536d205262c620002e7a3a8afed4681c271a34f0b909d1c861f9c18fc76d3bfdd993785185dc3e2e34d7fba686ed0f733d16540670a657786421007cc1a8ff97236fb53d8664911dcaac2754350eade708374ef06b2f61232a3f5b45701cfc09284b6e3184c7c4143e9a304984c4bf1a14ec75511af82b2c6c3e6d5990728f4b724294dfefc35d1c75db9efc769dabfb5cfa0c548c2d5aa9e798410f2b2bdc32da95c945aeebbf06e2d1e22176b66e7d22bebed83875b4c863eb55a7194c75bde29a8c7816e5c3c650c32cf54f5d9ac35d38bf19ecdb005f476ab050d96b7b7fc622f1ac357b28fbd7c38f81abfa06355a30b3803f042c4c08a8274daf0183c0e52a634fd299aee994dd3554edb6adf99bad5b9130b491ec9353c7f36e5fa7c026627f68f67c775fe190aeb43febf56f55bc1a4f5c22948e5b29a117f6d06d4c68e51449f08a6d0d2e67520ebc0670e2df3d2f7aeebfbb87643e58d0176965d600d97a22c7a0556a2c0479de64f8b4492dfb542e8d3a3ef096f99d39e677a07ac97dc259d9f759b98e947f1ae8a9278b9bdcb8510fb06641218f79f67e4f5baffbe5d3cc38e1498938c5509a3f69f32392f660e005943ed14458529e82593bfb6c4d3e463103aab3cdc8d468c9a2c201bee3ae663f0792460d4b71e031a83c33f9172332b514f74b09c72cd6ad76e906fa4644f3c142b128c1ff2b84e79377599d4e2c71145c492ff3dab44793b905675895fe3df544fe725ea5f7d2fe3854d7030ce91957fad4f7bd7bd7f1d1a1654e3fcd0edf9daa72bd962d6b64d0d990d5a4850802b9297feb622aafccc107ea2a8eea4f0da89941b12a0ec1bfd72a2ed44fff9f82411ecfe9f19eb957b48f859ce045da233c9968b763ed94413ba0f68ddca65cea0abb6873c892902416f5eadd911d8442f0316fbdea9f1140b3e8305afb510a3ec590ce20fd58d3bf051c2663e74ae64eeb9a1463c8841ac0b72b732b7ef127f5a7d9a87d6b8491e753317350d7d1ae593e6c2006f23b2274db58ee344453c38e299c141821ac47e88ddd93893df56baf501fcedee34ac657f279a9c39cc38", 0x2000, &(0x7f0000006000)={&(0x7f0000002780)={0x50, 0x0, 0xf48, {0x7, 0x2d, 0xfffffff7, 0x10820000, 0x9, 0xa42, 0x7e, 0x1, 0x0, 0x0, 0x2}}, &(0x7f0000002800)={0x18, 0x0, 0x200, {0x5}}, &(0x7f0000002840)={0x18, 0x0, 0x3ff, {0x1}}, &(0x7f0000002880)={0x18, 0xffffffffffffffda, 0x7, {0xc6a}}, &(0x7f00000028c0)={0x18, 0x0, 0x3}, &(0x7f0000002980)={0x28, 0x0, 0xfffffffffffffff8, {{0x1ff, 0x6, 0x2, r13}}}, &(0x7f00000029c0)={0x60, 0x0, 0xf, {{0x0, 0x4, 0xb0e, 0x1, 0x6, 0x7, 0x40b4, 0x2594}}}, &(0x7f0000002a40)={0x18, 0x0, 0x75aeeeb5, {0xc}}, &(0x7f0000002a80)={0x11, 0x0, 0xc0000000000, {'\x00'}}, &(0x7f0000002ac0)={0x20, 0x0, 0x4, {0x0, 0x5}}, &(0x7f0000002e40)={0x78, 0x0, 0x6, {0x8, 0x8, 0x0, {0x0, 0xa2, 0x101, 0x279, 0x6, 0x4, 0x6, 0x6, 0x580, 0x8000, 0x8, r14, r15, 0x2, 0x2}}}, &(0x7f0000003040)={0x90, 0x0, 0x4, {0x4, 0x3, 0x1, 0x9, 0x0, 0x0, {0x6, 0xf84, 0xffff, 0x9, 0x6, 0x7, 0x4f, 0x8e, 0x8, 0xa000, 0x401, r17, r18, 0x0, 0x3674}}}, &(0x7f0000003100)={0x88, 0xffffffffffffffda, 0x7fffffffffffffff, [{0x3, 0x7, 0x1, 0x4, '\x00'}, {0x1, 0x5, 0x1, 0xfffffffc, '\x00'}, {0x6, 0x5, 0x0, 0x98}, {0x0, 0x8, 0x1, 0x1000, '['}]}, &(0x7f00000054c0)={0x648, 0x0, 0x1, [{{0x0, 0x3, 0x9, 0x5, 0xa, 0x2, {0x1, 0x9, 0x1, 0x7fff, 0x4, 0x1, 0x6, 0x7, 0x3, 0xc000, 0x3, r19, r20, 0x71a5, 0x5}}, {0x3, 0x911, 0x9, 0x7, '(--]!}}.:'}}, {{0x5, 0x1, 0x2, 0xffffffffffffffff, 0x8, 0x1, {0x5, 0x10, 0xf91, 0x7, 0x0, 0x7, 0x4, 0x4a, 0x6, 0x6000, 0x9, r21, r22, 0x6, 0x5}}, {0x0, 0x2, 0x0, 0x401}}, {{0x0, 0x3, 0x0, 0x401, 0x4, 0x3ff, {0x1, 0x1, 0xbc, 0x7, 0x8, 0x7, 0xffff, 0x6, 0x7f, 0x8000, 0x1, 0xee01, r23, 0x233d, 0x4}}, {0x3, 0x6, 0x5, 0x7, 'syz0\x00'}}, {{0x2, 0x2, 0x7, 0x80, 0x4, 0xdb, {0x3, 0x3, 0x7fff, 0x9, 0x0, 0xa8, 0x1000, 0x1f3, 0xfff0, 0x6000, 0x4, r24, r26, 0xccb2, 0x9}}, {0x6, 0x2, 0x6, 0x7, '\x01\x01\x01\x01\x01\x01'}}, {{0x4, 0x1, 0x100000000, 0x5, 0x0, 0x6, {0x1, 0x401, 0x1, 0x2, 0xf, 0x5, 0x100, 0x3, 0x0, 0x2000, 0x0, r27, r28, 0x7, 0x8}}, {0x4, 0x3, 0x6, 0xffff, '\x01\x01\x01\x01\x01\x01'}}, {{0x6, 0x2, 0x6, 0x9, 0x2, 0x2, {0x1, 0xb51, 0x7fffffff, 0x5, 0x8b89, 0x2800, 0x800, 0x6, 0x4, 0x8000, 0x3, r29, r30, 0x80, 0x3}}, {0x0, 0x6, 0x0, 0xef}}, {{0x2, 0x1, 0x5, 0xfff, 0x582, 0x15, {0x2, 0xbb, 0x7, 0x52a, 0x1, 0x5, 0x98, 0x5, 0x3, 0x5000, 0x6, r31, r32, 0x6, 0xffff}}, {0x6, 0x3ff, 0x2, 0x8, '*&'}}, {{0x2, 0x2, 0x3ff, 0x3, 0x2, 0xfffffff8, {0x3, 0x8a, 0x5, 0x8, 0x1, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xc000, 0x8000, r33, r34, 0x5c5, 0x8d0d}}, {0x6, 0xd, 0x6, 0xffffffff, 'wlan1\x00'}}, {{0x6, 0x1, 0x5, 0xee, 0x8, 0x4, {0x1, 0x200, 0x80000000, 0xb81c, 0x7ff, 0x400, 0x122, 0x400, 0x689f, 0xa000, 0xfffffffc, r35, r36, 0x1000, 0x1}}, {0x4, 0x9, 0x6, 0xfffffffa, 'wlan1\x00'}}, {{0x1, 0x1, 0x6, 0x0, 0xf, 0x80000001, {0x0, 0xb8f, 0x57c, 0x8, 0x600, 0x4c44, 0xc833, 0x5, 0x3, 0xa000, 0xfffffff9, r37, r38, 0x6, 0x2}}, {0x3, 0x4, 0x6, 0x3, ':-)@\\['}}]}, &(0x7f0000005d40)={0xa0, 0x0, 0x1, {{0x2, 0x3, 0x100000000, 0x8, 0x5, 0x9, {0x2, 0x7fffffffffffffff, 0x2, 0x7f, 0x7ff, 0x4, 0x0, 0x2, 0x1, 0x2000, 0x7ff, r39, r40, 0x4, 0x8}}, {0x0, 0xd}}}, &(0x7f0000005e00)={0x20, 0x0, 0x10000, {0x9, 0x0, 0x1, 0xfffffffd}}, &(0x7f0000005ec0)={0x130, 0xfffffffffffffffe, 0x1000, {0x6, 0x3, 0x0, '\x00', {0x1, 0xc6d, 0xfffffffffffffffc, 0x8000, 0x0, r41, 0x1000, '\x00', 0x0, 0x7, 0x3, 0x4, {0xa, 0x7}, {0x1, 0x905a}, {0x8, 0x81}, {0x8, 0x2}, 0x10001, 0x7ff, 0x1, 0xffffffff}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f00000060c0), r12) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x50db, &(0x7f0000006100)={0x0, 0x45f9, 0x1000, 0x0, 0xd3, 0x0, r12}, &(0x7f0000006180)=0x0, &(0x7f00000061c0)) r43 = syz_io_uring_complete(r42) r44 = syz_io_uring_setup(0x539f, &(0x7f0000006200)={0x0, 0x25a5, 0x0, 0x2, 0x2b0, 0x0, r43}, &(0x7f0000006280), &(0x7f00000062c0)=0x0) r46 = io_uring_register$IORING_REGISTER_PERSONALITY(r44, 0x9, 0x0, 0x0) syz_io_uring_submit(r42, r45, &(0x7f0000006380)=@IORING_OP_SYMLINKAT={0x26, 0x0, 0x0, r43, &(0x7f0000006300)='./file0\x00', &(0x7f0000006340)='./file0\x00', 0x0, 0x0, 0x0, {0x0, r46}}) syz_kfuzztest_run(&(0x7f00000063c0)='SEG6\x00', &(0x7f0000006400)="8fc7c6d56396ba64559a2bfe12e1779d161166213ee3df8a88660735dadbfa0ee93d2bbf113a5d2f840414bb6a835c8b4664c16258d80aca5d75c4b0f7b9f481b32b056b2500cd38d5f745b2ca6f423c76ecb54c20df71f37e74a7c331e0867f", 0x60, &(0x7f0000006480)="26f86b73ccfe1577a8270fee84cb897698118d2edf06c754c8202386c681cc227fba179b5b9f4aa7b4574a9b1faa900d6db4338134c1988fa60dff908f1ed3f1d861e66fd378f4b75be0769db4b8875930df50ca44c3dde09f6112e7244a77991c9a813f74c0a8fb0a759dd430a1e46be99ade077227a164f6b567c0cbd3b2456c859d3295f82785295b18801aa57559a9190e85ac6205b4a0eec96417782d9a7e0afa0e3d274c00cfa118008b09a9f246051a7f0b9bce54acf1306b6463b474316fa9e8ed41cd670d09818621ed25ed037dfc6e1c5b4f196937b251d422ac00c3012556c45a9e1ee642f5cd2c2965178e24fb30c312a85f9db81cb084141203a2e5ecf64e03f1215f23ef654dd5e96b9001a8019db4e1361d0d275e4faedb83a4c6421575e98f8d7f68718a694f37796f04343f5774d6b76f3d503de622877febe827ae51a2b04b54714e4a512408a48f20e54831fa366670962cc5a6312a69baa14f4451b8abd6113fdbfec90a327b13300bc5743f171d4df0353063c8213905b5ea8e1239f6e4e5d45f8f2f7ee5209560532a091fcc584f0924ae02d756cec52f040e749a6277fbef1f9aca8df92ba05b02a0c1bcaf84b8d7b5d873815804b3c945bb81e759d3ce76cfd69432ee9c20ee168940f3ee98d1ae88247b3907a555751588528c6fbce8fd6ff9f446b331621be104fbc250882406a28594f3fec9ad498950cbef10ba41155632c1ea3551e6816f755c5538cbfd5931d9a37894faa6ed302d06b26f4cb97a986dc21111335bae909f8b399a874774ea24b66fba5d7a3d3d09369c26a026b279c62a9c6fa85f5ddca523f966e22cdaf18663a0c02f9cfa94b2474672de8e7f85b09130a8c37a47d02e4a180d73f635c5a180952db2362acb6665bee7cb74988c54daf3d58fed39371f50abc89cf1e564efae0370be817bd027a2fdd62839c6a7d9678a3087ae16fa48d1517a01d90ed743e5412615c5229b776169b8b9f956ace67a58ec419f91d1b8e3224c4f8836379aa947785a21bd20ab82677817f3ea2ea2caf193b1bf63fbc2eb574010abb261867121e1313b5d2a1e2c48c2202a3c072e8f3ee545cfc8c994ec9a44bcab7180ba95755e67c1906a5db72abc46d57ee053c6c8659878a25c4c8855cbd8836ccb6d8f6f12d434810555f9295880ca3d42164d1c864982756d001cdffcc3594362fddb3da0118d4b532aa9141ac6051b3f3e5b4c0b503045fb3166297c90ecb5ded55f6db34d89bd5d4518daa68ddb68c02ff1b80f9cb66a6a23db3b765608c4d672766273c17715e788c200f71c0e402fb513b6a8ffde67c40122d86347be658c4d0b91f4ea29fd5a4c017c288c41b40ca04e17bd3945d0e80fb7798706aa2e870fae9b91f1f7891fe4f1da063124e8c567198f670dbb75e82aca4fc0c8211899317920c058e1c371705d4dcf3c00cb4d2c136a4d828d3efeebdbdbcc7bf7df157bb0e743980f14844a7b466d12337a4815ed84117f56d719ab50a6c28ef55da35c8cce6eba0e8d2bafd9f812b4d5f265c0b442a075ef168500174ab27c876dc2d6094ce534920bc639f02c993dd8b07524e8118e8793fdc1b080e1e0181f36f4e2b7f047b23e607301e3d675360a8423a1e670a00ffb1a5ce87fb262ed01c58d779fab1589d9f374a0c001dc9c09828b000fe50ad21e53ba0a8129e223f7ffc79355d4e544fa731a0b4795b7f1c644161d7db3546f32f92ca5650eef1fc206568d367bcaf46411374dce9e44fb9e36836203842a7f2a2ea96f90ba76f81688d7746b8a4de9888b9d8a27a177f98ec9f100bcaaa76e6edc0c42c2d84fa84ad70e326e397f13a428b660559495c6d2a4c68fd49c29e229e0cd676cc895f6496a15f15c65de333d77839b13c9beb57823006d4d1f7f2d1e095016061a08be673779d7e29574dcd21934b248da6adcb98e9c5114ef92b4fd5b9fb3d334e945af586b0b9a47785017fe5a78da3d28b6960089bbab1c89bf549badfb57afaff8a3d6f1b310f945d590016f5612d7332c2a43dcda9326f498fe47f4907fbdc436df6c7f663daff7971d717e641f9cefe83f373e23e06125168af6a58134c425a3a7a519758a3100de2c8f3e447f0b9bcb87833647454518805ecf34128944f44cc075a9f9c47645a29412b66c7087d78539463deb2a138a2c504d8dbf638be8355e1a17fc92b094d16bc9280dbfea65905d56785d4a2b73c5e38c386dd9dd9a40f559b3742b658d216b49c5bf4173fab9de0ed22f81c3739aa925a14dead392e0ce12557a8e0d7861f1907aad63d6560889b4638c422f17021ad105108e155562bbce0a4c395787a1c881a61bf941461dc0f76d5890acc7cf2730a9ab1e9ccb1d133a5c158a19d7974d7f4a86f46a6485eb0896a6f6b06e35eb160187a0c453ba99ed1ae627785a87a3c581e4bd19fb9de755916877cc378b94df22fe4600b40f1e341af51427136377fdf88958aafb3028ca4600e62b40fcf88878bef7e1f89d9114fad5f25bcef274d370f51466e1fecf4b75b8dfcf4863f64f1d389553abce8500da93bf1058849f6b58d5541a7daf7a753895b0e71fc7ca986e8d1cae092897b3e3aed9141fd8d61bda060b1dd8397678bbb7f855e4b84f15b95579b86c1142b5823db9ceacfb2646b0c8ef61cc21a9bf121124367ce73dfdd23d85b37fa0e098e7d1c6c242bc2ad0315ba423db2806825ddee8623ab18196e913e48f379088d6e9cabe6fe00446aaccbc74dd52444114a7a9350946f6a19d9651a1fc29cbbd64e0783b6b8d414e20c84a610aa00d49363e2fd5b92c57e343785518a65faaf652612baff01c4e89ef57fc3b6eb64b0fa8efc5119de768ff25f9503807a29e06197d56f92b01d0fd68de8a952a0e23e16def8efbe7f3cc396963efb2d99cc16b4eb2b368d76666d574b33cd5843bea05c323baf4e427e27a45ec8d9a7abe245493eac3c6b1c54b5609ddee99b77991abcefb29f3f1957ea70a2e634b006a99ae1f72802d3df879ca068129dd503ea55780a1ad5043fbfd48b3061353d7972b3cc1bca5c1b907e8b0660a9128ea44dcf758f531fd3a872649633e0a383f63d082baf688447684a5fa46552b86de49159e5a056b8d3109892ae7f8b69006bd2056978e35b7ad6b38861c4af927f705b38020f123a8536da7125431565fb76d5cdb548277875c5bf5d9895f71965fc31fa264abf2d876bf447f339a7699068cca856bbe79dee93434e749abedba9c8d8ea79dc073076860ece6ffef7f4ee9e5a810fb541706566e9691bb4d2109ad768417fcb72a7f9f62fb45f772f93d8994591e1fb837e208489ee073ce443795aae6ee9b94d1ef06adbdd4cec7d4d091550aa5a6a3ee84c1e3095118ff42c92dff39e524d8524f75a1eec8e73f167c881fc3a6311360bea9c89b68a1895b2ed18711a074566c8ce180d1801ff327403212db90db06ce461d135d42236a49281179da493d71efde292ed3bbb39ccee3f3ef8bcb2197bf3a392d2fd0dbafe8185d2866e068a8b26b3495a8355959d0ada698e54c67f2b8e5ea10987844afd67a3bdf73de39326adac10edc8bc29c4300ceef4cf58c2e6961b87b05ef4bf00e53ec4acede2d15f38325dfd6d17d9a4deae4684af38816fbde94a9af0daf4a508aeef62fde4f2b29d033ad51da091066c768586cd77928661a9ceeecea9cf4ae67f3d5a3010ee4cad4c97047c3d9c3064cda34b0006cf18dfdf0d7ab25b3585cffdeb5367894349fd5788e1d73b507b21b66ee6a8897d74129b6dc76637b24149bb7722486c9ec0845e68c43e0552f23d5ecf5dca58b381d1d512dd6da5d0d8cdfbac3bea98b04fac0db9bbb687086b54993aa28fabbbe9e2dd7a2f9da3ddd791f2299470c6ccfe802353776e3d7ee03c0af8864289c0d6a6b731c450e40eb81baf1838f3d4199eff36c1159fbb64ee815de0c612ed5c276e05e670823e0ed232149e48ea6fbf8bb9b6a42a5ece8018015110da1656c63cda1ee5d66f21b77c244f097e86be5abbe4f4c3cbc043e05aa08f74bd28360c6b2862c2987db397ba7c68b88fad1826b00ddd9e06d2084138db5f4be5b0fbf88c3b309fd57906fc77ea3da69db4dc0e0f9f65eddbeab1432a746e586c632ccac3bf5440f20d8c1d6115f92ea06663fc157e08cb1216dd674619e301190443e01ce108d846cb6ae9a66b97fd2e477395d2724cb0e01a5a132dd1e34c468644d7989bca3e5edd368b350e248cc8f4dd20d0e14cec66ae019535a013ee53f7920cd8e92cbd0a0176d321dd447c129d97e09994beb449d6502672bb3cdcd136a4410e00d06ca537d650077f98fb8559f9fc5a19f0f3222bcc0afd11611d5b0b03eba32f5c89a12819cd019dd3d77ed0a0d1ecf01369792bf4beb2569dcd5e3505e9e90a95fe4b500b3157fe5e76a290bb5cba1749408b449777d7b75b6d77e87ffecccb859dfd0b81193677a00c29c8825b30be893e0cfd52bbcb2620c255c6364bbbe8e9f0dea6df565bc963c1464155df57d6ea396e92ae8279e7ab7ffc17f8ea6dcf4cf799bbe6284dc5573d4139e2908d69880d4484679b5e641ee30d25069c75a18fb7734b5fefe31bcd46a3dfd99ed4f024bc158a2db1acfb6d1b35527241336c4f04529e5052def1173636b09652812741e0eb1f547900809ca2366b5119c26eb79c21ffa728f46e5768c779f6f3ed1bba8c232c4041b4a0aa4b7b2105e3ef37842080c5f9a39cff3b058e11c8026bd682d3f7ee96fa090c966a2a08a17788a421e7ca6d3abcda616ec6c1325ea4e91fcbab9e06b4f9c2b5df14998ffce2cac00db9d2c95379b9fc55a447e797fbb8837faffccb8ba91a87887a12808ebf254fa45fad2ea4dee01a2f9f490410e220a0bcb5b1229729f6db3e10f97c5dc107ca9972a7123a68fee2902b2d044ea8f84b6d43c9920d1ef3ad113cee3d326ecbce096d865b80df759c0aac97e923062bdb8f5ba2249e7a54417429a9d09aad4e293116b991978ec7a61a1d71995e97cf4c37512b2ff5a67cb202304a8a90b34399ff98ac45f8fad4a87dbae9aa01239c0f2f97a67c12d50ad7aaadff0c418f9fa75a196959b7854fd92d73404851d6c53c13eace926b3f43b0ed8f0d101ea0eb88839cd57eb1c8c75d88a907b1e93b1c47586bbe1a83bd68074e300d75736ca5b98c70e36456cc696ba1646e938c46fccbb32fe5aed4509b2b09a0af5bc34b2b050d20d806988d46fe6f075ab3627bbf48b92d8b91ed67257de78dd44efe09fcb6aef805cc53ef285551e0b1a4d917d8411b24c74e9a02205a4018039cf31b647dd95a5f5aab3396a3a93b057088632d450c065ae9175c05a65e5062de24eeff15cc6e02718aea43b812ba7b0fbff2743862afa968241166631606256a83bc570c43c11d0148436bd3ff436a2d1b2e1ccba7441d03e1576ef38b7adfe04676d52bc692d2f66bf5f0c82e5e7dd89b268fb4536fa3870b5470acf462d5b2999543044066892ef54a306ae7244f9372afc83d696eac29e7c24963ffbf1468dbbba9d3d37a6b6543781bcf7005a9f46960786045afad33a61b6d13a72c8574777b7e80ec43f5df42614fc62097c2775e3f11add8f50f6ef09199dd68990ffc3aeb1fd120738ac65ec7d88444a8b022f3d719c8623cfecab626950779fb70ae87a3d7d5faedfe2ab843fe75fe980f9b98ab9ee42dc625db03c5cb1f1dbbbb943fbdb2d1a4a9350fb7f7662545a76483c0459fabcb8d8099ab81c581d90c36c8c0b7bd0dab09c1e3c12304069e431a74037bf7c4501d632a204be07d10ed809c9be6fc16293d9f9de366e36990236402f67242647768c77170c04764e1d82f0875d94fc0cb1d013b15d2fa9aba65fc245a68e17a656b968ec5620c429b31aee046b639b7c615b49524cc7ab71ee969158c67bad96b89f67e3a4e5fc67d6f11fb840907d279af0954b8f5e49a96e774d74b4ca7926bbad6511e96123d552db7d11839c7a53abe73c137c7ff1286704af9375722784cee8e0e73b6cf26c4521e339f9980a63955a155872f82466bd89efcf5846f9b05e09cc27b436ef8269df3c2d6b3b0ac04f5ccbe684ac43a26687f1e0fef066bff304b2266ed754da319e6528dbd0c3ea3d159e488d3d727628ab10fd0a908c82272485be5e17d442e91e01d8f77f9c12ebf680e5db6ef99b8166e190fc93c082c7416b6e9e90d31ca030188e1e5881ec279da425bb4885a1f6cd7ef0aea01a2607485255c8c4610a0efc08fd0b175254b827ceed23145fb86055eca1e6381e10be319a5ec83b00631fec9af8c5193716c4e8062642b067e24eb47bd1213bd6b321d2614a93992d8fd6caa1e6c9e40e808f4d9cb9b5ef1095194c12a80d0673113d6d85b83712beed19ad916a4e12b05e2a843c1869f864f2c7e56879407f9d645d6895760e4432962f15d066874055bdefbbfef33cb199f9ff90541f1f86199910464cd5002282cc32664aa092fc026ef8a0699ea4f71c9f6634cea39a7857e7b929c000b2ddb4112e32948b3b88f03b610ad00afd4677bec2e3d78c91e6c2787449a6bd418d60d5573aa9dc6b29ae0a15173debe501e42d93e96d1de719153ac531375d4214651664635a896b7e7bcbc225856585092d453bb63d40bd875d532aeac9d3ab2ae56e90691faa10a79ab1eab710d0cdffd5029a601c021deb60ada33bff122bb8ff85653f3bd9661d4888843584bf7a3c45d4ef980f4775e18b653af739f3d97919c3b008507e0ca983d46c87bfd180e384ad83aa0658e5fba968fe9168e1fd665f3be4e79da80abea73754f2b324d557eda10d7d8a84310167106a54cde7545f87ebd47da1d8bb99dac4814d59c854f14aead0e2f9bf13b980d157d887a50a966362c0496dc73ca4dbec42cf8133f9d644729a1e02ecd134384e442d328441edc9e09dff1143c79ba611d4402f2b698530c75c491ba8ccd2e9a10fc73eabc33adc16ccf91249eeaa03524f647ac49ab48a8dc275606419f801a3f048e4e47c5a4b17633c8e35c05a994849abd0a542a5c666d472fa1b3ed02962f35526ae61a11c7533b2ee3b5a9ed8884b4861bb5ab159f552e32fea79814450d0d78b4c83dc4654d1f7961a5ec735438c09e45c07393279199ca937b62ab9410607e6880d8047a49a1ea3cc711d126d5005b8aa916548aeef5fb9bee4e071c90ab63d46be03e6c46bae6453694082f65e070e82d765f5a038e725afdf2eaa1732060591db13df6497624c47d2c318ab5694f1f19e6f892b4728c2ae47d9093955d74690772b6d73876b85892c27f1280a42206e36dae7c871f11e30cae135b7582015304dec51632da7e9ada4cf41e1427965e2a3e0d9424a9a9cacc14592bd7b10652ca24fc6b9c056009ced0a3362adc053e22af3180efa3bc8201b82d20d91f0681133a27a1da17e4e6545ecdb3f7a31400cb046cfaf5fa0d0d55470d99eb983a5a4cfc0c7be58ac6d9b69f54d0776553c1055b122820a0f3854a2bc1a5f2e55dc9087eda7c3e33947b9df51dca3f916d7b387e283e104b620c1b8d2cbb5a95017e46391eaaeee2b3820dc2d69f6fe8e75b88304d7d55d7bf6d934f4a5bcee97fae8fcf029a5a8886531586203179ff2d7867460c0620f9dba32437b2c173cbe75ee57fdaa6d13e5d1cc6cee105e2b09fc1be865cd7bf112f0b68a93385c7dd72a75cebdc6bb4512cadacaa4a6b604b1e96a2298d622452766fd6725a198bac91e70790742998bb862d8519d32d48cfd435e03e7c261d7c242d2d026587890df4594cff4d4b60d0b7f90bcc293a74dc11bd2976369d667bc261b382e8eeb06b8dc04468c5c9ca971e9be8057c22902334740585a4d8933b91187936a993d505b39b96aa1c885be9944f8ae3b04640afefb1e354e537c35dd54868a09b3cff920c53855a358b693f2f17b60905a16fd0b0b7295bd873c921d15b2a1207e39cd89dbf895c958a8cdf49655a06a3831c6d2f402222e6a424252c01b5b12a3091e857ae506bb045a81b2692c5055e87c1cf5680754a0ac99cccca3b6addeb71b14694fba1fcf29382a556559f60c8a96638b5a01dbc35dfea26ac2a90975bbd8bd0a42c57e01fc6e84926e39c080d0f72dabbabddf023289c24d66a9b25ad687abd38ebb8a715b4acd5c4b6ff9c24e62bbb04e7b6fb6bc45a72c3c4972f279ebc863f169bee8c6977e516acbeb7910d0646c9b80e41fcea737451eab0413143e396760ea8f1f130de03356ff91c7cc46fea33d64ad83b0c2c187ba607a8149955573102ec1b06bf5fa84439a7266482e003a2c757f2453b75764c846eb392f1499a3afdb325d7be0e9ffb97ea7ef28f58f099a31aab74b63b705483811bbc96787a2637cefcaf14d7c890b9f6c37b69c20f63901c7899c0811a27421fe1b0a92cc34d9cc993e4e9ac404ec80e316d4b6a98922d3bef7a586b4202e9a4e9bc9782e5e7456f204690687089b1a0c0d8c5bca9590b7253f640b0c3fc5b1b4ec970db5a29a12ba8970456f941ad398c2b80290a7ef762057ec4c5cbd13d603321ecb3ae6261d3836720258720706ed18a87e9db2cd1301950a0bbee54ed2f08c12ca9a83dc158726b95a5f991e704837e7a13c7dc663d15281ead022062625e93f5d2643380c588139bece401876220e2997567045a7912b87d3b2219f7cc800524fe7dd3e7202dbc0fc294122499dae623147e1e3083580e6af9afb864de9412c7850c9c305d3723c0afcfcfef6741520d46582c199ca4346262ad10f96a82007afbce52f8fa4204030fb031ed4b25831089dd8a66e89207be1b8dab68ea0624fa2408582b79c17a0727a4a75cf0487cd904b236096845c47ab584724f72cb016abe1457a9672299ae6be756b15079d69b4021eaaeeb267233c12134ac7b14fddcd6ce0620e45499016a1c21709e38dc9825794e701e19635156d1a1b107ba9f16688e0774c15fd048e9e2d1e0f52c0833f765440bc18b9b07ca8c543d1cb1fbe9375ca3850d42d9d4e471b9100e8744cfb0d74bea8c315c7e1ea0a898a689bfaf2fa48d9049058c205241cec8bf5d9d1b7bb825d2292d182f74248ec275cb2ed9c99a8cc7228498ec6e3f0fa1814b6882a1b8d2d70898335fe92b75c7978beab754775b0834a363940aa6e6b82fdf04e07e9e95baeb3f8d89794c449090de16ccbab4db3d9cb040065e071595e7dc957dfacdbb62c6ee87a5878c283878aceee5432af9f506075a9c33564e6912fe34c37a11b4641200e32ab8832976930112f36e8dcea432c0101e841fe932edd860687568eb32105ead04437d05c65a5ac06f7e0cbeada054a9dbd1d0835281d0804bcfb19979d8b790810cd63ded2fceacd38e21067fb4688ff1f10c298db9484214f3b644159a8c179f90b5af19432074086e13492f7de36172053f11176a3111998a4c85cdb999a6481ea73efdc1708a36b3b9898e4484c2be19160b8355e435429195f0c9ec5a9335ee9e9161f025413ae6e549a86f2c241033eab2d7f88a15501e68c1d42aed109eb614aea34834f3f35e5275c5e8a73f401d8b70de6b87013b4ad8e55e959b2b49a6067be42a0aa41a7a86fe0899eabf3775477b9f79caaa253d6f4486994a69cd49445fb8fb13692091dd0aaeb62603f2eaea6064ac2621acd0e8e4b7363a7e2b9c2f88d34902d28460cd8455038a65d4b8fad9f61ed723c521b41626f364cf6f604420062d834b3e50175af09c7255fc7863978e56f659ed0578cfe196369c511325b8a4a2a72518d309d7386a339d71bbc2264d422fb89971ac935738e144b843a6f028d1f9477a2781c1471d89d2902ae0882419d9b4719c07c55b09ef9c9d3a7d43283541dd7c9f452b0e1cb62f77b797be9ff934e5021232dfc5e9cb9a42c0ec736961a8293504ac091ad9a71d72e084ed5e00d5406fbb84249ef2f0c6b364ac5de6999a50cad5d79017d32e879978a5a7fd3f828d45d34d6df690dd3a9862eb1f031b64720eac98777939fcde74643ffc7f87f003e7cf3797f5de33af8d3f2f7b0142c2f2ec61bc2681778640cc32a1c570bfde70dd421c305b439b3fed60e13342a30dbc76f01ba92c2e5e0102b5bebd33045256b550148b7d018f9d0e8f91da3a9f79f9c86ad41cf2b1b64520710c68967d030f9a71be3bf7871737e0eeb1988098128f3696305a33bbd2bd1698d6f982095235173bb10b99febe1aef7658ddb7e2c6bd4292a27779b399d19d9963fafc607756c122d35ab59a2445c03d56b101c06d3d43155b524db94b4d9f81d203ddaa8341b3818a69b2a47fef2c1a1f72bede8b0bf41935127923b5beefc9703fa3cacedce260d6917c72765466380a17a81270bd643b1cf5dd22c4ed7e7325c3078d30b490677e6c92664a8b849902d334b47bf3623a34fd709d1d83cd18affde688440e4db5570abc1ca2cff6d2be95ef7b53e8fb543024da35f2d2a524dc80bd1d5d22f9e644a23266981b5a470567a8566d82f8925ab34193057287f8fff68650b126dab15f9b533d2fe1e15ff9efa1a95f87706806134f71fcfbf0dbb8b7a767cbe7a0eabc575da88b321d6ab8ed27054490952e86b1a80c44ba83430de734be4ca3c2bb62841db05feaf4b352089da3859039cb0a0bc4e927a6019263a4032178f6beffa8b28b2efdf39146820ad5d6e20d694542d1873c87101a0ca2339c88830ca80bde901c58c042f95d0c9874f5984b7c278bd4ae2291ee1c0de6aa10ed0772df970ad2df98bd17be6af68f24bfb665b94c7089464983bd6c097650e409f4ebaee66ed3e07153d0e86966868770d90ed415456eeddaa44c38ac7aabc571f8a9bc38c236c5a7709b459043ef9c119f5bdf925dbddc2f351c7f8a4384efa86a5542202a5081854292b1b763f1495953ad8886d7d102d98dfc1483156a9f701a2cd98ca86156eaa1da5cd20f0b5ab52442e7cc83d885abb98df7cc27fbe1795c09e0a9ba03b327a9533a152d3876aea8051e96d86535c3f5705bf11be885a0b31011f806f192ec210894c32ae43c15b0bf9cef59ec6e6dec149c78400404381c09392a40ecd03547668672ea5a165345c5af4a735843b63a5dec5d5808f8fc5c696e5f82416ed278621b72bee86a7e2a4a982af9588c1ae65ca9806ed429b80169f743a6233dc628afd78b8c352f7f15f904e408e807a620439a58a91a51565dcb6faab6b1d1643f0a7442c422ce463f6cd4c92e9f598a94ff1e6b535b6cdcc62fc34e0ee02426bac9b5826d88396b9bcc8f872d9aedaf090fab51a55a898d57a152ef9183fdb59974ded32904e5f369058119b1729759bd570f3952bc18a7e81e292c6ec63f2db703c50d33d0425efc449c4b6cfba6c8aa314c2a1ba39937d582b67e222ba265b5d6c055d0cd81e5282388281b56738fd811d45d7ad25c080d61aa5946a794e9a0097f4555670948c8b127cfdbe8e924ffdab9845a1f085307088101de9108a3a13f013e65f5ac7e8c8634785b472a967889f47f16c219e374d94a40dd74778a0e77932b9b34ab1bb57aaf3a253d6fc4d642bc89bf28bdb27bcdf4e3742540c7f919a0a6e11e1fe9a1d9f2fb8f54e473424b086afcd50fc5c90ef3efac0e3816a2435a04ea880b23428f7c33c74529a7e426d33be341923e574ab2fe5b0e0c317fe17911e83ccb628c3bb6984e8f5e91f1d221597eee76de9d154e4340772a17e502e74318fecda7f3b7a076ea4af5743a369e18922378aca43e64b69bfe80e95b5be8b02b54fcfcd56e098e4f34f52061da69e5c0703dac0201b030897231255a34e3e358c587704ae52e3e21cc534e6797d5974146d05552b95ae1c39f10927829efd6ccc0bdb068259f597714650e240d202d26eba65f9e9e8e4b69fe335b9f0d4d1f6352d7da9311c8a42d3bd2639eaaefe33f9f6cb714ee94e026f572b73b5cb596d3d58bf3782b18784bc7db7b15d57708afea1a6c530029753cfe376cd56dbdc74357532a105129ed3828191e734bd3c8d914300c8d39d31266f50b5257bba25f6112b0a8375c2ebbd662b42c851a4a123c3993293dfbd66d5a2fe39dac6624e57c4d34b63b71ee7ce2aa01bf16f36e4a9e75cb93d7b6f5af670e61a03defb8fb90cb8f147933b58251899d99e906bd8e0ab4d2549e284d9b124cea9ea530ad82eaa66396b1831b61a310cbfe7c696e46af616d6f8e74019cf460ea0a423c9509678395cca9ef04b7ed6a57cac3c4540b7a560893331e93c175198a1ae4f45300eab8c0de8326b69991ed8e0b6d736ab7e1cf5ae53c4d6b0f5bc225726d0de0354a38d835684cae60d9002a6281e4e10fa5ec2882fc093cf709546b7caa2713dcfe5c5896f2877884cc6784afe6d9ecd4896d3ad7f36aa20761bfb2278616776efd742fe5773c73f85fc6b9d195043551781ec53c762c4fa2d1172aad4625b13b304c2334f320f765c24ea335e8a4c111ca8c12fdb53f518a7b2ac0a402610858c2a9990e1343faccf490b645d7011b9c4d2309e65f2c2210905dcb1d8b621895cad6176e8054c09c2a70eeec70d69a2c71617500bc0fd65bd8dd38b0f163ac77356d1961173eeafbd7e9d52440e045272ce0303a0b1ea5a0a66e53b316ac848f607742ddf13cace2f67a39ebe54eda13812854d2d03357300bd302e8305166b37d693fa5ca6a7b9cdbaf008d1a32a5218c1a9e3afec32e720ff9a2a29c71bbadd0639c90b89b52a40b7e528f79da543ac8a4abf73570c2e272ffb323bd23e950276137dde9cc0edf43441340c275f9a6fe6a3b44d41c2c9afdc28df53e4aab1926f4124d578ea48b6aac924082cd2e61154ab876451ca62453f9ab88a3967c14791da6335eef2c99b2843943ffe629d16d02a62637f66651c1ffe30e0179608cbf0ddb31428de80873548a4027c57444cf5e0f556a66c21abc0e0e8b42a5bc0669a617b072aa8cc905da8c4fb46fae4afcf100e1281cee420a399a1313f9dbe5f2bbf4b97dc0a0f72a43f83cc9c43a8f4442dbe1064ed7bf2fe108ef2c82d1b4b9e4cf1665eba50a50d7d18f41ae980624ead8ce19dbf77ffdc5b952c9bf3c1cb511e7482a038b0bec67b46666f08d35f3d906dfaf4c6cc7bd85893773dceb4ee399733f1dfc1a64d0010b209717dbdb1f8246742b54db5a9168c6705eb2bb33efd6afa381828cf5ab28351fda1f5a51055f871e469475bddfd6294c67a6aa2cbd6de1ab0dcd91728be8a98252807af581b3e5a99df0f68e4974bbcf5a674527559ce82d52abfeb6288bd1881246dae8ab743a516d8220b92fae01d065d8f0b490f292f27651dc94596f33e72013c776828c93dcffd424f7e3d68e9eb0bcb870e495ff242512d9d2e2b08f61143f9629190c9243d5afd13154e55183aed269f5655bb16c35c6daf2200ecd89b5b6bf43263ee57b164c477dd79988d2e2fe15cd733e4beffd04d7cf69c2f9fa331ee668fcf55be256cfa4317a301acb12fb7fedbd46b6f81c4c3f6341f7717e865de06c67487c4372653c2647d2e94b71fddb59444f3810ee96e1b70991e5d0b2f3d4375e7e019e76b0048cef4dcac18185bd2ac4a1e04fb99938812c3265a326cbe172c15965172bd0b014724f0c66b64be09266c991df65acc039c26cb57e35440e438190e1cc397f46fc88a6711fd2cd5001ecbdb191e0121d9b65c1ee849d943a05ff4968e81f2c86308e04e7e78dac38309438bfe2cc1c6de78c1d1a7e74ea8e25739abc371a8b74abd2c5ce80ea84bc5526f44dd4c1bda85495ef3589491327295364b11bd2f7e197003e9a102f71cd18e93dff681593054d5863e93d32913902ce741f740ceb56d20903d60df41ef4d914e1aec9a2f7c6de85727ce49f4d7ab4209927bd46e40b6f445ae69df15812aa51266ee22f176f8cfe19522aea1a0400342d1d41fcd616df8cb2f4bf8fff00994935c62b91f1cbe0e493b431b20ecbb0f3cb719f9c1660f606a569e970120ac50c34987303463580157d6fa38e92270014ad4dbd244107519298ed0420f087ee2a3134734ec674e214bdb64b2f2d1e556173dc082665cffd618f1e562b37c0e773d0f476a5b09f121937873a67f891c9f479d25dd3b2aab75c37ec64d5ca01e3c26bb81ee309419d27b45de0c7b56d57c96145ab66e276d7f297bf9b5249c7c82bf667277daf8c4af64425ca33e6f85fa58d1aef3c4a9ae913d6f299e9fb021d98cd983486d6ce39928864fa3d9a380de5a725846984392bc3d6f61bb70942e01fd1f55d8411e63b7e11d4ac54a09b38d936a1852e6695372686ec45290fd7773e800d0a56c4a570a276ad27ce6657fd9ea5281cfb463346210f6ec72d31ec78f7bac38debcb79a2fd8823f037507e621d88780ae83f6c7d530ec8e1a159eb7b4f4cce2c5405f800f388699ff80527d66c3bcfab234343643fdf7f47d0ec57d30741b385a16ee6fc2fd72245120caa8240d8f8104755d50151259e4d76589af883864947faa3ec7d1411b621b8d41d9374a427f19e29f5ca4398c420ae27b74a058b0325cd748ddca9d11c5d3f9c5fc70184de8653f3d01a4fde2ba3667c278c88557fd6fbaa3227063e457774781085a854f4b2cffb82910f61095f7ee9ef6ef2238bf74211d8cf1af9504f3eee229644d0fdc85565b8e66a0832041e21c98466c89ec72823b3edab0fb42ed65202a5eb5df409f5bda6ae748884a146b34f6cef3d6edb14c224b8b8ade40e04a7f61d021f680a71f72ace0de41625484a0adf988c6aa71257cc6a96b539a2fba55a2f986c9ebaf26ae574c3e837f98f08ae710c226761acff343807e40131469c9d5b9e78e14fac0264fda199b0a2571cd1b6c6e95c0b668ce5fa8ec0c91cdfad58afa5c1336d8901f57f05f115e71240c237c4a91776b8131c1a7809e3f35dcc8d28bde183398b8d61ef6bb8274784f083d3a8060b7436e315f941d71883abf8361bf66aa3538996519e6ee2a31b41865bd2f16063e7cc0198aa555d41c114ec41a8c047cee2e9b8e9cb56ca94b28906b64e9cbbf86b77d1b0bf2a8fc265eb06716f1181a7db11b31cc7b49d99ae19e86fab6383928ae0b3f73936e972b23b8ec1251404c1c85f4dfde89fbec9ab07578815ef077cfc2c6822a8efd2807ac5d382e4064a01890da79ef2e182fa52a2d31c98bf9566f58fa7eb87fb610ff66fe7063d16344f62b7d035653776ab3e63331585066206dd1b25b56275c589f802d57eff3f4ee4344ac30a38f947b26a76cb18a7fc63fd87738102e8f76f911dec4a172e7394544aca0b774be9f741b4dfa5af846a71773498727991b69e0d39542f72d4bc901642da1bf4771ee0149eec36f0c9924fa2adf7660365a015145bff5f19c07729520211c1cbec43298dffe8dc365733d37d8c67679593ac7327c45ee8ddc7d36b324c6f47fbf08d563328e21282f9c48158a37543ea13060a151e163a7e1800684652866344f69a3048f1ac1aedc348900c03ea380d08d1effe089939eddce6eccfc251d54e9ca111d69e9c9f67f9bca50129bcb19539f2a5a1d0a4b58907e6b3af5ca326465000701246b9af43e57a750f5424dc98fe032b84bfd6695017a47e6c88c445f3b3469beac2420da5177ba9e5f69c073d90fe22fabe1fd0eaa1049b2eefe258f5d6c13f6920268abb2350db060139fe338f2ffb2898517d014e0d5bc123370d602b3b7730544635e649be08ab7cdfb0067337e80ce43c34e6a68ad5bd3baffce51966c5fc369cb196ee799e901a153ddc43e6271cebbc75f4e438c70cf919d957015bc3caacc4d2bc75cdeeef793f75314dc7a5e9ef21182e895467e4d249c6e24905a9255694721d6f78745002642f1daa53ec015dededc3be0b1782e5ccd3f363d376a2870f4f888a88ef4837a41284792c6387c1a51e0e797b648012ecc98959c79c43cbb91460ec9b793e90009a6f7d4983324dd58ad457ea3c4d6e9212b528acdcc68c076e8f4f2f116a88e0f6eee395c716b0a5c4e1bb518d32e3ae2b0a1f13f875ad912c79aa467b80ae87cdd0e147d135c9072cc7d157903dbde16f536af5db399bdb670207a00428dc58fc6fd5e0b56f4339c5352588924ce64fd9f8ffcafa4273af44dce30a785d20bcb2d5ec8907e3e870b3e00a82ddd95a159c79c63b37ebfc916bfa6f65bffb956b936b0daf590d1edc47b76915e431b98523ec402ddc34c61621d1c0c90715dc385d3c926e1a0514b5be429488da7661c4200b50c3e1dbfa2a1445078188a3ea4d62679fd6fb3af16fed076be5bb3bb78f900311cf5f9c69d42817c30ac407f566c6ec8f53ecba6a06272c6154d1dbc5035590f9bd9284ee68b34e2cf7f6303796af1b9718aad56fc5f53b662beee3cc6e3f839ff57c65a3501dbe9e6052a6efa54354fcb4c5c92a631a34505de5d833c4de2de1615a27ef785b02325666e4529a7a6d66867a8b10052b8ea6760c8cfd224cbfa671cb87a140deecb0cf6e98d8fd7d7ae722c5b8625499f5e17e39684f79b289a71be2380a733bd730e588df0358491ba9c163d03d6992a9f7bb26d332a2dbbe9684efbd5354b2816571b16101798ba724282ac070fb0cc86c967632b5c91d66a3586a5091c64c9cbc2328e48b9f9073f187d0cd98601f087dce8e71bdb39463b36391980fd41c52c54ad5246b2cb0dddab7a94ecd8202b17c3aef9641cc491fe23879334edc139694d5a4d43fe4210fe4d5cee062dc3c7159447adc0d0b9a02ef1dbb31e4bf5e7fb445742687def2b8a0038d4e0ac15e9729f2e07593b92e9d2c98f891723ec406cfd99c85e8de345b776493a7fd6a5cb2fc6ea3c586755f931a335d06927e847aadc7d0957de40120557d887c3d76329a3e3df2424703f79c9edf9873598ece443c5d0ed7f01d5aa3c18841bb3f273b1d3ed11346b072bbb41184faffbb946b9a49fbe3f32c3f02a1af5bf422e71899d80a07cea7a0eb628b722e7aae7fc5d7efd2e4e3a6ff78af09efbb4c52d155b6572f89fc82fa281956af3963cd5ef45a7e6e2dca23ed512ea2031c60b074479b8578b97c9eb99f19010ba6fc7f54ef63d37a7340cbde9f08db8e0c3d9de8fd1ea82f6f4c06986fff71c3d6b1c91a771143f2d1e865296f6339e9da58bc91c1b6ba657f812bb627d214880f9ff72232d92191ee0ae5dc6a95bdf109436297a95b355b91b551993e6f2e1909e97210b0b879aae2aedb6c3580e6bbb518ccdc87a9ea969cabad03bd779125c1d33bdc4b24c0fa90d4e1f78a58f44154a8c2d673c32e92222532acde4b3c052bb031238a397d6395c575d13ad0124a9c000af4e71312105688e12568feb9236ae3a563c6054aa768a097952e5659ae37d6dd0319bbb96e0c5d3310a1f25615c1e356c61d2ce73ca8690fdb4333c32803099136f1ae523984f10cc6b91fc536f2c9c41526c900f73a1a8e0835363d3936776d6a61b7c069f0b60684fc05bc33e85cdf643599dacb4843d7a638d3e109a4a44a39297f8f128153a628cdd3269d8b725890be248c053a93ec586705acdc314e6d8924e4455c81845ca2257a87e67a3c923eab3fe00b0075e545ba4e5403d7fa5c5e4d2201be25ceabd6f648700466f6fd7c2b076e300ac3337bf66617a4b30fedfd2ad24ec3db0678ab1627758d49f61af1aa7a83083ea80e00d139c2a0a8c3bd9b804d25dc176b5beb20ddea55a79292797951c0e9f0fc06d526994426abe7111b96503378a9baf79b8cbae53946bb206bd15de8066cd44d406b45c3de677d228e012a6bc85fff297286f745481302b525928be85e2d882d3bd96abf112b15b0dcaf0ec308b5d1bb697ac0b85bb3e4e72342518aa55d97b57f23f5e567803b3e251a9cb964c7cb4dffcf9f831a6d61f34e93a7edbcdcb540f7476fe6330e4be6902c339d3571d94d8b61780153c8a0a34cecf86ec8ad4d52fbbb00f8841408259f5d435f5f57171e55353c022ac5a104d36f8114e3a68ae81b4a20225a5d2388cf32e56cddb136795b5e0aee2734ba2220c64c743cdeb0e2d330d4187ed0ac8db44cdfd624bd90314c600f42cc9a2ad46e53f9e8188ae2c7817c1789af6e647f2a2363e85d959dffb44cc7cf0609d7b36c30674ad45d8ba281f4710c49d20991943f0ff00a3b9f812b8ba75aef8e98a0bcb77e9e018dc5c05452a931e1482df7ac48b4ac4ed70ead862a828e19f4c07976e1e9a63bb95d66e9cfd47ee03290e7f0eefbbf870280b857718a1bb75ad7014b4201c961cdc7a6813382b786240ea8f4ece5e162bdd97bfa170ca6d90cc2511d592d3ac7400fd182b1aeb137db361b14f4ad626f7ea3d25ef16744e0e0e36c5b29381ea7933ecd47292635a6cf1fda3e52ee93a6375ca3a5ee60cdadcca5b446e3beeaa761ad8ed0510ad72f75a23357150ba8f5c12b63084dc8ca82bb62eb38f43ceae6aaa2d5fb8ac4132ac6e679118055b81dd736c9cdc9fc1bf0966bd09a218193f310c909e61a647c8215f7c4ee3e8f3b25eac636c8a96a0e464ffd0b4c1ec2082eb2399052554e47f3a34c3420f9ed5aa56cd9b0f1224cfed973eaa770fe099e9d3aedd3d42f6eb93a0115dc1fc715624ff6b0f8f3a4b51db5ab630cc95ec7021c6b4fd123ad355873247d550265bdca2960e74a3d8888cada88e9343b70d5340eeadb155564c62dc1eebdaf002c2c35e0990b695c536a0a752cc2695d668f52b00724230654d6dec51c1f0876e7e29cd662e12e8ce6bc40a318c25e6de630ab705b7843fb15c4a3dbf9a335d07a70f46c70bf28f058625eafc018ef105f83c4564324171e19464cde9ae0f2388c438c41fdb8f81b278cfed8cbcbb9d8a2a5496ea8cf4203edec4669142f2b037f9e5f55298a2467f1088ba13c48188b3ab2cc09d6cd9967acc1e8def2cdb1482bf4e6c5bef3760061a81ad22e77aa882ad1f5d598345b3d18bbec6d4df314cad4e667242b2a9210abfe74b301c4721c8711f9cfdba932ed74a10effcf3cf73bc94ed13dabec7b6ccb0814e71bd52a1c7103bf47ef214b9cd6ca6a12f880857cf01d141b1d88513fe7f2e02282582480f9c257ef4e0ff52920c25a3d0604b3485916065540bf8b9480608e29ac2d5a5a78b1546aae0972620f9e3264a1b1b73b43c7935959d7726b07bc9da0ae4ac08f0db548446c5241ea9f19aa29d5db2de3cdb1e3430a157308855e273dc1f74c1b609aeb2f70bb0021315d33bde8a60a1cc7465b70bb5c652074bb9a030ed8761ec25a35c102b86a8562c827f1536faf2d96e3a88d3549d5e7306754a431de06a58506db917894eef0d484c2e1c897993aede2ffcd0c51f2252924ac82d91e8d364c78d987fd3510bc7518709aaad6a2b0abb237d4860271ec5772f74eecca7915fdd16d93674c4ec0bb130bc8235ff613f9dba91c21a0227dd9d5a3ee0d9ff183868eba5ef8e16c80ae913ce1386e77fba65c125ea036f399de4e88059012de120f5b2271a511d338c9d8e3b297012fc00842dab541e846faeada68cb5dd5fd380087c68e246f2ce721258e7c5e5d4aecab33a5d15fd5be9554998ec6ec4f3884632071ea772d1bc7ef5423435cda7e240e0d715e00af37e6dd81f04c804703e04d62c6a6f90f478ae5189783b634b8f08fb6c6b6703ba8c2f7b167f81a328ffea16b39fba14c67ef2d7d45ef85240682f90148c94a60b0168dc35d9ebd82704be02741988c4e65e0016f9dc0b204220cc49bde0302219d01c500c9acd2c351dd6367cc1e922f7a1ebe4051ea1cae12950ae4a72c86ed5cb078d5f52a4fddd820f5efa141508cdd3b29c642e1d1126ad669fdb2e5899b02087f23443ea5ba8aff0d901bfdf7e314684add3e4732974ea750e098ce5e207eae30eecfff87c11da0c3b79ac9e69d751dc544fd615bd352ed552492e406859f04ea015800d472ee34bf0322e3e144feef67bed694dbaf8781aa7985b2a9f2c19c386d7dcf60b734f6e562682f67730147751fe6a1fe477257a7e0bc107e6b6a4f4782c935de86c3b6a5d80b2318c21637dc91eb4dd348265db094ae44012454ed4d54bb17e6c14f772de430c9844a91f163b1814634b79f47923ba80ce4f17eeaabab729ca92812e4670a6cd0bb7ca70fd9fd021d1c81e0f8c11bf501687816aa7602f483b8134397abd6761fc175ee21353bb7bdc1e908c603e5bcbd9352a1f65fd6491c006e58a74f4375b01a9a578710efbdff05586b26b13574a20079cf7beb322c2b01bbad4c78be74001aacf129c13cb6f34f8de5077c7cd3bc6a090b5ef37922fb015d66e97c1f739bd573064d9616e2807f4c6e9490d151c31ad4eedd2defb466a7a9b196eccceb3ac48d2b9b751c2014c080774d49c027ba17ae7dec21edeb4477fb8f82df7e6ee07fab528b74c5ff178329636eea4bb95af8c7676ad15b68d78d0bdc998e228f15712cec3441609807e264f55d74af423168bc216f73640e018d3897ecba58d2910c2c8c6403333f38d15218a2ab2dc0dd0c644faec131e51c5fac7092540b07964dc0674427cbf279b7ce964ca8f4afc080718c6be492da65303224e8ed558e490c0932b365fda70b20226b2d432d5687d1b7ac1c97ea9c90b26735ce9e7d5406d18a887dbc3d1c38c91450a8212feb0aed675d69ffb666f6c127aeeaf72dbe343947443515365af41d6c23c0d73ef4fd26d77b8560ea45983afa4b7c34bccf59a63f4d29ba6c26f6fde6410277759b496b433b6c7a350bb7d5de314b04d49a0e479ccc43211f5f3727dae8e4a7625275661eb03c9cccd6d39a716e12720d2f9aaff7a6cf29a7e03487049d771313d5291832b914a1bf3ff8bf276beacfdccea9b46a03a68f6a160c590f904fcd7669510c767bc3e6cc690dbf9518ce7ab640d9af22ac1c30ac8fb864760a2127024f18caa2bda498e2d3e94b0745b420d9be240b1272f02d65d90f1ccf89c7248562634a7ae3ee5ee89a50334316c227a00e020488b7761999f7a912a35ff6da837ebc8ee8250e80b0c0d44c1cbbfc8ea73fac70cb988295b76428dfc9edb2c0b3db5186db4da41b6e526b52660373145cef0f977e6e9c751ee95af0a610fcb1a95edfc365bb285bd68738a2ab22c9c0fb75a5e65c6cfc9931285b35bae5adc7d881041742ebbfbc540a50848eb454f42afe27e87c5c56438f5d46200905fee3c3c04a6f8ec4d4aede1e97ee48ab7a340e5e99b643ce2e30d1c400893664a5bae786d658324625846aae9df7d8826fbe2c56d8fc5f01e099e5d3fc371303f30a24014991069d7d7799840cc4311f8853b627b035a6e6ff1530eac65e4064ba53631b16e03c81e6643b776647b4ac341ff7266e8fd6eef7119e116ba25be5b1efe88d0a76442788b7feb647459335b3f1e229cc7ce62c5cca833a8892d25964e13e67b02dfd377d15601c946b04b2db184efce76ac99eb391b269728dcd8356906ad4c0c7439af67701bfabb22664af7a05a0305a5be36765780f505cf35353e9bbf6631d43b66ca2f027e982e495ecdb761cca4b5b87f0e6174817bcb85f9b83e928250f53f1bd30991798306b753abbb32d7689bca88f30d5c51c7e2f5b22ffdf47b9ece1a048633c89a9eeba81697a44e5de6314756734d391c668d0cd39d210a1bcf7ac8b9ebd60b96e6d9535760039beb13147c5b72567de0b1151b822ac28ef3fe2eecb88ae4539a9edca3b2497221ccf70e3d301507a37c075d7f479aa795822e50baac5b38aabc100bb1a606830c22c3d1250682537b71acd4fc46cb640fae47f2a8ac53fae7c758fd8968a3e9f5272d290ed64e2fe7f3963e4cbd7607ab247625ea7fd9c2c02acb5a48fbb069e7cd9498eb9a4806eaac24f122d4f32e8b22f188f5a7418364c4b6d08efe20b2958673ea5c65c14172907b360a76690b6d7939598ff936f4872aa8dc02b63e872f8bfa36de066dc29e4183e515826d41a82e0ec34d50455c80e67b7a0f91c1e65753e0659de39799b97cf64c46849420b490d115ec421bb4f3426452d35b154d0388a2943f2df1e0aa6d96773942949c0742e30061c748543ffbc43cccbfc30fac29573b11cfc6a7245b2e0526fe60c2e086501b719676bff083fa90847b295f1524481e6fc34bb8776d2e404be2494797a5322ca9fd801b9447b5becd81812edf1209b5629aff62a64cac5e492f9ed49a642af548741905a64c6ee1018dbde86e9421e4145b98bbd87b4f8ab567f9383a8e32d710761a336b5f06584c62f215cb53f1544dc250752bedf2db67dd11062e986647622ebcc30bb941c764bbfb58d9e325d344c8155d8bb00680116cbcecd33b0033e6467688bc5963e9300c23c844aed4cdfac4a7c55186b6b1b04d2c804d88271bcb68139a1751aa40aa143bf5ec59468a94fba390366e0de94b8c9aa7cf537ee2b0133683592e744ecae4fec7746fddae8855d5a5a507deb9eefbbcb78a4af7723f97038e42c247d61cbea2af1fc6b79772e4e4b0dc56100763219c347ae49f11d85a99574f5e468298abe5e533abbaaf881c53fdfc465dd041f7440f22de41f66eec7f53fc45284f1192a1c0a1927268255d7cbc82ada9ee289c35536b9ce4db916f934277e9870030bcea055afe6057dd93ca95a51834029e18c601c412469901a1bc373c84eb7c430ac7072e5bc1751db05da3b6a1f78d85dac2a67d4f080f521e8bd687570a4f7cc2d6a4ba68d4ebcd2f4c6135e14b86bd233bafeb3536c9743c470b8a075745afd000c207c07384818da9862a9388b5b6131fa86f26b2d583cbef2bbbde4b10a08a13c933c98a5de81ed6d4c4dd1489d13825a6f682322bfeceb1568c2082ed4bafe2130b6aaf9556d630bc0a380f8e5ab0de573ff1dba4da8e99d7f240a9e462796ea0bc1d79df3ec93b44c5e6d580c42d48ed2717ac1b77d17093f8c182298f0406f1387a1952c53494a3af2b4a4f4e71558146f1ade4ff9b1c6c3f7d3d2d6a52fb4b78b3bb549edc280bb0a62ad2e2790482ab8d2b0a555dae5fdd5ad601842047a513cdc8a83401036284e9e335ace2df626b585009e936b603ef2583f91b43c3313b9e341c6bead96451d6e2c0b675fa1032ec40e562e863b7c13b3998e8af390702dc8a838cc5b172f97de3be22c0d72e5b6d07d5b23d50b43f6b5bec70b26cf98c94f9f69e98287bdbc25f5d7c5c76e70533fd70a35fa7932e28c64496f4006954ca4f2cefa69402dc42d2323b78302f9c32867bfe6971480eb578baa396a6cbb0857b709f7e1fcf46002af470fd213df33aff29f3754d957339349f64c2f4bc5d05c534704c76159ad67a70254cbc913b30ec58eac9c2d666f701660df0207448fe8920c8e34bf8c35084a14f0686762f17c593af38347769f728c27ec85e372d653db326a85baaa53a2b17f9c82f698354c33695b35400a8ad39f4c84ea281f4dec1756666f338b19914ac9551962ece1f79c58bff2d514dd9d6127da07b550f93441e782d7d08d0f53ed7b1aeb1fd1a49768b2548fcedf7e5fa27c8e9c705891ce2248610e1075637f9e0c73359e94994a44b15296eafd3e511db1f53003050d91fcb9fefc1dc7479ae8467d2a4ec9f8b93c36936b11e0a348781033b3b38f00fb60709a8f09bdc966a2fcec23f15f1625bfe3b8fa9daad9110ca7e84c654077e97e848ca49117287c306d88a69ea3e9030c40222a302361dc3c620075fc7fbebc6422f1b86cd0e76865b17ec475f6524a363ae61bb3e396c34e71abda64393a8f7035dea7cf95e3e77edefc6b5864fda81b485973c536b2764bb1c00b968e39da7896a2957032bf2fc87651dd0e973a2c2c01183d233b6efc77efe909c0ee2897318a2b30addf777acb98c812327e33a9d997c278c5b63a6f7c2f7f854c5cbe2f2aa8c29ab81d7db1aa609a84c325ed926cc5b3c14d12cd93014238a6594887db01036ee8dc085b5a5c8511964331d90be82b302a78218ad129634a0d9a7c8290f20881aa9ab9cedf2aa41da6996a6f7e56945595d2f073783dbe23abbcbaaea59f997630a849c0dee8d27f56ccc8804ee3a48ef5d783939cb59fad8f3beb48dbd206b96248045084fff3f5137fcf98267c5aca0649482873029f2beb7f7e5e09543e2cd31013e6461a5e43cfb9a7d93d2eb78aa80ef3392dedbafe383128c150ef201fbadd629e6988907d891f599cff591532dffbefa2d590a77869118e8fcc28ba45d7c96843a9016858507cb26a71d2250d62b73d420392a81ebb9518c20edc442d7d231958ebef08a2761d8198f18875ee02a532e10cfe2f4ac2940101f4f8d324f75c56b4085c666bab933b402423c0f633fdb995cc72269cc6f73c761af37af310b77775685c345e59ef3f03fb434688507a1909614bb9408e0f3b3881c6b792761b36600184a0f3b24055f4f366e230613dd6aaee90ee02826bda6a8cf8e2a09cbd1f2e7bd332b9ec49249485126571db52eb4cd89533a7a89270cb089706d9c3c402bedb6ffec31d4a95a41dfd0d28ba8de934f2ee02aaa900218157c1ab5c2bcf377f698b66519cdc1a2bcd91114a5fee3f4edadb991679f8ce1601125acd9fa0e34818971f7bfe6f73d8b6070ec5f9bb502b921abd42bc89b741dab7b0dcdd089b24b0d29f13772082b0ed5735b7e2a3e59fa49daf044904475c01883b0b5e456462a9735ffc4959ce2d2e0601005832bb433bf845702c89bbd281ae5f019413752461654a48cf352ad64fb2b5e3c8c6e1e6e197dbb9aaa69d5e2ea415d1406df7cab3c1e63e03b3ecdd95578a88ef88d8d97153cd475d0ac82105f6c5cb1c698920f763a28455c434e642a8291d28be47e047ef1d404458dbc5868da4000c8521ba677cb2ea4112f1ff11acfcacacc4478aec9983aa8fc7f93b33b7734dd1045ec82dc56d5967619070750c40a123bf62c4250938f59d7824e5fdd45a8382544ec43ecec0bc963990e4825bec5116e7d9565aa7b30aeb7cbd7d2ce423e1d60d919635e05e7d0c6462e470924268ebd031c9027bd0d744afe1e3a00d76e08555425f28351b281392a146b526cb0b073df83a0350fbb91dd7e99a55d84bd8d9b0766454a440a5eceee43da4b6bbc1b8d16578c70973f5edd80739b283d02316d22fddc5fa4a41d72c4f8ee694822886735ef4c8e31ca8d214c5e1d6788c71d5364ce135d7cf68da884aec54c6ed09c8c60f55a32e00797b823a5fd9cdab39c49033a03c7c4d772f836cc718cd06048a259e830610bd40e98c4b83b5d94f62b7d324590f8d9d45ead5bceca225e7d47bb7af3d590bd7efb531cc1d7967acdd6e32dddea757b3254ec21caa08534625e67d9117697276795f0704a98b9925a0251996b4c6496ac0457120cb7a2a1cde6fcf428484388b078d2de5caa62bee6e28134fab5478dd7db35ecbaf84c157c6dec4941d2ab15b8520e1b8a2690ff45aabfa8600c112ccfa2881a09f9164ae359439ec088f11e70d2f9420cee5658388ca53f6265b561cfb167098e480e84bc2c6fc71c47b650e83561e88511711afd06deae6086818ef5602a031f3e7d788e4a4908978e97b47ebf2965adc9aa3c8811d3dfa60bafd76cfbea6687a028fb16400a68725380835e81dbce18b7b2eae567271e05254ec5ec0f4c659d0eb40522efb90bca5bcccd4ea40b2f6b2e367f1044e04e8a6a0fb802da3fa181ec59274d59ba62315cdc498078e1a879337ac6352bb0837f8842c5cb78c50f626468845c2746c94735e49e3ea984ebc5472ed77edd2be976059e191f2792dae6ac6f6cd021d8ad774a48d7e6ae5d844c983df44ea1b1d98d2ebfb7de1ceb1d64afe45510b328540d0a8841db866d60ecd83b546844335d021f8ed9ee3619288a15127ce7f690c1d08923c2d619af85438f207d8d118094b9a09869d1225f7553d77d22cb70e6624e95963d1fd2dec4a97cc23b052952b04ee1d2a2134cad6c40f834675815282a6b17a3ef354a7b5d01b0de2a2c84620844d1f825a0d146d4bc82ffd4734c9c166a935618530d5bab8205977b237653881e27d7c35af729baf4b89d071b9da5d5a9bc4a174fbbfde49e1ec60dc3965df566f920b3bb79aeae1a0604da0ed78599b3e19416d3633d7d4bbff85fafda5a8b5a400eb8fdeb0552b5e8a6ac1f3a581fbe06c31d14734453b17c273c42b44fb697ecc67a2bd3cf2825d2cc9f53b57bc3502455274cce8c35b61d413f58624d93a172a1354632987a178f79093b65385ba546a83f52c11575d3ecd3f95f682a8b761817fa9d0b066a7d8fa59ceb795bc26765b550bce03de99ce3d7c3cd8a18476f60c265dfa7ece8bdbfc7a69548c8123840ff42750c8fba5a96516df4fd548a90207972a09c530aa610359a569b4b7f4ffb21e05b02b9cbe52e9dfcdb51fbfc9dec214c797e117ae9007d25c66d7eeb16b6dc5582845cd6849ff42519ee7c4ce05893b7123a218584c619dd4eceffcf49e67d7e359747c765ccf1e94135f68abf02a7812520c9db8cffc51b4e69e524e6270d5d5d091a7181ec67b7f10088e28acebec5f85414c6400ba37496fc168113733646f30d7c495b9f9801ca0339fb4b92ea21a011deee9a1ea29e669e2b94c88511dfdeca1e5ec24666f8e7664fae61445fc766e49bfb224259a41b3815a1d5bfeffea8fa905203ba84f33e9d53e8f1261c936da7fda2998039e777f5df2652f7a19dec4d08d9c0f91330ebc8a5ca32c719ee798e3519cf6d13386384be2514b3e34f8b5022979ac68ec2acd730041fe765f303ba780da36351696dc2b44992342a411e5742baf7ac3c824f191dcdcce858efa130f09ccfb8064d3b4119e7638447c8018e97233663f04561b1d643a1410c1e4f7b6c044965a16436de4c611e151bfa8f81cc4ce0237be991a2f1034cbdea685486c30f291ef3825496d5319ed5e60e81f638b3e40619670bf3f27c7a3327f2c0a1bb964f5f7aa6d94f9deddde0a8be85dd8f2aae927d5179c02a86d4d73d0ecae31dd44769f386323f860db52462743aab384d78497f9b586aefad8e9b3a1ad17823b525cf5ad7a9ba60a30d464e6862faddb3bfdbbf9149c4898098f32ce8d085c820683a034e9623234b11da066cb08e040805a36673a08e10353d2bad805b92bb9f263f63793b079a976ad43821d340a414f17a261ef4860923a954990ae90b3fff7abf53d1ca172c560dcc2bcdfc30ea4b332026fa4a90cca908dcf6e86555983e346bfd47e1ac30253ec321672009465133e7617db631dbe94e3f619478a0fcb54c5d484257108e07b928136cecb15c47ae1e440c71d0e2b689328cf848a27cbd7afee367360ac33b63f8b25c89076821634148bcdccfda5cef8461cedf4eb81b2a74aeccbb5ee510ade1349b17e5549ec0ae20e486bb2110dc74ea5ac84f7178581cbe15986feb0220c4e22d274dc27e55bed125dbe2b5ab35f868ee7a41e877d2627a263075585106a9d20ab2eee48b66cf32eab5e5d2858f70a16d504c8a264a5e4782abb630e5f42c2a567bebe4be5aab32a2168ef08bbe8667a5c8d1e23e942a629d14d4ac5b1a4bf28658f1e4fff98ef03e9970e25e1e27bba55b324ab9b946598a7f09b5e05ceb2c823987ec3305c22ea91e11b14f0da3b724229916eab58450cf406b7a6d1e788180ebba5bf36288df975c75de5af01218b59cdd4e2c00b56b7f4e8ab7463ad1fb8e86e0c6b2206b4445180d4e647c701602d7f50cb28705a67e9a2830f8720a7ff04fab9a983ea65e3f6fac6231ce97498921dbf57ebdb431747b5cedc0e6c2826c500102557f7183c9088aec663647b6a2cee3e311ddcf64aa7579cf928cddb6edcb096b970a50b3f3e75afb2d2944b89deed0c22bf45a55652a3cf387aaf1e5dc1888990270c9faa0ec9b63bf812e46fbcf9ea10a8eb482db5c7632fed20cefca9fa684a21954bcac619d54454f4733c20b20114c39fcdd8662bdbbf33824936b33603a4f5c20b9f9198f3ef20c096b8714f5271372693c6ab0b8a91b2345c58b65c6ad0764dba34455498e24c2b7836a8b2bbad5b3b65aaaaf88cbeb271cdf15e68629814c27afb60f1a33bf2231b960e31f1ffa1e1db225f148338c289ed7370b1e473f99e8825caf75127e38d39ef7914c61e7f587e9b550fdb41c5ae104363a7e23a39c02c1a2455d1276f272bbcb0eccbe7d5463d9bad4ccc64f5ee8a440aa37044753268b417a4fd5be17eeac953c8424960cb81c6f51cc6ba90f5edfd083436f83da153edc214b4dd0fc954cae2b8901f11f2edf9210d89d8483635b6e49911df7c85fd95ebe122267f63afb690b881d5704937bec22baef5bee2152e6b1efac781c6ce7926c34424b64da91e4b7be8685aea4a265af4975331f3660e773f9b481bea50b52f8a14467a28beb8d5c48044232c778b71801a5a96fb43edb5b702bb463a3f4f31a91e6e913e2c13b483040e2c8a5b12fbfc5fb8faa4fb3f2e8d05225bc4cc7d137a3974030dfc3f9d02208fcc4eab8c3c82ae230f7b9548ab2ed40c370d51f452a2e58a52e7397a11389aa245808820f2dfca44d48ed0141acd57fdfe898a8f1c7223043bf75ea7c36b7e98c4cf9a52669ab4747c896dffc41d71c633c6af88c1bb4fd394059e700ab78c12c370b8ab9380e0c33937e019daf2edf8063a3f7e81dfc3ed4cb3a062a512da3fac62d0a4ed78da4af45ac27c673762028a7b88662471ee8189fa7bf40b6731aa1d272d211cf60bced3c4ab7a96d51c1f64fa8458f011309f66166322f8515034235418168c92b9f167492558b33e0eb1e97ee73da546d46f4f1a37649fc6dbc65b0402a56b0d5851f0ea74ef59b827f9d03829fcbbffdb7079916d6c7e70fe4c58ef8b6788ae0bebb86f56a28c07e296dd8672e0d0c564fa5e87a23dfb56dc3f37aca7fcecdf51980c10d897d273d0bf74b08be922a60bcc77f014ee561cbcf9efd9abd993afbaf59e197acf69a7ef78374cf56559b7b29801b678d7148a2be12eb251f488ad0d0581b448f227fce1c5e2ff8aecf174b85fea64e4a0f696eac33e43d5dccb4e44c9dbc707bb1615674f621526e849ead4cbc9df142644a970c2ce0c428d82eb2c7f7767f77438325f7f5b6114ef35d1d30b88289f8e3336e42e0242e3b55679f978c5abdd47bc0a20ccca20f9f3f7aec9295506ffc60145138f0b212db959444c8351643892739a8e5d9d198d3978bf320e9faa08b05b321072e42a6e84f143431d73efafd49c09c91a36b9a4baf19ce4861467283c671c5c05c34511e460fb200be5926557f4fe02127976ebe9960b4df2d628348d1ad6820d39dfd387d5725f0671632f437b5b4f08ceac46bf53cd23ce038a5917d18a37bbb6d2d921e7f7eac21396ff1405e88662ee70a6a4976e275fecbb2e6a3ab29f37566b108dbccbb99cdeca790f7e4e94e94cb8c2e25eee5270c12a7ecb2684be2c0f0c779d72fe6f515527dee833b67fb4997d850438d2cec07505e8022bc45522e0140ca86016950c4378326a81113efa6831c165951a57363c761e825a8639dd2f9ad5d77cd1f9bd84278366fd73579dfa8397423b37c5c68dcd6843f9b5349b84ba4a9a3f747e05d33b149f856751857d68735e9621d2b923d7029835ec4dec7e4ed0215dab9e4bdf49bfeb7a75ce4584ba82b73b456a6f161d07051ec0c45d268c1c56f6fe5d4eed4b178e4532c0623563cc8f77b0f2d8a7eecfadc469a7a7f84a13df5d6fb8dc3d6a3ce52fb421153229b3a9e75cf23949c5d4fa7ad217ce0f967d9383f9062370c542f0de1b6213e7e2443333c898218ce3a8cf1c2b4874b2f892669209e3e08a3bf9d86305fce578f461c14535966107ce0ee3725f979e66eb621da145d84084ce080fff1d8a38127af10e2d28768f71282939016be46d3e3e1e9cb3d9e432fd343124a7c1c5abf256732fc241adb39ca84dc8106e3615aa3d011a2d57a74d3e7541908649249ffc9999806c0280062e62c947d6699553d8512dd9c88faaa855012ebea256a9081d6842d7d016d4e342df0fc1208df4c966a263dc0b77c8cbd34ebf8a9fad2e6176a3c5950628fcfcf8e5fb72c055b5a48ca3e8cdd2cace66c847b36bb78d83de519d05156c41e5dd435596a3f17bc9e45a441e24a51758d7dbbf1dc9f87cf49134fb7003aec1fbdc5ba5526dc76018abe3cb6a29a582cf0984ac27142a5b34072109a7e633b5d7e77ae353cb52aab1b3b8421659c93ff7b9f806e204cbf8c2861f1d9ff97bd895c4fba32842c29e54e0933308bdc9d6b54549ea27978796452125f1206d7b064aa55d7bff57b955edc4a869e3f61e2192f2eb6b80717e9022df833f4149fcec282c5316876d64db6c14a409320997011ed38e60dd4a6905540d85a9c6b2f42fb5d72e63938934ec33d892e34fbfa9d9d4590ac645fd34882bff5cfde49f13d14e56993b82a94fd438a31bc13df519843ec0380d8580ea11eb331d0ff28effb573f24dcadff957f569f21d21ce52c0fa8dc51703411129cfb14e9eecfb496a0f866ef4e2b43c8accda1b1d514266f1fc10d927733397a097c25e0fb04ae1daa86b76f85449fb8dc1f33c5134d90545fc920541a7c8738f73bff3dd7bfc0da6bb79417fcd015ce6e3b6c22c8ca113f2820c169a4ea4065e34a23cc2e7763c8652083238e2b943c2c00b0819b857c2775ee6d4e15744626db64b66c91a2b392bb482aac0ea4ef2d1162e89baf54ce29fc52cacfa6b26768aef138e9f95076f221d808ffba799deb65d72824b94367a8cd852b31b5f983b4b0a88263f16030201479d70f1589e566b7a9dc62c6e1811f6cb1e8cdbdadc18f27464253cb541aa07a99a6d32f1555bfa8f75b3843ad9cb0e9a6dc9036c89824ff10d875a6009ae7995edd0a416c471af1e9927e102c906c132db59ada47d43d9b92e50bee2e6589ffef909bf22e5f3fd664c5ef1f87e1daca90f23bebbbff179019054d9565a35573bc9d56ae85bb9ff49681a37fba09114ff9355009d96f9d9db84fbbd9c904fe5ee6e67bbecac7b7666d086083d012bcf456b8cee6006d3af06c72c01c1ae9b884f4661b83522a70d1f6a03a8df63e469237e8ab1b2ef1afb93ac4da75aeec8cb359a285012ade904dfdfa6b19852c135d752ca7a233f11650b7e98837c01b180d77db02f0ab7518138cf3080130c2123944a78dc71da1ce68e4a20f56db8050e1ef77193534840e45e89083e7ebee8bb267d18ce003bce614e8d0b5d5aedcdfac4718c3c96e5ce6e83d9a06a9a1fa3784dfef8a6ea13f8f9cb0de615d591dcd80f996495305dbd18025c3a21fcd80feccebf211734a3c015d899695ee4777dd3209b4cfe9ea507f6d303bd8697b91b3fd500e0d8abf97579b097f6f733350aa0ab6e8837b4ca21b6b3e6924d0003924bf6b785daef844d1348c4e036432eebc42acc53e1285b94a5a2332860dad6f4881a54881970a8a21acd13477fa4ed1aafd274ee57b30fc60eb265c8da486ed14ad74c24670428fc2db71c929e27c4d9234e199bbd3366f1d170038850eb3e891077bc6f17636d1507cc9f884abb5c37e5b64f1b532b74bb331517f526325047da3abbe1dcc9d9d33ff7ed18ad35ddd0f63ba668b057eee21bd3d0c8af93d57a965d778cebd4c220c8e6aa08b66dac10fb05bee04135407f6397813a543df798a7f69c653f714940217c3788ef63a6efa9773bf2127c909e4f9b9c2d9428bf861830f99ea98810f508f45a5e1d803622b12da5a4f79d1da89402d888f9b03a064d7bf51c3ca508a3dad504a57533589381350076b8c0e371a36f97b6e8b460db84c35e7b0f9129c4a635f70c7ebb102e3051ffbf70653a97fb82e74b332045f21a3327757beebcd99183ae13656a9854cfa94ef811137f9f62fe3d14df9f43842e8edaf7fbc41715f8a8ac155a0f76b6c856d964943a0a7a3471d04867beafb56b5430f0ce3246604edf62bf40150b2b8d64631c047ab2eea30fae9ea0f00713b85906209bff7953fd9a7c6434b1455652140da6979326536998173a2bc29edfb5457e9b622b4236fdadc886981c32f5a79f783fc877b23daeaa847607ae4c6206168ffa025e3af1ecdc96f97881e6aa5a99cd26359f467f78d294c4f82d33ae60a0164c9f1b961763a1f8fe6e9b9d1215d6e09a5c8a6210b6271f26925d333562405617bb5c81095a3cc8e69b603233fc10105d09b4a910a7a9f38da427d65ff33132d86b79eaa4589389ee8e782af6ad78bb6f3a4600738d8825fb2368fcd45b773f19e7956092d827ee7367fe7b07beeae2bc104758bcb83bc11ce020f40ed12ceee2e54cec254747c94fed44d94f97e04288b3ce084512b4983d07bef645f2c998da102d76d095cfa23cc675d92a51c1e4c35402f14ac3f122dd5f733a55ce0e73151a04b83e2ff92061e5780a7485f450c1c6e6d6855c15a2eec8f8641d30637144f9924ae2358bc321abd57f42adbc8f4051e14056d5cda5468d4e0c8cf7c216a8faf7b01f5612eb4b32a44e3eb42f906771df8af9aef4dc5d2c56244518a24c101b95da839cfdbffe9a494cdcbcae3278844bfad094e65a6d0f5ae64a64e5bec9d52aa9a2150208011dea5a877da8d63a6579127eb7211c73aec87e7862a284f81432f9db58922d9b3e7c0c8e195bfde7eacb1703f27feec737c8c9ffdb1d65f24d4a1bfef2bf484fd8004f2450c0dc5f581fe4e7b82e830c603346e372cf55be6760a7a9d8c0d80d979003b5ff31c1a9ed9fcce9dec2d471dc1a09f7b92cb9d0876b18f9f370067cdcc62a02bca773175f247eecbff0418820853d75c8c6e51f040d472554bec4e2f3c413e171937f75cfac70fdf1d42a7411b2e9379ba3ed1b3fcb353de14231e9f7d2a45e910578be4c214b29a77d4d171dc174037422baf292c4068897677b74696f5bdbd480d20497ddd3793e1163b79cd6ab42e34ca844c6cf4de7bd3bdfd2fef5f530d4321be4592b9a1284a9c7003e5198bb2793e575460b908610b01f7b1f3bda844f533ce1827653b00267c8cff861b17ece7f73a9447bd46140cb567a276a0cb61feb7a6fa6e66ab3a8e64cec77ae604265939937d932c43d7b320d01749b29e46c3e3e900477e43521febbfb6694746f2d2e5ba94f4e22a511bd464c604721c8e2abd8da27e027d125b49cf69dd0d4fb2f9b9a58644b59c62479302edcf9d4d5560b4f98ed0c5269d9fcfbcca1ea0a06bb1a6d9fa3368d06cd9410e0e9faed3af97077411e3116093f041f815d2238626d142a82b3045f7b12c7ef329f1835f9f7d4f471e97959629e4a46446ccd7c8c3f45d5cba6e2b00904f1331f9d1c29490f628cfa26072613b552726d20fb72ed02fadb06ec193af0356ff509a48c804ceac80b6744d0f53f7afd0d4bd13370f3269b6358775cf9e0adb2666319354e6e1d00e7f7e54f4c6957ab2865d51da471abdeb55f9a50987fc5a0e75ac6c225edeb4bce0eb0ebb18b6e97b5abc9f3138c86f12642c30e434cd75f99ea6773229dbb2b06367466522514f0747e053a46fce6489e261433ef1a806df46506ecf535cc0bfae278492301e4b775a05223ed47a4bbc9b70994b62b2aa1fa836cb59ff9487cc44b2f60205bd9a205ecfaf3e29667b340feac372b19893580ec578724e519d03b79a731e10f6b54501fc7cc8e0eb0ecf3f88f209eae11632d4a0880befe1fbecb957817e0b1ed2f7554c27653b4fcec8dccc56b351755f73c7a3fc55a13f28ba927283732e27d828702cb1880047f95ba9e3b5b599ca6f67166ab2d1f558408900b265ad627f2117a0339c48831aab555bec7332709a5278e175bca4e88a3b7c30e7b24631d199ca115ac5f8d5d71d0b1140a4161c23b7e12c4e7a47762efc3d2b8b916be45b4a02f825c28e1f10d2ec44aa248c7a2e06b7aabd811f066e850b8451c7ef787f0cd5a7c03673f5ac95533c4253c86ae33f1c8fa4b7c084985d34bde2efdc9d819e6ad6127e114cd2794260399421532191fee76341cccc542308d78eed40840ce163c1ebd2c725480a4389fb500f81578ab833d099ca1e41a0075e104d19a78ab0d3fdf2412976a087d4e6ecc052eae45fe106f4fafb15d25642dabfdeb64642b7578999c6837c7381d0e5c2b87a255ba6cb5162b011277d96417940784bdf7d6ed3ade3417a94eab59d446ede653eb293521072f630d87a437bf7bc5ed46ec5c1784af12deb751837eceaf17b624988d1e9645923cac68158d47f5e4ff80eccf38b9e40868a7adfe431c5a15b2f76c081b0338c7aa870ef1f526b989feb21f5e08d14fb98c839c459da04295a4febd38e828213e39451a969753f4bfd6b7e545e9ad92ed5f089f4abc160eec723aa137b3d104d45a7edfe82dda9a79fb772a329d9df3a08b19a30dd066a1accdee98bec27b430bb2523e507b96a0e8e802ecdcfe5be550f6d4469fe3c78f75bb0cb52a9590ac84c41bdfd6ccc86ddefc5108405bdb1b53324619007662d9d318f4eda9ac61d010c14d41976396b58e1c870daa1a7c7cd2b90fd354dd5c96c4a632df6b0437336ee305c90d66ef5c5ece98311a9e89f38d73180a6421f484d70af4acd39881b4647ce2a9dd2ca5f6e64a98922b0411516e12311bfdd02b73514e9c27d330af650117be3ba69e5e32a4fbdaf97d822e4d0d5fdc31b447b3edecb0f85746dc203d1a08152754089c2b7708b20859da0dd480bb96c6fb57ab5e4611a8f36358be854764b1e8631d64df259ac7ef4167463d3dc64b7c0eac787ce3319e5795ad39760590f20203b6257320a445ef56093e8eba3b1d2b93944fcbed6f9646dea5e8976169406a19dbc1f67d4f9326abc806c88da9913373fcd061bfe42e6a282ec21f381ff788599dff51adeb69c2f3e5cb2efc9315cdf5dff35bb686320fa93d478619749d29e3dabe61785f2eddec9ad36b45f64d1e464bd5bb518d6cee2f2afdd9a34ec04d7e91cdf2604b7f10225c322e2c9c342ab6eb88d17e88a0430ed01a4c62709a1a70157433081f4673150e1ed37cba6659958ad54c2908d7043e9e895da00ae7706973c379cb33ad547ecb7b330bc16998a612b7b3d19b914f16e02fa0012d23bc54334d905dc6fe682c2d4cb6fdff12a03b7f777a822cf6c00a44900dd7c4c53d712566027b9550ec6066fcf2f2893d379fa408bb182f617ec78e3a7cb7ff55b3b2e798ff92a544dc307c48d5f679f88b162feaae78b7e0dada8cdcdb12fc7989614e974a5d271e50f7b61272aa41b30568b04fac1f9c7418857f38c6d15ed166498c80ec33c9630efdf522a87cfdbb3d0dab6a241c751449638d47682f51d623eb0eb9b4a7a285bd3a0a36510be957d0b3e16ba11b653928bc842c42ef79eddb8e5d9116edf5864a5d7b5cfd057243eef7dcac48d93aeea1774c417dc6827363c084d7340ab139e1a2b89216d0b8154ba26df8aa74cfe080fcf08fdfaffe6b36c54c199e0e7a3dbc4338418dc24249218c7fb6aedef9fec1a8cb825ddeac2ac94e99b21c666d16745238819d6da3f67985251342c373fc97b8809406fb17a081403bdf7fb3da27bb58c552bb284ec6410b5e45df014b98b834ef01803aa8625ba87b0f00393097323210ba0a915e787825d9cb8a8bfb8ea40e312c18139c43b6cb8e237040657bda21c3fde2f1fe7a650a89586e4bca0041b4e69c8401cd57d508cfa1d763bfabc0017a55c501c0954a20bb607998d61caddc0c296e610371b16ea333098c75283d0e77a328e60537d3ab81a9579d10053f87a4f16671a29c27c9a64e14a80808db4c5aa7877413a0b9bfa63028b1779f691ca0923555a0f593ed606058f5e3d002dd2f2ebc7be41922224e1d8826aecd3c9c6d84a40e5c6cc93700a2bebe156d03dfb7af0f183505b04413d5db154d614512db9631a845246ffd58aeee7660c86b6333c3afc864a046a407ffb10b55194e9b787553e85c0b1a8458fea3a60fb3c4d571a5ff8f5d58addb1ff5812d30009176d22e81cf669bf9ad9bec471fdcd7ef1afb242e9140d3e36ac4494b9fa1e443586c30a5e247a23d5c9388eb13909630cdfdbc830dfa586e04e36e1a9f548a864cee4568b18b49f688b805cd90a7371463ee7ec3b02408da61be4f52a6009dbdac474e7487b76b81602c6ddd10f02ef334aa4d7e543cdfa9d323da5a99cc417c5883c2d6e94a378bc8795ae7db4734d97342f19e1ebd81b97549117bce2f0c9c8709620e2659bfa78fc3550b8dacf92aa7f95a9a16424b54a5d3598bf9acc6d440113575818ba8d6351b47d09c5f2f140da4f266e9cd90c6dde5f313ae56e1b56bf303739e33ab6592bda5fe3b49116c86ed0637a6217d979a3af7dd9d94d15c9057df74abaa1697379d3c6bee43b452da087f9c35c5e0211eb0deafbb1c74907faef22f3641c2241f4a33fd15b76d3d18ab1768f4a898bd8ba2628a36bc48db1fcf8df73b7055f0e903f3a75b2686bca706f8e6c73a037fc0543291b91f5b45558006826003ead468952e9fb811dacf719a2a3073022c761ab89ab9a71131d3e9c13e4f3bbc01e869850b3e1a458c52e6ae48d4977e84584738e2e3cdf7f500d59cb16291906ee06cb852adf0e65c1b142a3258136e2d5b39291ae22b82ec70cfa96fdc3cb27a04fae3f7f1840278033ef7a8a9893245687c7533f9583bc84bc49fda4817ef517e373e4ee9078e59ced48aaf7f57b765cdb3b035ccacf875bdca1b81048402eaa4983cf9a5f30a98a1143f56e7a9b16a5abb0d7851a95f98c73e603a27d15a35dd79cd9f55008377d7c4335eca83e698662c0efb4f523f0608b58e0effb50fc31d068a461899ea711e4cb5cf0d44941e3110de8510e76bc80d8ec588b84d6323a10bac9b526e810e664079bea7d333e75598a1d0be419c55232bb2400c88153f890993a3be5a3d51ffd196544c49841a16cbd79f9a9294cbd9313c170a5fd1651d104cf6839b050c58ff546071969a7ad0aebc0af8ae8ea4085252aeba1f8eef8d87a6f62be24a86112b1d17c4191c5c5d28c54e91bdd57ed096f1de81e3b0be0dd1d76d1f308d053b9ec63df8f59998d6b748aa0d18142ae0d84698c5c9076ee58108bbc37996132da724a5a756df578087e1c8e342b9eee8c249b4e87352879f65f2ee14a0d863966c20c723e5621103b37ce14dbbf238e3dad7b6ed0e2f5c2b13c20d2688639b9ce5bbb5a52132975d580e57e3ad7b4701762c3a6aa75b2b45ce5d4a6364abbe9205fe61ce8e2d844261da5c566ee3217e1542a8f4e99558069fdcaef675aed96dde432b44b520d2cb2b6c2dda6a930871cf5f9d8fbcaf84f31abf8efac1194172d02a12de345341356152deafa2e64a51e8f5e6c075817ed375cd4bc30a795e25a28c9311cc3bf4fa4612509d4d242e6fe2696c43702af4c5d2240358d73a28657edfc676007818f546c4cb2b07259ddad85028cf89648a059f09f69af3643f4f0b0aaeac33f662980e9bead7565616e2c706f0e259d0d442647fe34ce5cacd1de06af33e1ac8bb0414a9fc4640691428364678ef0346d05831f255e8cc15c11d6e8a570ea463fd0fdb599eaa2f0e1155a876c049a80bd72f9a41b44aee461c5b40cd03e41c01b5d65346aef3c2fd62fd0240163318b3fafe0ff12f6cd9e6baf5a1640d2cdb720b84059b2c01258ba78efbdd42d044784de9457184b7c4ebb155378e5ce213cad095d1afd076568916d03868e2604168045ce20ca54d30a15c8adb979db9f46cd70785567b8d5f6fac89d7f2892b36fbb4fe8de9c0bada9f24000636a5a5d79a31b09d71ce95eda30369a195ea2657758529423d485630038e8d2f38c1cf69f44528b19a029529977c9191b9c4be2b1383ea3f04c7dd21dc7741ffeedb19fea62e0d17a3019122649b541fcefcd6fec8d69cdb71b93cd345a4b2ee643f7e78ac2d97a0dc0f7e0ce6f699640750101603597e18872d0840323bc88a5e1e1718ff9c5f11532506f4cd3eeea4f5a58736a3a12bd9315b5fcc2693df2dd9640b9539b7ae7ae13edb6f12ca95cd58410b5c379d2f5612c1a474b1189d4aa1826402ebd595e79d5522230bfd278161f9043d4f10aee32c133522152b2cdeaa27708dc5aa66273e531420621f61cd748c875f5c6376e4344cf13c38dd7acd03474e4c19b6e06aabc43b4de310e35f93c652555c9d4c702c7c8fbf3f15e393c4742e79a8aaf67c20eceb4c8a65678306094740d8d7bae5fd6d1d1e87cd1f1e34db80fa101dca0c9fa204f1504c59ab6c324b34e36c00311b0be8db4ada1a33d634fd5f07ce1d5196acb05261107d031733b8d302a1bca19776f2d24c2601a402a38416889b681a036e735e572502df8b3067f7ed4200df04a01ac1c1eb2f499833c04ff1a7b5d5c5779bb8e05eda1596b877427591e9a0d0da0af1203039101466f57f59377888e4bce0b29616c1040aeb2a7fea1b6fd7abe843784f673df495460515f32563e5921fd63285122d6ce4dd402488c3aa5756ab2d0aeb57c0c5daa167f96ae079120045727ce3b7c9580fe39bc689f30c51ef6389170f484871bc75da2d25f26efc50a2c308c60f5e4c8624b5867df59d03217e2d8c990530ff10c00da427e06d01618acc7cbb01a501a750028caf0e9bb3cd4a8ca415504290510209d566940981ffb0e99beeb47ba01e0c8c62e431105a99fcdcc3e0fe4fb5c4e69dbd182b5346a42ca09a5eddc7bb78c0ce979a62da6ce1d0805fc5a924e1aa952f0e15fa59a3e095c27f6d15faee367f2299168e73378ef24ad16d934d3e55053113601d32c5a04ee6f1e7c9943060348cf8c8d7400fa5fcfd22ee5e911f1221f42a0c392cb30ca2ed10a72e0c339a1c7ca8c71efe9540e1ec0cc6643ff6d0f07289ec373e9b96320a4fc571251916e60d9f968a368bd3b4ba338571027ada63f6779c2feaa9a70186950426c9aa6ab0b3293dd4d59b0f85c4e833f2edf873f6b27b20e41cdb56359e8f9bfad2b58b981f5a07aec4a15e52b6f55a35cea858f5ac1c438f69477808986fb4f8afe656b3575662b31435fe7f6028b1c24840243c76351ddabd313775395739487155bf0c377694d31150b3b14b28576dfc0c86f9baeea5646f7a0ef6c1d0ac2f448113e5ca027a262b74bfc9711d597749d11333ce2a5723d019d44f54bbf1da9664721dd833b51cbeca4ca3212317e97da6d3e44b059420f1536e194b5447e12e1c5f8a19e17c0d1831631774aefbc677a4676a6c6e408ce4c41cdcaadc6b9089c6bf4832e81bc5d80f75a1233a700e8149800c5556d70f032b38b467404a56850d6604e3d082fc078681fa89d5fc422b5ee06fd6a65ea1ca77aad5b859fa615fc2d5b41b4b4edb4b7376833089e75cc0bd56f3917a4a70b0c4e6c0cfaabd238dde8be4bc260f4fe158baf11f97a80d7a6c6c30d08d48d1af64d8c1882638001ece74d9b2f42aaaeddeaf5501d26c7a479215bcb05f56f1d472db703df639fc7fa35c997669fd41183cb48baad730eebfa5931dcb20a683a81b2599655fc1c52757ddafa6a26b677e7a06b11335aa41806b4b1fcaf05f186352f6fd3d7000efa4e667a28be5787e9dd323fe7910fd7cd2c8b17e983febd5b0f8d72596d1b4e6b4be1399f372fcc3b473b667be087fa8dededbe06ba3054e9b885e5c930af4043ee17e1d052e3e270eb91835e7459eeb65a72f6a2ee019bfbf04297f0b21040885c57b6d189dc54d470b5996e28ece3a6830c3483e07727d76d1a570c305fb0c75d7935493280470fc847990f4551bbfae5842725c4855f9f9885a418623ce71a7d52d1f5a1e522e6caefaadb9bc29160882b52754e3d8478644144de4addd4f2fd33a2516b7fe2ba322d59265983bf8a4c89908a5c9f9669880355cfb6fdfd0d50658fa743dd3bab9a69a95c217220a054b9453e4c48d18a8b5ff40184c8e2b973f7772865fc370692714321594de0cec2bd022912149d7e8acc9e5df154041fde6be7b810256074a60c24842e0590ec7d7f1d1b45aa6ccdd88c30b23bfd3160d40ecb41420cfb408d82b7f8fbaf461bb12d5c912a94f2f7a7cc2639a3f36cd07b521495b9aed21e1122bae1e06f77bacfd2fd7db691aba1153e7f4634e1f48011789063059dd5a8cec72d8ab33048c4605d3e8bb6a37079c3548e0e14eaba0bd045d2642df445d707b82e4177275e9c09844f3c5a8b01c961784b307a42d88e8de36d07293bf13bafcd754c7cc0a9dfc86c6cbaf5138bee089f3a53d12cbb9d720ad453eb509dabf437154f4a36d4a3d31473977cd0f832f927812cbfa2730d87a2547480f7f6ae7581af11274b6c5bdacfc27d1ed51a7f3449752385f815da048b5569c8e726214ad3864cd0003fff7910479ac27860e22700a27a804b57066957798741fc22536e449d640ddf163715860b7a473393316ffc568ef809a995822c551be8b17dcf29e6b4b7497ac0985b933b9793760ae1ab847c27fd2fdac29b087135ac83cdf2dc7cb960cd2e6fe16dd07e4a9359868e2db4915e3af47437dc412e916e99145b0b47b2026703a1147ec6e8c066c8ef351a9fa9e151b8afbbf4c055d919af5f727ffae6731c5ee85b9ac1674d7f51125f5607d9a5ac2c880659feb59f3a3c235336a2ae80a58c26a121993099d84aef36319850788c315151f6a509147d9eb7c321a3021dee5002fb39da17a2b2046f5aefb95ff9effc3e6a8e7c202efd008f4dac8d6fcea6458362639416b1085f51ae259fa23c4ace0e906408b88b77fe24fb4cd05cc4eda1ecabbfae95c5d01286aeb26245222cef988a2e8dae71777e3925a3b31eafdbd8d86c538455682f862f079bc844a60c4d9a9f04434b4cbdf4ebb0edcf08aa2c8d1b5841b824b7df1951a67f0d2ef55dfe8f44f03812c0578e9a1410e4ac8c0d8110256438d358256091bb28318156f6d4d31d66925ba26f38e70158d4808950c9727f8df13e0c6bc45075b0ff411a5510def9d32a246ceb55fae12784928dd6f5f1e86498896c42aab6e7a8c4b0c26b5f98f6e7f3fe5e8d1d22f7ee5fdac89febce5bd645e2649f7f68183b6dd47c5fc6de90dfa7e241dea4401e276506dbba98dc06d6fb36164288ef98ece7e041fb62e2f56c38e80202a50a46e63aefec721e72e1a5d7a0345b70311d22cdfc1b6660ae744e142316bcc6c1fb2f62746d6e994a7259f10bcc4692fd6d6e18d6a4a8f1b3ddf8a9ed1e5056a77ada221514a64c4d13af4cdd0ec51dd612b0904a89f6849485afbb4066b3026dbfea1d723bd47436a5cafbb359f3ebc00a116772a595b7169252ba53bb09a330baa2dde9cad0b66d2fb1a22aee18791a9286d4fc7eb82b8c0d87ff26eb8f38b72df26a5f0e49c4f24bca5174b8c671e32895b8e2cd824b2dcd2a9229f8065606c12f5ac718c60c7416bccfb465277d533c9697402c804fa6c21b2b1ffc14fff2e81322e0f0db4821785247f46192f1039726010bb308429e35048c9a715365dc253a9a6786cd2103038f9dd2c04df2dc3bdf37b27b1ec4706887aeeb1ed3133352c124ebea6b695ce84f65b7d61b2c21b1b58e5c6369ad03d9ef7a1f08cdd6dfaafbdee77de92b5317720f5af67da104cc197d5e5fe2b4ddb11c67d7550de91822e30d54372ae2305334458111793ab020222f3f9e2b6dfe6532796c2ad82d1063bd30164e7e6e236917a722834239abcb83e683f5186b557172fcefe7e2042a08628e7f290cd483cec6abb60604e0de363b205fbd0dd909e283dc12cc466085f40c4244f04e92719206fdea4e5997122ff2b0b1bdec992adba91771239d0e7eab11172191f5f2ce33b459388ac06474a2e7543d3600b942f5a277b4dfb68dd22a1bb88fe1a8f92b03cd8ef9dd1b094d84eaea5dd3e66517eaf78efb5fdd6feaca9ab9ff5266ed1f46ad6a138b9d3b2c6ec095a14bb04afa3c8f31a6957a5c4b4916bb6916fb45b3d9d426906191bc6ecb92dc1fe2dfcb20c04f5a115d9c87e8eb07096ad17e54968289bd9b33c53e073af0df28bb98d9567e67585c3ed73a35df82969cae3875e058563d45b3bcd69b7f7b94d4be40314b1b1205c672d9e9b385ee98fa2941657f05be4f0bb504b917db99ac1876ada05933890711690971a0c953ad5c3431447ed3de363606b7076b975b7fe7daa76525c34c59b9f4f28952b40cdb7a827459c9db7dd3068a9db8a104800d95dabd81005532db44c7c37892660d466386fbf3040c47172f7a5199b568e3fe86122dd5c65595f786ff3322cb7cdfb10223df5a7cd3b9abf322dc30ac8162dbe680a10db03a72cd66278a8f243f91a0857c93d2c34c83849239867df3714a216e72599a7bb8666f97e3c76ee1a865f962ec03e2cfb05d221a5f5078c3c722ba848895eebc1e3175db6f46f890c85edcca9425f5c1a5e31f2e776af9eceb6edefa065b3b4fd0d2764613899b81965d6311bde99348bd2b6dfb4314deb6cd034df8ddde1e169c6d95a4189e1ddcfae8ede44358ddf38d790a188aa4b991c2f8934c88a130a9b04c4b610e33c86a28c771ce6648cacf3d6a6eddfb2d9d55d59a8fd192edcaca3bd86dbae88ec8c003930036a1ae404fc701e9e249a7a2aece876c04715f04d688e859e476dbd78dc1aa27eed4a59e67cc538045df964551be2c906fefbd0a3525eb2bce91315bdcbd98846cdc7370406494aa58278cff320b94ced78635d6c766c3376448c659a80f2ada03176b849d49465f4cb3ed14f2cc93c3cc48521bccc63e5981f8cf3a425e81220ceb75b5356a88440079aa7267515eff287bdf1f3150d78ab4a8d3b54202a7d8f5f64c0f1523f663d8d8cff76713727d45f0880a5498173dcb97cbfccabdd66d1f763175a1a05909c86a56a658ccda11a97d1caf5c5be5d549f0c5da991459954185fd818800ee92fe1ee5cf47e5bd9b300e9794e6e24231e1b7e4e023436e94b912f76dcf888be422bfa2a5a459b0ac76e4420774d9ce1253ebbb476b027be4a135b5ded8b4bf1e5f9b7d466ee9419202953aca61b4260c743869e8fa5d9aa612e34886e6b3f9f2b56c49d2605ccb2e5e295d73c5733fd9721b9f1e663f52f755d27939e20f7df3b2b5e27bc18b0db0ec30ed32da3340cd5e80d5b990d27d96e6aca3cfef8671327c5e287bbba53968a2aef825efa837ef6b8b09cfb2f8f2e47cbb4da26cb5d569c43b26c7278d24164a4e91c8c77b928e479f46b1a0cc0dd56a49d257bab2ba329c1b0f8fc4ed775af6b465ee93d21534780f62e76fb6a9a4a6cf72de55407b144db3e9b1c508f3539c9dc04d525b7634a588ba6665a549ce5819a2e05112503e75f6969bae2690677197310e093d1e30fcc1dc7ea08c4795efcec23695eee4e79df7a44d0a6495c86c42655e8e2500202d9363e76f365a10f94a600907cc220407a2d5bebd94ed6b3900ae13c2be21b4da43350ad5f45c01d00c6aad3bc75d21231abe4eededac5669b4d74fc2cb6862698d8d703d6cb3fb8592ce54fe2db486adf4c52777bd62ec85a4b7d9f5dab140c3adba05395329a644161e398a84539017f88b3bda46c6c96ab19115082fed39b28b94ced75167272db5d32f110ddbdf4234b4397d3490da1ebd649f1df80b3c2a6b5552ed460f84466b6a9b591c1616ae2381c938cdb6d12085eea42f2cca2fbc21692bb46ce0e84ae9acd67148be4e0d75802179d8238fbee123f678694f1cd640f360588493afdda30cd2ae6246e79a5267344b7a9ef1120b7e1e927bc42dd762d13e6163fad74d6ac4ee5e7db7ff3f1262abcd2cd18a1f90df47ec4afd04bbec83f8012c28a67e316d7e9c4da243737de9d96486a0d3e61214df870ad9b00dde612a5168d24d8c1e92af0481e9c8fde6d3fb597fffb590bf5c3008253928be16ddbf85126475d0ce2a9d8ceecc66ac0c7f1b62048287cfa18ae4acca5ec5abb616f17b2c3e1b9ce4eb742486229fee9507565ae40254581ae8ad6251db3a5f18ee440bfaca7787c28c53258f2a879b53e711f826aeb2333e915944910c82a1b7f233c22ab2328d6e275a5a04968f6ae2e990b8d8832a37dbb1745204d705ee542621ee86ae8dd89139dda8339ceb37e6cfb74dd0df89644391a0a4c397bef6fd3ad7ebf41f44c084ead35e0d8f12e0c114974654b797750eb71649d5b25d87f978c85116fa2aa4c17131593c8872fa5287311f92939a3eb03f77bbba7e9f0550fb8965ac1b8fa1a848aacd6bf177a7b12b6c8ee7313e90f17d21d404a1175c61ce4231b48ff900f1c964fc2b2940cb93d49b54727d9d757ee1ec5cada2a7aae117550fbf0652943a4fc5ab09ec81df6a0503df2883a7d07333ad3f8de88c2d7c0645c30ee088e6276fe7db16d8882f253f66026ee7501b3e9b812ed7cfee345559216422ccf2c852771cde9721237a2df3cc7a88f31ce41f832f8a473d481affb1c0e22000b0e00a0ac2822de3193aa28da3557e60cd4a3d3057d6b46fc7578d39bcfe5d5525f5cedeebbcbbd945e178c672a4a2c640c9af291900293c4c334aecc803263d018021e4285f0724bfd2081bf1a174a5b90bc8b8ea9ba8585fb3eeb2e0b5b341713e4a83eeda01a118f26d854604049d2d9b20c6da259299c8da79f08dcf89be7fa954dfdc9e8c03e129be0d9c6f033fae8ae038b6aff930e52d4e8cd6c77d19fccfe3fd7d3afff1162493ba7bdbb092ec64a81ad7cf85baf9604194566cb1750fc66322382e2956e57300785fc4c3c471484357780c143f969f0ce4c57866e3b81e46dc2770fb3e7bfbb470bb26e7aa9c94523724e63d5dcdda911e6ef9b8a48f00cf93a8b5ade72cde22560ba5e57458cbc8b86d145d67423129e7989e1ff5e78fd79156e6013b0a1a3f9e31e3ac0f89648728237cc83d7bfdd3ab899d56d553aef00a831e96b8a72e1ddaa5a0865174dd3195362d370d1213f92909784f027e4a45a6611d3793904582a600b1953da6b4d0eb27b172bf98162c44703b24485eb286f424e7b5a47a8aee1037e28720348d616b28b150e98bdaa1875fb2692de470fb1191f3386c2b37b47fab695b1757ac0e5bb838b99ef666201d2027f6403494ac52e742c0fd62ab8bae223e9ef005014385f73cd040b2474143aa1454bcc56212a854a436550a2a74a73938f6045937ff3338d512a3e85d1209807a2c393ed6e418e32ed2be3d37df94fd967d607503347dd2369d3a14a8e4671a1a856d5b803baf9383ece69667718fe907866f10262a58c02eb5f0706073610353b09ed8dbdca307ba9decb7a8f0a026119173b972312095ca5cdfd3a7dfddbdc5a037327fe7f41764105047b4a19d7e87d81c4dbc7b9c7c158dfeeb1e7e3fa45d06ba327593bba7e28bb7a010dd9fe9130164110ddb9ff54d2302d8c476b6145d1f89a055728acb30d510bc93f59328d3582239ac28e5ac3a4c971f19ea95355eabcc55a22ffc35b9dad29163ec662224c524dc545a86787adc89d7db9b197eabfd1d995ae01f248340b1697155ddb2ad540247a59ac8574ed41c8258b74a6fb651f2d33d347d6d38c629c87c188ee4310c199de7f0bbe768e8cc1e7ecb3601af0c8c26d8266cabfc8c83ad1520442cdedef6b59ed8b3bca8c38385a34c360750ea3f8e570252c8bb6c31eb24d12f87eafd4c332b12008a44186ac648c75f9adeb621748906dad542b289bef5fdeb83a23af903fb38540975cb5282709c3a3c9e7dc0ac244dd1827e5197192bbcb023506c8f1fba9db637702007b474bc663c40e8551302185ebe8b06cb30f59e1c569baf9466d2eba8b7023de824b6bdff0c77d6d76c7e528902e4cddcdda2bfea46ca9c5181268d57aea77972e8bda85ca2476d23d662487f6d2e1e5613c5ecd2fb05cc31abfbc509d1756dcc8c0bf8b4901cdb387342b62cbb8fbaff5437d862b3cacea99fe298ecb527d7bc90e89a39b6db7140ad4939d8fea8664b77aa2ded74a0a0118d695e1da97c3c3fcbef58cb59809ba359c7462d58f3fecdadf94a856efd5543768d8a3b27db5f548efe2e51a9b4243c231743f52f5c0355a1a5ddc5f6173f2b24a906d910737dc632a25d1705090f957a3eabccd8f65b62baf4008641c20e8ee6d67c0eff376ec2f88d8cc003d3ef456bfb5da571d55cd7b0a515e278ceb4a2c84422ad291a6bda7210d35ce1f7d3e2144ec7030cc753859dc5533b86e4942394e71acf9f8fe2b9fa5be163484c85cec615e1353a3a5f1a82c55d916fa4ac7f31b1023dcd9130f61a8a7c00301a8e6d871d859139a7852a60829f2087e93e14e59b2762660727da193ecc0dc15e97234bcfdfcea68ff968207c4fbc5e7bff4d9408d0b252da323d2613c3ab9971be3a6c6e8982a1ea2ea6b020cd0b78ad83e248f38f9d7b2c0f81266544b93bc0f02980ab0bf873ed0527d1a78c1283b5cdc12314d22b5e182921d46ddcdf7402a465044a16b2d59df62adc53e689f6e300c53352f267749b79e005062b07d62b029ce5e82845ca6b695ae6c9bc13ab011f22707dfce7e98940231f7704afc12eef282bce1ff8f0dba329cf70fc56fe1cf1d6dd4ca3d079d81ad5f639ff8fd904a54047e2b99d4ef027fce4b70b05b4b5dca48864cb19a65a42148e3e2b9ad158f9bf814a0fc0c9d35c61ecb9a6d39ce0aff53f72c63c93778fa9e01d81ab985ec1ab9337252a4634e4047cd92913d85db0194ad9278e751f02e126c8d9f103cb9fd5b0dd883ee17130460313e6bfb066a2693532785af70fb7bab2a9d45e2853e6f624ff1f4b2d362c63b8fec8f8840969900b1898c11f4aaa950f6be042eef4f57b0b5decd0d4c463a1cc015b517f151431ce6267c02e12dcc119351e3f099187598c7a804a5a736927da508c9a052b6f792a6f24502029c0f758151b65c7cf3e4239b4732b44ecdfe2c8fd3cfac6005a13d132a72f6b6da2d5cc2c8801600eb16c1488187bc7d43bd5c9f6bf4052e7928b17c4f0b9d5bcb2208970780fd8a3fa479fe60a3def0332f2b9a321a36886fac104a4f739db35aecf71bf1588ca6fc3c3430776d304e6fd2c6e335908902d815593ae06c4ba29eddf5f5e3d715f5d2c772e2b0f62c8d53a84a6835a4995af4ad186b21b55d011684ad07f1317d93fd32a87bac3b2027c39173d51c95c486768cb924c628653541146a2850c8a571b2db560eae73e5118b2cb125f273ebeed428a83dc103faa06018ab58facf4c23d4f80a058e509aa5cb88de2e74096ed8c73cf4c1c18fb766af48f8c1f09c85af655ef243567973e2650919fe4289e1b949161560cdfd1436d0eb34fa5dcb1fc6b655e5de8e47dcd61987e28b2b67ee560d3e5bf06f08d1740b541dbf5fe966c548477744009ba253e1799ea46842411f7c66bc59bcdf3c62f265169bd53e2d157ae268f239ce8147f5f7d3f6e1613a4bc45a010e6d7efab1ebcf3666ec3320c356ec9374d4b55b5e226d2976b63f1263c01b5dcfa45b5bd0be9c9c3d11e2ca18f6fcc1b9673e5292c7354047752b0f88934129c4ef7562991261a35bffd61ba0912fc03b776a8ba37588d1fcb98e4e70734778f88795c5e53f9d894eb502b095ec3f2680c1af1b1db4d049d9c4e5d5b65a784b318b2dc1862176a36b64568ead48397ce6c684532a3ceac8d54178ed2c4876008bcf686e1e9bb60fc7f271693110f9cbf43dcb496a70fdab4aaf65bc6119d34c1c5a8138faa23b2b347f2bf0f6cb9605f3f504b0080689091688f03c2dbcdaee698912ae4e5366fae05ac4bf34f3a001f39c612e0a511ef4fa6b71ae32c6a805837530755b7552baac76f76215628592929629ec4e7f386ea26ae151a9fc1858e270621116802af43107b3b952084a19be63734b8effda36de57586b29c50737113d04e1ad7fce51419001d1fbb4c77191321fb3d26be954e8ec78d8f3c5ea6aa0a7c30d2a817b8ec5c3df841147f63a39eea423298d8a05cee34e6db542f4aa58461ea0319251e84b1b4289c2e8f2f3f76cbb459527954bc00128dcf53a015e330f2bb9a43e9703299de6ea9ff7ae84beffb479f94b4cdbf24bde604d69c9378cf8387bb9831c46a619fb99915923d8ca6ce536f47370599f4dde04c823c067c773ac7b6f40ff5af9b30e9fa17cbf1e34e30cf503477d554d7a4c8e085b1900cff0b0a80ee5961942b57b485498ac8683cb52069ed367edd614555d7f53ce7601ab779df7a28cf7be8bc1b6a9e1636c697e22b5f2901ecf6c7348c335c8b4a3c69d9fe63df416760c0c747de61c2e0960dfbe5ce7a553b532b2da5d9645c5d5ef103cd1af91a240311c1d4c3fd0596f4f65f3113f87aae24504e633443ca5b5de854a74d1c619c727a1bd6764a214be118698b17766e2a95d661acb2d0412c7d36cdf4467f6daf14b962cd97e24fa3cd5ad9adf2f3d1093cca7dc676de770970c44c599b996d49b81050c744c7c9049f93c03462089dcf60b9befa1f419a45563f82e7b587b26ebcdf5dc8b4cf190b73e4bd6d6b84a19d4ac62902ae8177d3aedad512b80c9573547bed38d9f02170d4e8b3a1b18fc90e0b8b871ec5227d4c8e114f44ca8c9fe9c5d02054c190559b26b166b7f9480aba380aec7ef6384dfdcf57c2c6119698b0f2a21228dc6d5cab83037bbaa475ce900d18daab7349e11a18e915509c23a50002c3a24ffb02be8686c190c8b40d7f044bb227db73858293befa17719915a8bdbe9f8ce384b9e46541941c0d964abfcf81e701cd72c7bd935eb1678463135b834396f38068ff485b409f310a1b0514bb3ddc46f109f689f9ad498bac5509acbd6579c2bfdbf5411ba85b067ff2733ac937edf72b1c74126e89017dc34e8826218015e25a28af71d9bc21f4dc3a2fdc6e6ece6c2d1b54e5fd3c669f57b054f5d3362935d3022869c3c3a92275a66dda55981262f10f75839a40576f6e39e354336faa442133575f0af25d64bf8c029239dea3b16dd6fe97d11361791cac093dba5668f3e696c12a304cff2613fb886bec87976af2ad8efe68aa8e0efca8fdd663bb65cc5ff4fe114a57ce0a7e3ed2a183614818794437e91fa03d3a7042ddddfaec07cd927a8abb492ba026779a9b029e84f32cbf3f100321cf1b9380ecd8b21f8f492fdf2e34a754a0599635ffb84eaeae713bcde5c55ca74d446c4b04352a18cdfeb00aee0f8c7df00d7b9ea5cfb8d00db3ddf702a5519f03fc02539b540fac4453c36d763dc0f387f38c953abdb2bcf8e1c1942b6adbef0f89163b5ca7def027d09c03106af8b2571613924a815e319db4f0acb27a32da871003bd0e14b69365e8d9a7b9d87a232e018cd277d7b2b5ed2da56363ce9cb64a754419473f714e183c6b663df0090ab6d1cee4a04ea68780806ba2680e95d80b2111df2091fcc06874d044e3cfffd2515e2fc08b720be1ee43839282724aa05ba713d50bdebc6753829cda0999d310d107f534b84d981504d986c3cac8888aa0ee67380d324cf541971b092c9cbc86254bd537f5bb68c0386af4a228104fc03db6aa3258a4b9517150c037cfa34be268dd0c2159833a75caf4da248f71a34a78077e15b44d8d7770999762b0e70b92332009999e5a2390944620363433d01ea4ee78efa89540f652eb622a9373c51c8e4194324070621bcc6ec1a5f99964a6fbe2c2699cf63ec3ab6074cba2f395da358e8ff63048ddee805d13f51bcb470324abc4db5a9df832cacf88ce12d4a759d83e527f4923addf1d846986bb22ed457056287e399622ddb1b6546ecad1d159822d96b84dfae694d2ca66dfb9666a3f2ac1cd69a3e0a57a8c3264b7eae27c3dfdc0679fd79e179b0a05ef73d8a16be7724a23a23df607ee7ef8bf1c85f4f8d48ac70262c0791fd38cac8ac9972a04671434477e34cc1e242605c9e8a03a5ba68e4834e805fa271a998ac9046eb9c2ec1fa24e4fff377e277c978655af4abacfeb9f7f19b0b6ec116a9d59d773b409dbaec6a1f571507ab3d9c3254f6adc8771783a2477a8f744ef678db947efef1b1260fb8d98686a892f1a7d78afb4861754b37780673854c74c7789587771f39299d638e22a4a40f5224144cb8933dbbecef6b141ff990c59f0148c63b338eec3b7e2ef7aae262714d5b0b98879f1b3d5455b84e8730097c7c092a16306e8fdab596985eaa5cc048d4c7cac7120b7348a9840b7934440569592a83196c7858798c6b342daaedf49ec2fd7756b2d63e2ab21b8402fc4f0e47e886fe99a272b1acc04f69ba722f3bd3a87485cf06d9996fd56c544f4d3f03fae0c67aa974c5aebdab64ea11d40c7c2617b9d3664d39d42ca94f314d7069d974c8300035b501d37d55bbd52d78d4cfcab2ea886a685732f3a2e2683fe97b1da11b21dce654e5fba9dc527226d7c1b6149b63f27c489eb3ad183f06d1ce71ca2df5324f4a2082158d1905c328c35b5c5cc38e60eec085e7d86c6b9e0d181856ed08968627a00bd04fa63bd6fa1e995d903abdc76b6f727fe0b51f87721ba1f8943e043725f8213565ad1281eed856a3f5b7320066c05fa7dd7e1e8f87c1beeaaf20ea990a28debfe38ae440592ede139895f613100a99b2de0710505c123d28c280ab440fc264f51281c77e1bf685a12c12f3fc35765f9fc734f318d54f41dd9510d52af3baad403d5281792ad98b396ba3a3fcc61812ed729d877b541f5dede5d6c808ca93d74082a3cde16b615fda486cb7cbf20e045160c5f22c0b498066bd038da324f3db078964e626e023263cffe37b7e7b60689ba612c0d5c0b7377427ce241092c3342ae27f1263ebd1b1e9ac95ceaab495152db27bc30db4b3deba2d736d53fe660bc6758348d5bd643d1ff21aa4d8eb1e5dd4576729ee1e649e1dac96a3995bea6e742116c4c860f8924a8b85d5ebc2214082bab0d48a98626da328bd2fd787ddef88d16ae19ca23c65be3cd3452751ad669aacd2e6085042cfa3b299decc5e538985fe4c2607fb3e74be761d9c33dbaeed9259683a16054bf0022d253d0a2c94062a556ddd41c3220f8aa26cdbac4cff3df5e9b16dfabd6eeee4928636cd693e708c69edc1a5164213ecb0e35e1ebb90c1f202ae37d0ddba7f97b2df5b517e74bfa121a03fbcae3a85541f31895cba0e8d4aece5c935742f27211dc65e14f3311f26371afce2b9dd236d9be1918a5ddc9760d421a06fd455ab36a1ec95f45fc67892836e40e0869973a97d07fbc7cc5598ff7967fb78bf2871ee3b23f78b3dc109f7a0a9e940b5e01ab2a910992fe1ea9e1b8c601d9696d2c2c04fbdd5100c4436cd9bb0840d5de3beca66a72e1e981dc5b7f53d08eeb4ba8352c6d3597cd75d7da630d8a9d016f9906fee70614a2bd0c37a3b1dd3a813ad2708ec8a54b22bfce4433f6bea28fe6bfff5b96f3593da7c3bd3a863ed6503721cbebb9cf5e5c51bbf2170ddf1b7298b82778a98a946d7f2f14e838a3e2db7537ad67d5c276de11095e473da2c43d7635babbab6cb80d7ce1486e614c904fbe0082a74e46c8d07674ebaad6e6ee40f0f6882d4c1b3243d061e81b3be8640f207bb194453ea6c1e252d2a04a2031bd1342fe39369a897f26417d968759a5c3a06f030ad0abb20cba76d22646f9edbabe55561c1a6a262fb965cb00a618faa07fd544270dd212be31615708aaec4096858bc7f660e6899b52171e9396ebe48c12caddc3dc40b2c7493e43b3b3e12b642f1da857d6bac348b2521c50d5ab6b844b5074cf68209cd349a44f480ffe634a0b5f7b29ec26626d36c8f9f0413e6728b5c0f18a2e936cd71ba050d4e8a009f917920498200b457832ba65c0466d64209e93f35115955079a6178ef9ab982395c2c11e0f4099ff31cceb2ef4cbde0319fd77588d0e7b0f824ddf879e4b3668c370b7aba875080a97c455d287c0b591c52fdf3fb190b9f1c52ad92886f8563ac9305e47bfc9272a60ce0172fc83c82e0c640cbe2b2febb171ca215397998223886cf6b1f723657752f48e24a083d95130ac30673282fbb95a40abc93db075439772b5ae02412677ef88a76f9922b0ea85f038f6e5c0bf2c8502db3f5578a4f34d244d61ae4399bc7721d936da326b6d1deb4d005a964f6da05952cc27ee6ab7c985f67b05d8fb1eba7c2a5d154ae867d176386377073e2626b0a3a2b5f882144664a1675cfd107ceeb37620a4a4768b55a24dbf71ceb7d9ba4f0d1e734ae46fd3baa491da572a380d86ddbb40d6e5195e683350e6b58bbcbfff111f24b36d6de9d8fcd3ee8068b9b7450a190edd21869fe43ba26478d3655c53b76ddf67dc282a7d5657e93c252771f53fc1602ada31b000dec61c813f053c692c49b09e4805a5411fc76998e7f82d53128fb4e42ad2e288ee9e003dec36edc7e039fb87721a4126355db44eb43e89bc29c70526158563132349f441e7e85a415b48b9ba536efdc8ef722c7f4a3f52c78072c7ae1d6894bd27583259f6a577edf4007cd320252b73426a1bc5bd7e260625527340e90a369fca1e88d7eaba501cd43207028b7fec5d3d2ec35e90da793ecf3638a1dc0e26104264439cafd8c62df72ad385d0dbba724ba5962b92ff8b0c6c5ef31fb668ba242e74fafbf4fd81b1d526ca3e3a2f25bde45c3c0c17f9f387f90161631b9623aaca870281ec3fd45796de02aee61b9e32e9d3c370bd4b9816b977b34dccfcc6bd71a86d7e8c9ecd8884386cf94e70f4711eee06b68170d1279821148ea161031d9aacd6e4a769450ddab1dbeb4cee429a339713094884fa439968f9b01837492066e6ee6e3f7a6962e5b0bf5b60deb6c25be3121b6b47b65cb457cc82e95fd30a861ba11830bb09741b180c4ad2a5d58b6e1f7b97d1489a06129583552450d15cdb74ec177e18bfd2cf6202e883817dec4ecc60af4fda42f88c6d54b8ec1170255323ee838a16dc547d24afdd9429327371f0a8dd5926faa063d15c3ff3eec70873a53ce5983259ddd9944d5ed780eeb19f334cf61aaf7aab0feb70b3a50ca55d205b647a333daa962aaef9e37761fac411268412fedbf24b783a83783a3cbdecf15aa17a49789ba5352cc197bc9fb66b4f4cff97b79a25aa43c40f5213acd927c104a392724070e347bdd482fc8b3afff1882c3e9e5eaf5027e88efd72ebd37e3d9810e76ea4d7b2b079cfd5d942b59f774f221395b06fa92446db9a8d10de948977645221a7b1e3a564f614878fa1f2d2efb388105e0e1c03d0fc361cb42ec3296e5c68cdbe0f7b3f0d1cf56f667706ba90c2a15607d4e99ad588176ee795a135420e4797a91c9d404628a726ead95f9780a239c2dddd5cc745d2cd4629e659cba34a9e83d014eea0dfa57d641f6109728f6bf964bf397e304dd436680d1fb8d0280a37b06acb4edd16eefb339269e38ce4b9f454ac7c79cd634fd6f19e713c2955c234eac508ea754bc05354f5af089187863479d4840804284c780077c4e4df4a47f395384cfbd00e024a81386abd84fd11bb8c65c769e4a821f01820350487f309197e72b6462f29977519101ebc520008ce3306bb902964c69bd1a0002747e4ceaeb26239f3e1913f290a8182fd838f2de5c3f3ce4904baf398768aac3b9ea9d45af2556ce9cddfbb48255f4e615b3d77a4ecc802a9e338be342db986deeda8fe021cbf6ab9995931e8f624aaf084485e798f4e05d1f50dc81107f9f55f7a3998d3f4cc51f975d38fa4721bb55578473b1be71ed627832435cace367b3d7d5fa6e912249209e0323657b8e5fa6e8530d75911f36258bc32cfda0ca3b8bd067b67440a3101fa9d7c41e4002312e32dd1321c5be4656bbcd28ab4411bfd23aecd6d1f66d2b25e9d518623f8ee2964172c4061a20fe45be641c1a85727968b19e87844f936fbf217de8b985113e5462b0b0507f571be2e81b2a2d1b1d7fd1017f47a5146cfacf0bdebfc833b880b4f73477c8649d70d7db8f1e352d6e3a943012722a02533d61606d93cf024b18a9dc4cbe872b9a2a693d25cdc2d34f8dd8cfa6c25e648c37ab322b30e9776e359fe2e0fbb93b38b688fff75f3bef9d4b93368e89a7f204031ab35ec2250a1a9ebc84f2dc2a93203e955c97109ab59a1dfdfc4d5b009daf69916349f1aa530453d36cd4001fcf1e60d2dde684aa43f4d872fb193776f032e90a39ee4d9f5c5e602503ea9b42a22e88ec83f7049870ee77dde87776fb6ec6fd2064b6150efd3a3246fb21ac7d1df9f51e2ab7188ef3118a7f98d2263f0cc6e5dc171d43df53ac00b226fd2ddcdf075afc85567b47c37c34f0e9bed40f0ccfd5b347a4206f6c661e08e979e28f426cbd7b0180963fcfaff6ceb9aba3b12be95d2dd8bba3c658a41a12d4112e2ae05ed9dbabe27ca541059b61190cde566e56fe9d5bc69d2f53e52b52f8c023a58ec0453a417e84edf37760aa0e3fcbe6ef6ec7f4a203e9ffe3f7cd23cc395ce5e72ef8a3665298599da4de58a712388b4ff9eedb63484b92f0ba8033b1c3c7a9cd1dda07d4ef3d3485eb7232adecc421dbc5ca0a7860f5140c8e93d0b770f0d07bd09ff86b166f6e1efbb467c89d67da9f674e1039bce15bca3c33cf626c29257d4c397562b802c1e254fe1a2cf5803d9f571a83115e1c940d52b862d29657c75e32ec71af341af4998f37e129ed717e7fff26f4d45964cb4a04aa77ce0ce0a9bd53269170704f64811c3848e5b05bd8ec7d92974019f2c5ceb23648417da1cde22a2f0b91f4d62938c21ccba16b957dbe400dfb59949c01c68f59fe11d96d5dad7a39e6a875f3a84cc3b62cd230654812899f4118f136b896743c67de85f820745036a373c039175e1e8bfd363e535f49248059110a119a94a65eba95659964257a531bf1311b2ed28e834fda74222c3604c90c2305c8a4a2bb7b5513a9a60f5a924eb9f1c7acd4b15811da5f4128f2d48efb43573d3b6978bdb8495aa4b80afaddfc9aa74a57a6e5d82a201cbd6cb6d4e6dd9cbf545265d646385aee2d055f4bf039e879a6086088e5c5a37c1a1d47fa374d265fecd3775309a43bcbb520139d08ebaaebd8f1d5a9c1e282ef45084f60ba838b47957f4c9eb363336a923d69c2e18bcd4e68a8f5e74931cf1a67acbe84d8064628d5c429d5398443b8cf487485094c9341c4ec6f8dfb7043bcf5d87a2d833d818ac8e5501e5accafa6b4cfb7b4c00490d1af2106689d42f61382472419c17e1f6f278681cb6821600e645943be22f03c3b8dbf6290201767c763bc07bb1407aee28e507f03fdd18c1ffe29b0fc7b3f0a8ab7e3cc2c13558984ef80856e2286f0bdebc790dc7e7bde03bc271011dd226195ef86d91e57066f5b933007f4d9a96fe2f2ed4861761bdbf3d46739d4aeeeb28bfc98d8515878e637a25ed115060ab2597eba14ef2cc67d247cfa89288a2fb83ccf5af26317617cc9339fbf8adb192567dd24bc11dd8144ff087a758baa2fe6335a5751a18ccd8038facfccc0ed74ad1b6afca6489fac1465623f0af17149a58a33da6da90d1aae212a3db863abfe10ecb680367428634e409d9f85dd4414adf1da3d667c4693b26ff29dbc25475754bac474efc8aed58463b540394e48dd00143550bf53d823c2dba3d20783bc1e49d0d79f75e1fa2e293124c16971f50ab024d6369d42ca2ab3cc75463c3a8bbc580bc1708a40688b341f8d1004e5a4c60ab0e6f315bf686bb21c671b7034a236337bb77a1b7f6d01abc4f4f7558247f59aa10e11bfd6f4c5e65015f09d3eadbb11b854913b93ccad9c8feda1b96363bffc8a06536b7d00f725ce5d6fcf0823dd86e57838d3a02b50bc11813e8a8d8775c06fcf841a943c0d9e025bcf4f5c6946ef4a95b03d97d9e7bbbd3e5a1bcd0ad5fe4323db859c1e43282e82aa29324e97a9925dab3d675d48e663414ddac15f56e9e9de9c39f856bb528358dd003050df5c336116cc29ef8a0e449d5c609db104a5bd53ca5c28fa7dfffc1073d511448ef5e5d86f25f8e81bec9214285700c05f601ebd472d71623ddb2f19aeeeecaf7685890a3644f81f69c1788c3cfafc3f2c8df72cc7d927835e9eb666b129d663c425224778be8dd0d87a1665aad99334ee71c13b2a1a4b96d4c91f70fca27999e6e829017d25bdb870d5e479c6ed087db835c9ac10cd4ee956328c10731fdbfa647de841a72fe9e8ef0ae1e57d81ac3a8573667c41472ab68aac5f4189236436f758c35d07e590a01801626995a3fe4b1bc2dbd37e018610b01f5e0c1f6f11c7bd3f6cfd38bab2529b7795191bd2b36206d468ed501e44c8ca1219f300d8a5da74bec71e9aae07799baa6afdde68ba604712a69ac2c858e76fb309145a2d4e125e2010ba0a12ebd50ed3523b1b65465aea1939c036183313864d16dfdc9bf30ee13c16aee3cb45e4b08e78ce9f7c32f15d686fb670b29b9bd1c9b4064852325383d7526c1c9077fd17b244069fff72a363d86a7306dc96b1a3a42df87d3e85b18ebf4950a11c0469c015fdd0da7e97744a1bce5faebfefd86c4d5b2aa60178c4c5b3f74a266125ca1d65cf9c1558b4a2051554db67569855aafb720d65a233d26e012ad097c0b42c524fa146a70b7b59c1a856d51ceeda5696781762f6c441a95cc4177d0f01de33bd400d0fb582d2d1c44745b068a5cbb98859c4f4e823f680e8fc4c91b0f0399584eb93488d9e601baae47e4b293eda1517ae062a4d3ac1f14f81b856d85a9230a31cf15320272824009143ec4f96213f0d3d560c645db3edf47c66e4fd9d757c09f98e64aa9deb59f8cb1aa2d8dc11f13733e745cedfcd024d90c986829a9215aa16571066d6034709312b1cc8458ae5ed13d2c7dba13401a959a0d9a90fb4a2ae45c8465f8e0ed5119d7c908e228e3244ef2f9ccfb72e1df9c32604a496cf49a9d4d98815a2309542bce0cf234df48458d3dc70c5fbbc78d7376cdd99e53760cfc1612cd6f8e712442f3c54ead35788e561c0adf910956241faa9d40aca975b2c7ae1ee400f3209df2670384a5dfb24663950701f918d374fac88ece0429eaab46a4f3286945e7bf44f688de8dbb6b441d43d2c7be1c557746e318630c9def2168a079bde3b75ddb42b5526685e7b5250012900c241eee5636d8e8ca6f1f8bca6925661df17bfbab26d69c6f332663f9e13fc9f3d40785008bfd9b540e055bdaba231b5be79401424e42b8c4edb81f1d8a33ab13db4f8517729fb352fb41a99c94f5eee3d220c2e1ad319e6f1ec234aefb515a4d2428ce011384c505bc4173eb0bdbdcf18f2a88b76697996b73032a1135ddb11da5805b46c9528fd5fab4b1c46acda6c70389f204131ba63ba20a6db14fdb9de6b6caa65d19d8fed70ef4d179ee3429b1c9084ef7e005a4893faa2f3a8879597efb8c3f7bdd660a6a96028189a35d575d8d433825ca487e033789839963667a4e4ba66bc8d2f2ff04e9d081903e31ad437e73b96ffdb434e650b10756a3ded0e501fd4c2a1db985438368228926d00de93a523b32ca92df73262ab71067b974e85c5a8a8a70eff2ac73cc7eb1b216c7a3d9d6c233486fb02e42af56d5ba1cc7ee0707a8f95dd4b03e6d11c251eca065ad865d908e2cb063adb50e327d72f4bb33be11000aa81c8077467582d347e19b042cdac85bb3beb153c7dc54e7298038c9ee604f61c4feffc214955dcc76a7e41f7edaf0ef597b1f132ea9138301964b60db44a3879f21b53636ed34520ed44095c6a41cc035e3e0e0fff219206be7002524aae8ea29404feef63344cd8720fbb4a204e06b49e9583f49df470fc66a69b61955d0ab9c98221d56ad967fb07534eaddbdcbaebc9840ad3a615fd7ac48113e4dd498d9199bf4e18fc664ce05c2c3d0d9219a3e91213d2b2336af861e2ed206010ec735fb5960e39c10d6feb45ae1de2d441ace81f9cd8067df109bf585dd85bf2f4e081760d3bccc32d1be7634daaba664e3eaaeb03a35262237c2637cad8acc75b3c667147bd2cc40d89ba3d811acafbabd26e0448bb39ea96f631211d5700cb1da53594f13bf5823b70f0a45db205defa29ea47dc2ed7a34b2e7ff21babf6e03f1628f0ccd1a55d845a778f0791e819d2551b93d90d3f96a9c30a3682165be95a63044fae89d2172dd24fb48d98f50ac624e82c3acc2f120457aaa383ea134fe4baabed8bf52f3faa3b2dc6d326d400b59e4c642d3c428c45fe55b4d5beab5831be487ba6f4fa10bdb4d0bd5fada469bcb78debe24338bbf00ec475e41bf5d199d77a59b8bd42da5bf52e3768b5f493933927e795c976d20aa39642fa92d85990cedc181feb750e86f4fcda2c85bf9799e4cbd4c47246ed388749d461adba8f28f00a434f4be9e48ac5d937165e7dc07a87e594688a1fd84513f5518c16d0739452d16d2f0ff801c5b2279d9b4ae47cee523c30a7d566faef8722cd233e32706e8ff7254bc2fff3d869e8865cf411cfe921d13f2b982288755b79c3324382f81a7cd6d39b5d6497b3ee3123f6c4e3f86f159eef64db07a765907a53312c7ef9f0d264c8285c0574eecbb218e58bc7c24eda425ddebedfc077da54928ce0db1e393f8057c790ab25c166dba9ce3228ed24450c7689b6e41ba2c47350cfb1e852f86f5b92dac1a67d08c880d4312e3c33e84e761fedbd4b375b486bd4c2ca4b41ae5cf2aa197b34504a05aae991986ea5048c885022e3818b0c01b98dee1152f9152b8e7b22dd7ead3a18e366017f3fd43312122e25f17f44dceca8c657767f5a43da3d7b92a24b2d382069a37f6efb12108c627e45258de90b851a7565e74de95d7fd8496c74a88406d6fa6067dda480af196b0ad89e25236ffe91b35ef9bb7d0c5f9328ec586c30122f990ade0d3f2eca78812f9ed5380b8de50f5e7af78001ada4aa802b6a6d33185644c815370b6923db1a40e6f00f50936ebdddc4dc6c06d877db1f3f840c641aff595c3464faad7354c35955072744e8db9d5db02a2b83402894bb005bce11fdf278f0e9b4bcbe77d08b865f09d3bad4a37c14be547e10fe843bf2051cecf572790f4f0ba6cb00efeac12fe65bf77a5eafba80983ce0a0535cf83f551cf44f4fdccf192b928b0fb0a30760be6b996ebc0e9ed771f740c9bbbd7bdadb68cbcb4a0b14117c5c1a12936bc1d345197455d0de73544647b89be0ec947259ba3404de085f36fb257ed7de19449cbba351e11b40bb6c0e125ccd70b96caa46b282bfe94925b811ccca25f4e1e40ba30c20a14417811521be70d381abe5a02f86d6fdcdb582aa996f646e53d9d5526582554cca3b13680657b769e92b006603e6f3d7ba8be50ac1e6ac5528b9a6f6b7621c71cf94b29bafb75d052a4a386ea6c9aedb2329ff9422a4129a98ef180996080333b26855ba1d58bebd80ec98a3e2647eb27686bc51908616bcfb30e21ab0e4dd64cfc71b9c2fd6b50430703298c08181c8e12a4988c2b12a04f56fd371e64938a703b33d8edb13e5736f0c35e23264e892273cd2dff5be3b291821dd598826a01703b5efe6ebc7adb87f9615db4e7979be5b8bc804fcb4eccd18794cb765db45301697864d484e2e94035c94676a2a509c09feb6bcdb4df69fef92d782abb5f75f9c920f8d2e81270df0326d86adfe3968d1adcaf0841cd0916ff41a2ad5bd6fe282d82af891d748c1ee3c1341c71e065c23b4ab7b35aad856835425d8f4291a63d65c3f34048d53b8b4cbd2934f13a22ea158af9098dee6278dab79c743eec53cc032786a8ba2a5c03f437f3363f34b1b99f7307ae118c1d288ab2d8fa3f1c512113464713e0c8cef34c650219ecd48f86429234ff11a74386903d9879ff7d66aa48e8809a2ee447a3d9a1ae3ddb45b26997ca4173387c25d43fa9294ec061fbd359341912473cf29bd4423d266752c229012f4eb9da6d89d9330b60c2745f3c85e161c5041dd65401a10a891d45a1a851cd5a0b1dfd35ddf370acd42d2f3990c9aa8c638b42c07b25d5b6db2fb6781416ab0a38bd94893ba79c205a2a022440a37450201483cb8b18e046663e519c24dfae21f161e10af16eb22c8dee528ff21acdf10a99d9278590fe00e6c8b86d8f3bcfc044100dea358aaa8d7859f7fc4e646327dc14f19b267d3635b994e2adc92e242dd01c9f011099a0495e4c5b9400556bd6f46c2a882bb0d9901217697d97f9df64f3667ea61b5a8dbcd0783bb4f088d16c4c3075e2fae72917270514ed309849412aaadc588dd595593a0ebd0e81d9eef36c17ff2455349ecae85095ac89633f1f4d2173b20ca6a9f6ed4c733d9ebe9abaf14c242bb190dd5d9868da91ee4e2a79edf116be25aafed829eeb0cf12e384a548bd5c546cceb7cfd0fb7bb85c0397d78cbe6ff452fd42ab4e5d99b8e94f75aa79f5386f103409f9d542c19e0af95ff59fec624f9c13acacbcc4f2a49d8d5712f67643ca4a2737f9a330945b4f910639bfbf7943267ebe772aa2282d67595cc7932d227eca38b082f8573c8e8a6940122f1ee2fbb125bed9e3156be0d6f7b0d3b7ed912c1ff35bd465cf2dc1563c9f238a4e19aff160f2362055a810bafdbdd3a43b3bb9316818b7f0c2b25e9f0513cb76da1ed85bd49ec58b66f167b933bfd0e9e5d4385b820d888f79436fc8204df5a27da41d4de0e677c4276ce7cd9caa87332ee942a6580cac0fda2002c3e151ceba03f367b141cd76d797e6413b3637aa131cd55e62ff4cac1604336339a9aec619803a8229ab78e01d905c768cb638b1ead3fb6290273f7fd1b5b05ce1ea7ec4635462c149444069bb4aa2fd24eb5a25f9bdc2b7513d1e36c902669af56be86330f3ab20bdbbd40c26d3692525fa1e69c5017ff468fb3499a6e11a3d441364948527b65d2566580badfa7c7d32feba6126b2e96d13916c251734b18fbf8418a23598f8829ad220e8c3b75e1fdc242eaabc63769e40ef61d9ffd8c3384b89be02e4b2267043dbf59010e8bf01c2022defe0677545559209585a6d14bb95de6190ec89e7e4d2fccb6bd5eb0d43c533f64161cc06cfcd2671f98e2ea403e1ad009dedb1d4059d3314dc244b8e108b954e9dfe2fe6ed4fdb59f57beb8416d985776254ef746333f75886bbd413b43c279d1ade19a590b6c8756030b33ce5daccd585d25e8607093a1d2dcc45f34f1a7ba57010887f135126a1d8d296dc904c4e654717107ce8624f1647247ad2787e7a1030208d4818ef748aa407a28cc528bdd1aa2734f6d2f2aaa783f74099048cbabedd8abd97c7922e5f2e4e6e99867691f4594d89028681c03d29ea0ad84e1c17970e18786243aad1ccc3185813aeb1e25eee6936a79c1dfe668c7c28062b91a751512f0630f1a9f45eede84d76496b02155c0ec263276b146bed6ec54eeab246b2187d7db507d82dd1313a02ac64806556818f7b7bf730c05c924f373e5e019e81a5d9286b056db5ea059fd7a92d169e61c4781d0741c2eea0e45b6d523e4a995561472828cfe54180e8ffff44dbd58a1d3f978236f2709c3f3a879d9a0a81845309b3bca02c5f15e62d07ec48b7306c4a5f7404f031551e9c7870b8d817c784f87964ed6edee7aefc2c4c58dd0b222c402ab15b0f71c36755a8356418187b616ebc7e239786f9322a7939a79c7bee0b7e2131ec7ee00cd2981b78f16cbd72d0b7ed160f4153c39ff7072c50a4ceba047bc802c4991fff7edef396827d38a8cf4b24efe92b0f9851970d6d97654b3ff63bd679e664565801000be865caa84825643c0ff73076b9d83a83211f540e6ecae8e8b1760050daf81695e999228989ae1013e4061abbe7929a5c6a126f89e8bfa16557ff99afe16246fbed5ed96b30438e412cee635dd3cc47fa526f28e81dab2942eb2f0dfacbb1ac55d30d42090fcccb7f0b9e520418e195cd682ca17bb7822240bb87c13d6074f20b7895fdd44d7e09498f5af1400cae141764f5ceb29d3fe64c69d851a2d53f34b8015f0d1a32bf461e4356ebc53939c7865b714af2e451e6411a042aa0c0165ff6be2df6b7f6947c8eaab100cf06adab6ab25482b90cd818cffd92f7a3a3d9e71c81fec82348ca359c554adc88948a22e5952348a6f67a7a7359e6bc1dba3fd58e4d079bf205fdd4c69410aef784b8304e7a81ec413a3c7eb1c6117db137f601248dfa6e712506d9006013b9aa22a6bc2fedfc48d36be89c7a498ca237b94e1e1684713e01303a11d06b87f142a43f502e4964a8446e45a09d038f15ce713fb9b5c0a059da2ecfc4a7c0a036e5289de3e7588071c36f654d5bfa869682c47573e404a78ba21a3827fb69278d2ff34b7991e221c31473ae438266969cb42ead936f84b633184bf2a12e7591a836e3562734b7453be3a450fedea17a495b6279734f23f57bcb76385b9afdbb3089b5a74366e307e4272341f3f0929ae356eea3261b228b6c493d04517cbc6c71de51a00633745f09ea4f89f5e6f764bca0f0e9325749ae3bc4076436f896f06db550e5b80e36e9828afe831f05b312f0bac91dd4a93fe73f5f12f22995c0076441512efe2d7431c92876a0cedcc5fa33b829009a53b16a35f1a2b70c8c64759c3a89505b8cade9bd7df76c108ab6d0dd4944a44b3993130df06ad281af953406cea6abc2dad514aec8a516b7751dc0f010dd3e32cc817a09fb727f78326114427d145fd1def774307362bb9e7efb03d66e92394667f0bc8cf35802f06f70caf46f8076a7e5dfac9f50c475348c5d828b74e890abfa42fa4f4aaf6fcf097cf37e623df847dc7cc471334e98791622bff991fda8b2bcfce0db32a62d8a824b84dbef0403ba8a11f03d09882351bb550d0e471d8658079382793ca995a8393ce22af6d9b86f8dc993a02015eea651fcc0902eccafdc773b2ca0791e7a12c9b7b3e2f768758787fdc1a04b372ac12728b8ab081b384b7f2c3c5511f3ab3d2427a183c8434be53076f9112b6c1c2b6573209357795edfa89349dcc27acb33a49a64c7620275f3c6bb8055482ce98348c013e63dc5a8d04fd54386d4cf7e171889d76b12b7996d1fc9ca4d74e30ef9c2bf034cfccb33755650357561ad738c0a06ec467aaee2688fcc9801fb38f89ff4ff869865ae3a2c68863987cd20891df42d9368b311cb77047ab4bebeb0fdcac990127642d7b1dd4c8307678c6c7594e23eb0eeecdc773a95ddbff54ee1e9aff119e7380a9c97733f41440989fc2a51c74cfd44f29d45bb104dce651e8ca87449b3863e8c6f4c089283455f17597189a40c2d4a46d50f16bf7e2053c3bb126ba4649a0ad09a8e91a9126a0bde5089a77e939996fda8226bc0df3527a49be8913489e34273b175a32fdeb1bd1890a314c155e0d5e33c326d159116d3da4699d1e6b78b1f917fd61e32adfadf673a567e44502554376cc4d644819e6cfc759e5bdc13bd90941351ec1e8afebbf02cef9b5e385b3ed54d27bf23400db36dcebefe43dae4358b1ff91cfca3d9896bcdbaa7342805553f117014017c34022ce3d8ff3bb51ea345f24398f97e84af303e29302cded3908aa1a98fd4c0b47ac9480af48fe6141e802623de2a516ab34d50d1591fbb0e57b980447d52ece095ceff30b6ae49d8722d824940fd0b9c19158e5bb2f13c31e87c84b6288457f578aeb0d288ab6306bf48ee87cc13a05953f9f04595b7293f8a0ed45519a29a4f749401a244fd8ca2e0b484012aff425972d03a4322ce17b3d91b2c21026cc37ed2d30636f41182e50fa19218a9a9423290f1545963889a99828707065d1cf44e461692fc7ea7fdfb2d706fb7430281d6af5fa7b2c2827e9685d3e0f98163189b2a270c57540f7ecbb2b8332ccf526c1cd02d39016399a8a246370012c0d77cf921b554510367470e431be8e2c0ea450309d1abfaf1891320315bdf5f6361c3ccf8923f38ecef2f2acf5cbe17ffdf0a3615283cd514fa7b2c8fcc638eb3abc35266ec45f0c658a6547405f3adad038b73adb6571c25e342b28c83f8fa4dbbb1c95aca1359254204b374bf2d6102ac8bbe81e52344b4c65b52f39bc0281da9d395a834e3a037ae9e624927a647945be7a3d870be536991fbd1947efa3f1277cda877fe78ae8cd554553f496834b486b223962b448fda013fcd2ce5b1a9d828ca95f64b03c0fdc723a46a1d1698b06f86002c96a03a7a124193f8d692db772338a87a4b4839e74b65c00a374883295f15d5b4bbca2118aaf054aeefeaa14261693ff617c70ae71a24c734c60e1e456dd25b605c0cd396538d9c46b0dfbe264188b1ff7f6f06d70446a3b544accc7eee607ebc2482da96244a6dff1c837d3b3fedbda3e4e63a18efdeb1b7afc6808a57844cbe34a7ec24ee5dfb94857608af2a388da0918f5658da02e6f77fc791f3cc3f61f998f443850316943e1569bc36c3600587caef17d49adb7ad319be9f536e1486e2f9063cc0f3bdf51bca6c2399803c7c71d7a17402b36a6dfe17c73a3c1d13e7be065a2b9fc9063cd1c40090b80b7b2ad146fdcd3b3e07fe161a6d7ebc78821d8fe69198772707adb23e722f3b4abffb942e38e43707b422487dd7bcdaba7caa78b58e6a08feff3fdc36584bf0ecdee7a8bbf2bf339b8ffff64108944a8493f9304b702b9382b4a74e3bcd6b3a3abc1872f2588a7b934ebb0cb66723c1a7183811a7313289569bcc77953d2e2f968a8ba6c87bd6e914effd25334952d0a75bbeebdce54ad3c09125e9b7c186570650a6021285aa546cfda1167c6836f2f42d415f4c8c80df6bfb3341d7de2bf2b69838f338d0e032b52de5f0fc2d689c40f9762ec49f03124fc76a4737a7724a17c17a7228e9cc94664831fb0f77192625f4e933c9f4c7584565f6f1f71115f5eee76db2d15f7f6ea37c7afcff25023d43cafc0ff58bb2939791fa9ad6438a278f0e2a527287c847158951d45986068b22ee976c5282a27632d849a042bcea33a863f3a9f1631b405c543f89446a0dd1a2107513ed4acdc17269bbe4a8ebe0bc141a8944340b6ef3b6261fc465d47edbc13ae8af122dd39cbc2747919f91df46fa4f93835ae0197eef16a503bf19668d456c3e4671ea9480d9699eec10d48bb439e752d5b2e7cd65f888c5ebf7d507f42a62b0020ee61cfde1084351f53b8e787aa62cc0ce526485260eb077eda45d195235555d761367057d222d01747968a88afe9d5a15ffb8f3f0017e1a0db732c9ce637fae1a140dbbf161dcb6721826435eb3957bc21f4ca15a2b5d75b88805e1344fe106a615e5828438ba9065bb5cc69d4951c7ff0d5f4d6e116413597596f83c15f12458ae47bc040ba41b407c2087c79f606f0ec78455e0a0d760687df908479021fa031c03e44699260389d522184ccde2bc11ba860bc8717fd65126a7593e31a970d5cc8295fa64d95e369410c89abcce17e8f764da51df70c4695b6c9ac2a5c84811c5e8177d2ef3db5c0b09536c2c14f939311d3010d95fe0f4a41e0f4732179d46de7b4f1a9fd701b9631041b042d4a35a9961b04c9c15fab918fc3690b3b8d3f201dcba20f28545b51bd4f3a3dedc1ed84dfd7cf57a48604ac649100448e97a405fd2788415ea35db940f381974669234c4697ab99377591ea90b1b70a012e10843ffb89d8d6c3554e37bbc7a6c431ad787479ab06929b7bece589cbf14771666031faf14d9589cbbcbc0adbab688190d2542ad043507b49359a3457cb1d32964d51fc9bad791cf727d72e7efb543f359838aa761c09625298c1266e249ddd847c34d1d9dc30b5619db4e366769841bf79e14981f4b3832e43d2032b7312920998a6d97b39a7fb281538f15fdb64ebaac2d05456bbcb8374669dcac64e140024406f28f9accbd07cbd5603229d1774ca8b5d1327539643cd6373ed27b99f2e6d12e351ed7932eb48b995ff685243613b40b7fcbd1c6f6455e1ba9195fe2244e086dced7e594665834d67a83f7571e9c610dc5cb014a01e20be288399aca77757850c24b83fde46d94ad2286c29c61e1346cc925c64d055ad9b1fdcef2cfcab92d3e8cc5bcdd6b9d302677e29b5d6e8d151ef60fb092f36654ed958e113965a32e1be0340ee1ec79cdba9c01f9112c9549b1777af5184d4958775ea737d0bce9083f050fe01c51fbe18552b0af3411dce5a711bc2f01d764ccb0d48a4c598ddcc93e5a19a4c46778af04c5e7d217a137e81edf4e388bfbe7307a5bd7a61fb052d7af124bde91c0410c6982297a479d51bcca12bb0019a30f2d722e9f64d3424c192b4acb964f979bd1e600d88e4ab1dadd350886fd47589710f833219b4e6c48d89c23fcfac4a25250686f164674db5d7f259edeb044745bfc53e6c2b60ff4647add5cdf6bd84cba451c23397c6e6ed10eda000ee898f79d8691e3b2397b7053e21026e9184c93ba76aea5a0acceeda2062aba823f053eb6647a367c2a84d7aeece8977b259bc8cffa6326af0378cb996797959ac7863b0b23d8d50ca10cf235d849691408624da22dd333d9147bea937150d9b67809d30fca392212c4274a78df05572595879e922f8c5e8e41d5729a010cec5f4eab78fad2524a4198a541060c07e89a26c95a6d64a2624b8ce9130ad56157730c75b7eacd1fcf6573571fe5150ae8af7e0c70bdeb7ba99608e8ee3aeb2dc46a17ce827bd8f119b70ab86b4a644bcdbc217dfad9eba00e31d7ea081875dde28eb9b2fbe9bc2d14d3f88776206471b538ab6e4b3f305d8610942d5b9d194b0fd218cf1522f283ee9fd36e553fff43f9d8a2164d8336e58869d66f8e245f61dbf7b00e92f1d620c80583d01cf610d402a016a65d728cdffd2ed3492139bcb2b399c6267dd4b1839dc1797aed44ea29e31997acf4cfb9455e98a903ed26a1a16e30610dbc27542aa125a8de3418d2fd159693e4a70436421cbd6f32b46096d61507b889eef280c41b70c8a678a0b6e240fb403b2545b46e534353c53b8bb78382ddb27413b3e4c34a9a1c48d31b49db7137905e7198701fcf7e998434058d27c717b055703c6dbf06f6ef96c5b8784546682e7e4731809dd9ebcfacef5369439905481c642b544777b451883cdfc88729c1207af308523e578e1b96d833ea762cb6524f7d79b25ffdeae3d77a74c86417a622b06ae608f25c7de98448327508caf620faae5e7b6a0624b743b766c1825ed6bb5361e35a46370e7a5f2e9c1cafb3b2e48a025ac572a2b33dc7ad9c1618911e7112e1c3f1d5bc192fe84cfb1feb38cbb28e497a619cf897131a56d037c78b867df4c833d5facb4df496813b438d7f559bd29a0b7f6cbe474246e1a1482e513aa38158e855a6731ee8933fe0384b7c08827b47491e897bf54f45fa14d421988a40ff164086189c5e1507dc446c2291ea41646d3bd2923294a5e4fc140ae44c5d9e4ee8a0c9cc4e47cc6231c7c465a49514a6781983cadf729111b2fb5a52dec0cfa38ac9cdb792049e649212411ffb3636d864c12821a4cae63a7bee3ed225abc2c20c69f55cf506d3d11165a28cce2e74a42c43d721a9663554cfad7d43c5ec731bd499ff8a9cde0ebf5b2d44a3111788b73c1d116e1a2f95f17f920dd1e75f2130ca32b84c8236e19864c7e726ebaaed8635d347df758f8884284c3f18c3dae2ff11805fe906cf07a13fb63212be3c950fe69f539dff4f1e108c9210452d96fcf84427eb7c9b919063809d53fbc8176121550a6bf367ed99d6d8290a1c6413b4764b008e7c2225f83d6c9cb64351fa98fc276b6b283d453d4a20ae4182b825cee869a37dee50a1c65a4493ea20ec05e68c416965e43d16ed4402e7a90560e5d13aec2c88d70d3237cc9c697fdd309034e2566e8d1851af4c7180dcedb2578b94a770d4e1f89f3d4f1a40091605ead60133ff7a29fb53e59c988a8aabe9f5fcadbcd5ace0b00d791224a838f117490d09d84628e1773eed664b9f24b46e6432917cc08e5c68fd35c66e2469083a883aae9fa97d92b536660d5b0d2d2bffcc0e5a586d3ec5a35d5e14d1b79e55090ee4d5915e8deb660dbd12bf08003890e87a8ff6f340e58bac7aae4daca841c3f81220fe530a9a8d30d8593dff96b6e41a3a2a42e446df280d97d6e6d1f71442e816a2fef1ad9d8614353f4f0da36342caceef6030fc65377631dcbe85633cc1d754f769f4e8103c3592e8a8fb8dc23b5a8f863f759610d90325aa2c253b33260ee26118830ab604cc5c7832e0718a176770904b23dd862a7766b728b5ecfe7f9c98f001e34267138c45224c2e4bed63638925ead4c94677421f47cd604fef4f7e09a325d65876c0229e8ac520038acfd818b093a214e0747bdc52f95de043afa49a0af63de8af0033e470425d633c2ee54afdba089fd988bb0a381fc1afbafa2d41b2869b445f6f0992b3e37e35e11af682ffa92b5e1788451c7d6eec4da34aa87132cb1404afffbb416b2de0ba7a29231942eb310b561dc41171bd05e7bca28e08c15f152b2655b8951cff32100fd81dca16b37f5196a3561cd77e0640b6227e5fded500849a65869542695196a96958d44d3c91df65abcdc5f668454e898a53bbb0dc49e18a77c79dfb82562f57983ac258ad181187d929c59ae4ce96b4dc12ff6db7b68e05c46fb4b1d7d7f76eb7a56b8159a56030b7b553a067df186bd9684916665339ae838d30644ab509544f354f4390525e3083f35a6b262ea0e0ba600cfa06012f2c3123c74ed2d54b929b3b38417acb1ee04f3e83feb04b73692604e77efc35319a2c6d57a3c2a96c99aff7dafd87327cf56de81cb75b1c6f4d2a28ff5b45d20cd55675ac671c92a1bb087c3aedf25a716cad3581b09097e9f50263d1b8ec68c3c08d83d26d7feb30e689b0e8602e9ddbce83b3cc67d49d871a1ebcf25c75406ab7a46168dbe07f3fd19f9d0e56d116e50f46df34e2ef12925aa17c78d2a0472b6c95842603f5fffc33a3c47dfe95232909970f9e83cd796b723fafdcc0495ab5989b0f6915a88832d87eab015f9db41cc67cf64c73373b13b9460c9cd47542b59c664a9efb9bf4a254c669ef888bfc6313b2a9375d8986e83062319767c79a0962fce06b8d4b97b9b8472bf1581ee38859a398daf003bed4cb2f332c3a25bd32326d9561cf2dfc38d6ccb029d152c67ca8dd4cb525031198bc17b99b00d3e0a93c180c72e1d85ea63f2543d892fd59b2805032c8a5c5fcd6505fa286302adb0971a091a5c30df3d317db4d608cc08b424b7b98bbf12e2ea62b14ca626ffc73fd4ad81667afe5097fa210a1bb9c87d358f2fcc0ded7c72e22897910cfda6bd5c5e5ca884a61c2a98cbc7dbbbe6403ab9e4830a7f5e408ddbc9ec1ac85dd13c1497ec12d2c9db5de89438f0ac690409af159eeb7e7e71ce83e5557de89d660214e814c1138b5c4cde47d111a59d96554a7616a2b400641ea7d2da8811acbd26c87dbdb4fa5bab3b9dd806b258a4480d822e28cc27a505ce24c96ca4698a90eace94cc95849b2c7fa2d8c709ab586df85edeae7c035c8af4668123f16c68f248c7400360eb000da0d66e7f167fc2b5232102d2f73779910783e619f323edf942c85e4a318809a7b118f718c98e401fc49bc59b02390560e815dfa1bc2cb5dc1f2266fb9d33b7d9a9ac85522efc8eaa278696a32f5cec3cb5556a9ca0ffc006f93a9ae68a927fb6969e92b06b4fdc234dc42731a4b38daf8ac9f8f1f4f73aacdc76b2bcb021474d039c3454eaa0cb47aef8fcd328d94003a3df8a70081663bd1aa5295ba5793c7665bb9ddf265345bed4530956081f327c7572786f98aecf92091c13de5902f36063d1d21f12580afeffb761eea79d373341f2b1d2f48e6d49f3671bdf1f5d822d88fbbca41cba6355d2a73654215cc80eddbb373980d6f2ac89522543585bcd1bd519a2e7b2e9f518c889f26a96e6b3a86c23dc91988cfc3c65c950d0d9b00c231ca30868d908a5cc31c85297c7e08845850dcbfa5b9d209be2f7b29ee11f2bd5247572aaa44931e233d9b04bb6ef83e8f3256df0ebef09ccb4bb58177a5d7a62272947ceda2a2f95a2214fae1304eedf840b949ce8ce5289d3e4ee204bf0f46ceccc37adc80dc34360f12e7c386f443a37664d80fb0190827783968e49a3d7a0ab9df0948bc1eee0f299d4f55982e5bf589e433eec23f9f30b32afb1eabe2b6d15413a541b8eef0a4bed9f2e5db753713c2dbdfcd77029470397a374b17168951bd63ba27f5d8266f908f5f75d8dcf40b17e412a8cba20656acacbf777bca914dd158c58df1e6d57f70f78d7f758cfdbb3a7f42b095fa72be13637a764f291ff36343a9efa4cd4f9ce83e21d088eb5da57d60facc253a9809ad694f82c630d07f86dd4c5a5a3fb28fac1963e924d9a203ba59974070d3b8aa983dd1126c6ed34bf61a48470be943cedc78e4f5ee3ee81f61d434ae2b823625e006b81262cbcafe87b146e1b38de1725997fe0595151ec82bc7de3ca8dd9d275c7fcbbbff048edd6bcb87c7d89bbc8190e36c5eb25d09cf6163a91944bc8d81b8d705f87d9397c4dfb5eae7eb84747b732645475786db6370e433f4b562bbb810eaa5f5fa504571d7072a89da2c7d830006acc5df1750c64965633b8e31aad1c22649b609a0434fc4f5d677dd268f4c87410d416aa392e97557524f7aeb076741addc1eafab923bd95b70683045e96d34314ef449c25d3e1e8173f1d5796d860da62f16a9abc3ec6047a2c6735a97c37c12ac644f461eab32f9755ac9850848b2004ee9a5f696f39ee9d5c5e0c260414abee7407da6f59689c034d116cfaf9f63ea867ff5b170b34fe761c538874553ab0a83361be6241bda4757ffb4bd4c10ed83860ff85268651f557223d0c701dbc2603b3ab33d94c1344bda45b774660736125a1235597f7b64dd504cbb3e17b095b3b836476a8bd87e288377cd1422b2c9552a04569d54a826eac1b4d0ea98cbcaf7ae2ce93df4bbd6af17daa3e353f6bd69eb46035a2109a652ae1f5a7c40d36e117ce1e56496cd34f8e398b77c5742778360b8232174e7fc1a990a3d6b8fc6403392b893e7bf5517b829e86bc4b623e76c7d650ad3131aa1d8a869c9fce8fe156d1b08f39db6dad072f06d687ab143703c89282fe094ef04f88767419f05783f4080c475a3b2d172e0996bc0528173a4c53537699c9959d932afd99e666c98dd85ba0e6b5356ed144ab486ffd190f2bdfa8d4967ec65aaf827a1b23f674cf82a516daae99a5623bfb696e3f7897299199472a7a987898bdb7c92e62ffa43427f1b0748511e78e050998b7ccef263f7b64ec61a011268138ac40a3605ae867c49c85bbf1a7565806f052769916e11f54a96b2ad31771b5f875e77f0765f64e4d92ac79da30c29826d506bf3dce7fef9ab740af9757c2875831fdfcf1d2bf8ca68bccab73eff85e5cb300f4e6cf923a0b0e6288c08d958965d41420315e948b62994325c7d5a995d800514369a73cdaa245e2425a837ed7bd0a7eacd93f8c639857d7df4cbc2c90a4756470252480646261c5e2f7008de8b2de349cab0aac0b5a5f3b97ff9c6dab8da4d2385520cec793e0d9b64ba2e40b635b61027e197940d056a5fdc90859798a36e816b3747b0fff8793a12a0808ef40d957c77a557cabd5801d4f04e9e1d134b104da9b5df9aa72c059afdf9c1d1c8c8b15ec30314450f013a84e101252d435be1c4bef351bf74ffcfd7531283db85d6e129f731934ad35585d166ebc5384fab61a32f64dc669af6333cfdf723888e5fbd9c2731f49794ad64ab51640154a69d0697ade33fdec21f93c1215493a7abd08ce4df3805c5ee985f1212cafd942e45751ce5e668df052015db35b69e6440b02e256eb2db473cbca04009893e052274b340a24aea3a3dbce536a11640aac624e160856de20e4779b9d5f2162f5ef54356ccb48f67cda8222258c4520de17c9082b6ed813a0a02e75a158e0271091128252379a292db04498f928fbc24759b902bd5c30a3cc0ef40793dafb6525201d5a6003cc927cb6f828d383e8ce8f8f746fae9ec102177772ce71405504faee5137c385e949407030a8e83ecce66cf256afc930426404ae9c56c7ac1ee68a79a3c6cc52081a32c6367c82d7bee755014cb3e47d32aa71fe6b6fe7c8e1b7004d827eb396b1995eb4ee2737fac63cd15de6ba73c9c5b6abb278a7b53dc97ba1317b1f8f6764e49fa0f854b0d4489e55c1b8cbd6592454b4db830e7b37f41e021d1901c210256b1d5f3b0c699b586b2b3884254825dce42b5a3f9879d74a09b2675f7342fcd7e9182bf2da246decb6ec6bb37855ae19dd71ef73c547ed51eec6a6182a5b951614fe52e600c7fbec6f0edd9b813f2b77168cc6082c6845e52862ebdf2d72d280b1183e60c9ea8aeb895de7fe51e71b1e68adc70623c0d320567a0d2456a7f3bf8fd9bb685c74bcf349105e39c23a41af529a20d6d6a6b137266ff7393ec67cb4cd6404363007f1b427d5cb430b9e46a784b6084643cb87c1a0c889c2419e7fdb2c44e4cec50fb754fed38cc8a86ae3d805ea4ed88665580d2911070c0306630ee1adfbaf762cf665f7240e9f9daf02709981d509556b1f809c234087d30ecc96eabe644ec6de5aaa2c96e818e2d4353f6ee4582575b18feb7db59518ed901669cac04d537baa9f2084847f602db1368d2447f1a1e40b410db5f9d0b31536b414a7ddd3e0c17893574822c1a90a7136c2ca98ba1cfa11508fccb12618df8b53ca2aca58846b8689b9efc4d539e525d9a0a1a58fc9fe190bedd168b21d6b2d20018b332fe92bb005f3fe7e43055fb57017503ff82109b564d413ea22e09c09d46add02eeb9d00f92738e7028f9e69af72080cc680bca0b0356e947e315b30f5ae9143bae3129d7b45641204cf960d05f81e2a3c7b3301564cc5fed34b49c2e443d28862af7c0c5323e7a2b77b6c54358d703904a4277123bdce070d7d56befb71cb36fb8419c3d1a06e5ad60046c40416718d929c4268fb011aa7a2966cc8995ce8e13d27f5d7087ccbccbac5f9cb765cd057d48f508b9640ac1b5ff8eef95261b2cd5304652b843ef5387b29c996e5b08c98350d26bf97cb169654bd36b1a96a1d029c3c6769579cbbb05355b50f56837f574f9f10e32d0837c4714487ce1fdb2c8dda869fe6bf5c2da3d2c2a7319370d736aa6f5311911f4caa4966d60e4cb9515b31608f8f591d3d2e185b41fc770eae7931b0b2225e4bae67a5f467cb92bb838bf2d21e644f68cb4c146350cce1dc386eb41c1f1fcf80ac04e449391648fef5b9e0c1437fd08bdecbe26f6feddcda6d7495cf19e71fc589e6154a68d4208163b17c67a5a68d663a2bbb3d363a2974bc2bbb60c1d23febacf7f6fb192ec1b6dbc0da7eed3ede4bef53742c1d1b0619bb8dcfc58e4a58da0ddb3c7af660fc6577af12cbf11ff1f6b2ed0558d3df215bf9cf1ee95b17248e002a40f85ab560535c72dc227a0b6939958518e3ea7a049f596284f4987f670e771401e22fb675f22f842c875ab9d535517fbb74209b36f11faba7f8c654f69abccaaf03151272deedb474b787dc4606a278c5d90de97b7962ddfc0101a49856e85090a554f7381aba540278691abdfd48fbbb4346c4669dd6dc8892b4af232c7f566eeb1523ccf9906a6d46d8207f0e68913539449118be01f53cf05c9acd11ca80faeb300d3489aa9b6033cf130f58ad8b76b4b41846288d2a31380855dcfbfbb95d166d2ce8bbb7770ecdfd3c17a3fdb0c68d081e27e0e1173b0e80448ba44ac29fbdef015fd9a21d3c4bd2e16e3f7cc457a9cf2bed6c9e7c54393d15ddc0fdbf6b5b16ce50ec92f55438ad2db792e9d72a87bd5eccd2e1ee0e1f8b750d84e0371b84ab84d6ed81968a7acba1fb32db32d9fbaea613464a03137c12f1f98250b078aa6d72fde8bf73b00d244b92ecd237f4789afac3fe7723c19b761ea85d9cf636fb8ab754987bff19646a584154063ca645b5aa7ab8710af4125c9623f5c1b940431265a0922ab0622778730b50d05218151ca993a4303bd9c0576940cbb8b1f70b48914a69193355cb80b6b70b40e2db3ce7a81be303dc4c12552e5fbdbf527fdd7f47d3cab480fc509d57bda7470f1daee34e0820296c942eedccbdc4a8e2faffa4511c1c9ac1d97e8d51cf696f2c320eabccdccc4e37ed5632f1a6f726920fbf7defac511e1be4f9e0ca7b18ecb9fca1963f420d174d56150aec196489e0d243b67f15a792bb6dfc5e69c0fcd7546438a0b29d927a505c18c5237b090e18adcf5baa0b8bf65dcf059c03e8ac7055094b898ecef7b8de5d0c2449d9931613304f2efb4e1f7154453ba6e0573de2b4d921768f56adfb00f3b2e4d167b868081fd5fc2b9daa3c9e914fcc31cb74747d2e60de4957c03ed2a9297b6f0ec81b80562e288f888158a4f2609d9e6fe2447d8a04f5c30bad4616345670190ca05cd0882f3320c2d6380554b52d132ba7b97a96c6a2e6e4aaa73c13b000c0843dfdb6fb32d1b048998b97b26c4f6ddb2556de1c3f91bc0f1d12d7b235185b639aea6918621bdf568767ae6bbd69414a53839d46c4d8c4183a7b4f54ed4fbcc676d14ad06ace7ffafa84261b535222901615506ddb62dd60f6becdc9ee40ea0d0bbe7612533aff8c3fb0b79c2ef93363f8cd66c17cfb4917aa074b970c1a79c4e56bdbb11f1ad97b61ed0c160a39dcdcc36b419aeeaefacd300e8073d0b1b4643874fe3985a54c7cd843857abe53e00442ea4203ce7b0f71e8ae501ba340c6b41c24ed279cd3dc321734eedfcd750e5be1ff10f8f029ec8effa41a40687e45fb0cd87a7915bb495c86ac607b9eafb16d12dd02163ddaaed934e02d18b04b5009ed61f9bea82b42780f5a0a638c240c11558f16cc18dc645478d464570ad58f3994d64de964d0dc25295067a232ebcf67a37cc5a5000a37c35963b3c1c0ebc9ff09a5037bc60bac8fccbb789ff1450d630d86eef8b3b9d7a02466185509200fe739f90f50112c7efafab7974b573f10537d37f185bd1f17cbda779d0dce20a02b8a8bdd253f6ca79b35c6ec4577d79691b09f687d485f5de692ae432121f7524166a33e84506ec3a15fec7c7cd23a72b03c8dd937da3743dff7289f9d3fe1cfe9135a97115f78879a68457e55b7a7287225722d38b02aa2d4eaf591fa04174fa272f5306027eb780bff53e956e649d682dec1b19cefa412f758869f135f70166ad61bfcd71268775916d2717ce4e217c57e6a8f5a9df18302b7e10333dffb33d42dd5e544f5a765e5ad1dc6c5f5a845717d126152df28db896c4085be134cf86fc37304f5d921cd0dfb5fb869eed41771b9843cc91dacef563608ce29a0b2c94a61c48221c96401702bbb1985a476fb353d17154ee1cd3b9c0cd16acd63b3a2aa3de75053a19d769e3388e25a77106af3af27d2a1fe0484e216851ad994339d0d62fa6fd34bc75a576bb9c9967443886956b61019e72eceba602cb66abdbc477d6fb3a02c72d9c3828faec4cd977345c8b7791b140ca99032a2b3dc8a70316b0ede00244d528aa603c1f60b9c34e1f3120db3901e0e21b8a8197fc7ba079bae0ff7dcfa36413c21ea3add015e6640745855181fca5322d9600766ed15bcaa9734ea6b912b2e79239a36a6c1d0a9ee5715d43eced66ee1356589c75d2f443aa4514af88b760e28846235cdbb236dc5ba0a4cc58a41d087fb01ee287768b43fdd04d2b342e4f55f25feb0406c5b4dacc41eda78909afe2db87a449013235b34af900c8b017a1fbdf365ed73749db9331a4527038d515ed961cf01e64aa34640107499b2a298acaa93509d8f250b1ea197ab9351f2238c22687ebe830ed2b7832bc162660622456628c872f7780da9cd10c5b560385e4c89a59dfa2cbb93ed379ecf54949f5b80b444c6f88ef9546206c21cad477e6cacaf7138b104182c94862359b54b38e18dd1c3179496fc9af47a4bea9dd013d46e841c1813da7b4140362a87b3ed2a7f43dabd42a585bca5bce51dbca618a34256d04d0e8fc8a1c6e8f890c90a049ef5c2e6ec35b9731e44781bbd8212fb947b1b2020dde9d5e01b93842f9026499d9caa48e111d460a55b4bcc045b6e620ee0d67862dce0b3744b568180f2f4c0bd8542631366970b5609cca0a52da26ddde0a3fb4660a5723288e9b1a3ddb92cf966722ce75d2eb94f39775db1c9f8d67bbf449c00ca586cb8c5bee8ecf96f1672bc878e93933ad808b349b3b969d978b4e7f08102349adcc5dbc04b784dac05b4dafbc227d826dd8732a4582b4df626369d5f04975b4b12688e87ff1325171d1ac9340707dcf27b9b8c701cef7a0fc6651f0f5b8b23444b00b9563cf7ba9d3dfd85ae3107abc6d7a712b485fee201ce013728d30d5ff682102cd628f4fcbdca65f6cdfcd30f049b65d5a7db0b9d7d9a23ac177a8e06b5802e26df262ab55e0d31d6b83c0b5abaea33475c08dd85a94514f0be84a8e878c1756106e300eec6008e3c59fa129982a1841d3aae965430c2972b6677c99d2ef43a9b4470f2ef262de3eb09285d7c2d6196a04da4bcefa3436ec9ee6d2dd586a52204785561847d3bba701e699bb10ac4c706718206c671ffb070e94008d8244efb63e7f943c5f4daf2d4a4e4e7f0a80e797e0fda919f51395612b35d9229be7181cd73b4ccc40098bee247f25435ea701e862f1faba7760a40a7ec9c85c660014e52109bde52e015e8aa853723fe1bbc59a9876601ac1bd69b4a0e53cf02d8826b954952545276a02a82eb6d9905eeefd672329945a2433b3712a63f3585141cc8f95bcb34c0e9b67bb07eda92239cb11b22a02b11c88672e2a05bd4541e34352b737d86909072d3c458cb7bc64e6e34673247249fa7066a43e50ca708a26123676c16ca78a059ceb7591153ad82104c39b3b601f205ebbba9fe0c290546520e7c29247d34e23940e01811cf7f01352b016ed17db1cfe68b1b91e981457b647f101e87f175fa872e85f2d4fca6a0e37b57c8048d26e532d1ba95cfeb448c63da96632fb2b84bcb4ba0c93f9abac0e20eaaf92b257ec49a7b58027f47bdada1a335dc6e1b181abde9c6c8358030c09e69b49705c905b7ca95fdd92c886cbedae09819f5ffb4adb2cfb0970c362bf6df5fb40fed75a04b79ac3d898683c8e518567d5e7246be5cc05e046b19ae1b2800afa939164b4543874ed58a0b0afed66e9d6b715e97e5af0584f890d1627f1bf6dc48e0f97c68915f740aec2bd8dbbcd07f613d5a3c205c716c6010e2e0b60d3ec7f80f482167f53b7c7bcfd3a05962033e7218d9e1b751121d91623b1783bf318655d8320202dd274d319e9cbab8f7c3aa8d0851d16c77d075c7758cfc1ac71de99d4acc1d46a5bd1e5aeb6a9d9ad4951d169b38f67d4d1315bdc4be2c6872eef97ae407eba15b8f3a148f376c6f40660513234e8ca9fb0055ec776c1bf8c77269a9a65f75e2891a6d5aaf083d58550e9acc9b91498ef992bd69a1bd137914cc545fa7f4879e06e709e264f49f5fea67612d28c4ba39a0e3378f847cdbb8b35536ddad7d1eed35660005f1079f747c294f02b9d5f59d265970f95bc22f081a92c747f2d860440085a1ce07e4a165589d617292324dcfdf3189f6f65ac5decaaba7f293d69fde6398a97f074f1766cb2907c053da7ce251abb62df9aa66c4f6141e611243eba93dc3f5bdec369036b8f55cf9d25fc29275b1eba5fc1a6208272c2adcd42df07873e2135ad41d949e7bea8556b31544be9f7475776b3e181faa20ced0cc9d2bfc6808bc14c9edc373ba816a239f623bcddb9b6f52265eb66ea56b6873e4a0ff5c90871ce7d5f8b1965d4783873098d57069b89f602eacaede3bd06562d129b72ec0cb4d53388d02a0dcee63b78e59add36a5187d221feaf6042f9115a584e427ed41c3c3a0fcc398959568a134bc89638aa1f2cc93a71385f13e5dde60882daac67bb564925e32eede3fb2ae13cf18d0ef7cf3639db3d109845b752716007d399488c6e127d7922abf621290665d995fb9ec29d1498b56b40667ad240d79e1fc06a9f81413904a83c32937f90bfaa299aafc1bb858f4fb6ab2c953e3cf34fc853f1eabbd8d1d5f61ed9a68d6737104d4deae043243cb4d4a2dd42e3949ed57d3af91cf0444b0c987a23e993e7aaad547c0e869a1e4fe17182a440d64355a16419f529cd0eeee117ae3150f871c5b60d772c064e9173d11279b447e4ce544ede7b2d87128bcbcc46837359e6019ac8a60541d688111165f5748ed56948be7afa0862a466160a8d6eefc7470d35a8e5f83e7f2a08b3a62ac501fbc2003173c0ab20531879dcd278ca8d6dadb279775110d33f2525f806395c42ba375ad2d6c49093f500b29a2e7a9cfaffa6e57b351a41747d7f1cf38e5931d6002dfed68383c6cb629fc78e1c3729e769b67d8b15cc3c4619da98dc03680cc3cffada726820ef2a20508fc26a31b40e498e07d06f411ea7857ae1b13297b3c1ca8199213ed7efb1e6935f4a73541a9fcbe403376f1ab8cee6b049eaeeb1d08f8e414ba52a9656914003438755df172a78013aa9a31833dacae0cec92951e93fda5c2ccd9eb62e8159406023ae08708e64399d98e3980d7defa2ff7ecae3ecf1a3412ab39ec6c40f0dfdeb51fed4d8b0f6f9f908aafa48d6a4d2f68d75c0fc135b30bbf1d5a84189c59b12deab58c122487f4a30c9483115d8f379a8888156055dd30f83a22f7fd19e8c795e8508d939311eeee92b8497fae57dd3d398dddadff411003dc978991690b9b92bbfc8e28b2c8a41499f1abb71ea8e68020055973ccc479c860eef79a4016f23bec03256efbefadc1763f62ee6fa568a6b007ac9f9c69b0068d743da6734f38d5f2b5542aae2f387fefbd3d38e7383a8f7ffdf94811a9e24dad68eda226d67f182ee97ee03230ed10b5054300553fc89d3d70b8b44bfb63e2df86b6c25c486b9a09f2070c3e667c464deec0419619c649dd782aa4dd048ce3c6e60d3069ae0e74a8a635e0fdb3628d561f243d395a81c3a336f577cf0cc3d4faa0f143dff71e0e56e8d6e2e6353a180a8e31f6e8f142d86b0bdd1756a2d4d9e7fa7c35e9deb7e4574cf04c95f44d5aa4b4934c1a7269d8ac37b7d680f9a66ac63268cfa9f4b94dd6107cda2270146a822c1b61841996c605584c9de4e2cbbb40a4a3a0f89636a3b7acae205ea7fc114d71ec2b8c927682af71d74112618ccb3dcf48a23e7acf0b8e59d75c9a0ab17358219b757e650e71cb85c2b43d7e0c90b81c29e352d3b11c52f29c7fe37972a39a712d4f4fc0544f5ebfb5bbdfdfe803a2b407e5056e3bff3048b1ad4d2c786ae6e1712f1a0a538ec3852e13b457f88023bcd9deaadc0e6d8f2f2227632d47f3d57262eb9b6e3cad6fb5af2ed5126dc536bb78483d7d92f711a4a9acf7e2b76e067dee9df1ece3b0a3758cc498a90214037d66478aff037dc8f214b36af08c630378c25b3019c6a492960c1a80b8af87370105942be92789b5f9c2b736108a311a7abfc31cc96d90a9e5d1a28d2e2f31c51644b7cb4537817b816a7125d985d85fd3b601302030cf3bcd1d040d8f902644457ef61444285ee32d157a5301501f73774ee6fa1bb7f8996c07c69dba0e8e0ae1c2f4810a07ba6e49be858cd182a69253d3388c4963d121ac6659345d41d382920b6d66420c3052742eb19b8da15e430592678a7e14ebf6ece85e070d22f5ef1497e46e52d0463417bfdc32ecc7d83d60f5c116d56b8e6b787743c1556af55cc32499c21a866b96ee95d15fb22312da89cbdd88060ad067da68e5985bc596f4bd303ae65d76eda2aa71bb2b04ef4ff2c3bf0c515138e0f5f396f1c7e7d4434910a93bf94e8e7f4ac87709ddf345f5966b4e3efeadbcdab0bb6191c409f574d20bbe9fba2ad7b47970d8b7e7c74639b0070d3da91e2d928d58a8c113fab36dd2cc19afdfe814880c3c09a3085ada44ead79189787e2cd4969b039664097c2651ec46e8ebb3698e0916362a36b22490ba2643570e27d00d02bae7a368589cd35b3604dbdec2fd1b7dcfdcb501207e9f557ebd980fdcc4abb239b541232858ef2d9bb7d0e25989a345de398258c8708b278a9a06596cc49bdc06dbed4a4f8d8ff4574448a4c7e1be70f7e85acd340905668a12646a1669d52b4c9a75b137c5d5d6d26ed14bc3f54b292977a61210c6ac8865dc5a3549dc4a72d0be26031395130cdca259d85fbec800281b0a1f1fdbb9b5bc0c44aa35ebfe24f9e75c1c3bb87cb11eb37bac91a4de8f6a5869748b67fbf2b0a9a07c9ddb7b39f6356160e9db49a7264e982cbc9be684920c03b1905dc6d6952759b9a68ca71e18468a6ba7d21155e07bcd72a007e2de595239b6ee4a869111af53b249440373eab8c34865f3f9a6feee1e9c45a94b8e7d2c0d8cee30ecb7014734fc0f8228d88ad3da449156b2d4d474c1dc383ba7d8c7a418427347dc566c72a1fc9a42230f4d94c73c67468b6cfa7f1b10512732d59a8c58bedce61fe3d79fd0920899136ae7512cb81f178b9771f778b66656cc4949fe2603629618eb6949f94f50affc2801878eb33516b5b1105a4abd0590005222acf112dafbd274029dc92f33de2a40777bdc5f8a05387cea45ce5f209182dccadb470e4f5e93067cec4b71b7621ca8e84ff0b53a125ca922fb8ffdf38b8e25bbb160764039ce1d5622afe9559d91ea2b83d3fb95e3a6d78fc120984815d77f9522147da1ad688c942f6a7b3f7ac89e3feb1633ac631c824fa1597e8a0dcd745c92a08a8eafa3f0a42c873cc9d836a4273e4008305c03b8c0b1171d10979e64e23ddc352ee6418a766ded4ff90cc242dc6e0821be9999b8ad456e6556285b394577db8950f800b1b0418d32e06e39fdbd3de4b15bb03155e8a36ea38f2416d337ac525d36ae7d0a5509f7557b1218f60e8b114e6c41c3a4934a2c42c903e5ca5183e04733c03e305b26a3b781a16c073e0ff730a06af039c84b329110f25f1238d24910688f6bb28f5ebfe4c8f5bccf67409c8ed4252575754e380f77028b36208e62018be69ac2858d30c9da3dfe5ed3d1c4841b6346aacfa00b0fa81d9dc9f525a2e3c74f9952d3c46b5684464ad156e13e50362e5e77401fdbfc100dfa22f6995fa1aba855dd2bf02df75a0537b3b9ce038a55d846da4f4c4933c8b06cd8b03affd065f722a8e02a6acda9c7b5b6bb6ca98407404c320633d08d47dbdb2b951624f66c352abb57f0f7a7b959ac45f218c0417d5aaf0f9fdeedc2ec3bfca719cacac2e24867429d1daf7e35b80ca1b711f0f3b3e983417f16e62f9122ead0aa16cd948638a820274536c694fc03336f28c0479dcf3d38bf664704eeb477068396ced416b04ec7c9a8dd4b2a246d4673559a5827f426edaa0805164b854f06cd9d440f24ed009ebf6e9d98bf632a9ccdaf41a71831a7bb1cd04a3659ea80110bc4f4af7fedd7494888df4eedc26e1535d1852ce90fcc83a8a2239bf8071305acadff8dbec924db638b81836e2ca6d272f75e99b3f85188d8bbfe1172e82ae3752a3443c423e5acfcff25aec15a9a886c842685c40cdeb27a10c2b2d381374ad8dfea4b217fccd05160af1ff8107a1b06bb49c15978c77a6cb17f81a576ddf8e892935ee1214b433c270ba7ab12e013e569c2fb2ee60127f3b43ac005c41cfeef83472fe9f57409af5c66df3c5365b74eb2388c2e2ff1457585ba8ceef02558bb4ab2214f9e70ed7a3ca9376318a2344478481a845816277b384c5c7f40f794e2c5b2c106a4fe7be7a16d7038548b4d91eeeba040e89193e8ebb1669c953d8c20ade675675661f2e1c097cbd7c5e1be210305950a7017af947b19e0413ce496f78ef1edbc54c25bd25886ec81b4d68a46492cc3a2e43e9a29ab8b0885f962c760e4f8da705ecad7060975c84f71470ec539ae4fb71aceb55d07fecdcc6f149fbe0f67fdd56d5fb276e56746f91e529e3c072010698ff71ce02d6ccf1df24370b4665cf579af55e37a8aa8d986dd3a97b6ec2cf92737fb9a8f856ac45807eb905ed54a28e2419ef1526e71d487bb7ac85b89075e6026277a3d8fe9bebb178efacd63b894b158eb59467d2d63e68b3617717b8c2f7bee9e10bc580f85735fcfcc0f0f4b2a62eb9aa3351aa682147be2beb6d3c976aa99e66d92cdd10ea3133535545f7371e8f908b8e91fa25652afd89cb4e0f58434948f116928c576805edc7554efd71c554947e14871c64404ae8357fc81d719d1d3427c63d77ec271c0cb94279a4851b0a372fe08b7343a6bb0863076a28c111c1819d7b7404fdfb2df9242d3b9e92e3d9e54074e2c56ec902a745a71433c50fd91e108549a716f5e1c23ff4c2b94eee99e5b6a9871b0dafbc4d4c668130010fdcb383e9f689c2bb1b1b0afb1fb3fe12d1cd4e889b5243c2ef2805814756b0e35c104090215114555cef6439845c438de3cf688daec9fe1cf353285b61735121d78d3481ab5fec2dac4841eaa04da6d40c731da37b80faaa85373b525d1fa6a1074139e677feaac46216ac231fe03a36c1e9395c9f9ad0d6208da73e79ceba1a1ea4e8e3e93ac914687f883e767024522b581f95e0250388f329310ed9d0a5b746b60b31994de35850c43662daf52edbed05f2a1dc157a726fd0e5d73034a993a42476bd9ca2dc0dfa93ca6ee6d27e3677e1afba84f1c17a5949db355d94ee39e553df882680c982974c17bd96330e8b5cffdb350db87032424966a4868ff37c328288506238a46c45e9c35ab60fd807fb8923e381530db9cf8b085e9604ae6fbfbd221f08882f09b43824e578c63406b85737aee796c1a63b86d325ac8663db8c549e6b647abbdd402b5e6fc031caeb1736c4dc2b38f85a0055c3b0ad70e01953c51c15fa28c57a293e3c28a7ffaecbbaf6565fcd9446257c0f9c64b495c63c99398d115b3b86824e103a7d790319cfa8d3384fb6bf7832c8c9f7a0f63967e23c0c63e515d97c3985f0e921028c76d471f1ea5ddc016e2b177bafa49e7160d87a54de1f7eedffaca5c2262bce6852382430b307b8c107060b835e197e3e15c87f69f74246db59c767219e2932cf5a42cd646766a48bc0146acccbe0db08d12cbf83c518adfadf8c3efb8ce0480babfeb4616313c3a5de5f75a9f02e8277209a88990598e77f4e3ab2f4b943fc28e78755ff3105e4765132b1fadf38183ed60e24c8dc8155fd8ba2687b7a96dffb74fdc143fe26877129772a8d92df9fc240a69e9a20bb66eef414760b51e263ab82b2e7a24eb7683debb4a32ebf847f57e20adbfb8678b1e2eaa315e14921c1f822aa0c01c63bdb595779d5766b9bf1ca25f15ddc54e3aea3ed247a0ab497ed9d0d735559b0df6510830171c0434641a92e7e15aad7615b86c6d042c39fce84d8a822c1b3b17eb94fc31f394d01a0f9898271dc0c139c4182d66f8694c2d589a29040209effd7674a644cf1993077f9d886a0f9d99501b388e411d8a02ea6d50ae4be31b224a22e276c4f5d24d3bc14f19f50232a1fffb5a0b3d8f34017d60001ae987b38538989a9f9a8838d2a16d8eb62cdda34885785aef8e97ec8b8756c27c9320d00feea3ac530ceeccf1f0126d377a6804993605e2bdd6f60eee748ee77c93c30c27ea20e74a8c4a07e69e7e7111b416f0ac2563f9746a0edc814384ab35d9b6213a96d0e73892529e907f6a725d3afffab6d2bb6963798a533e62cccbbb63d2722b9801ca7fdee7a3eba6208cdb76139716eaa082b8aad3fade9ea46f074e9746c0aa5f6a2ac43e0df2853644b15415b4fc50cba3fd1113073cb7ba313582a44145bca5cbab59e397d34b90ef184cc4d848414b1e483e93cdbba330370acf791e436720221b3fb8c8745cd1836e25e1310d1a38f2dd41111844fa224672ac380d632d8c0bda7be5c5259951515c92d02727a9a64e37160ca21b75de5322e3031429b2de246c262b64aa8937d3d5389b5d219abe41a526fc979af670dd1d12c08e35c57063d8a5218501c69c00f1152d5355b65215dae5bb959c26610ce997141a10fa7cd91caf89acc012d7621c282643e94ff6b9916f1a0a37fe6f11b2294f2fdd1f49cdf0e6225371385ee0d6255d848dd206f11bb74f9cb201d0d8b809f048829d6e7f3df2edbff32694129fb4fe4fbe4bc87e145c2242900ea4b86f62143228ba06611b9a7889b0fbc46c904b60799f80a6d49df2fa9ee1522561b65da25fd64ea2435e6f4aa7f21fcdc32eec2a2694592f8c8f2f5bf2b56caa5c158a411c48f8af3524d0d5e1325492ba7d806d09473745b962d2d531f27e237a556eacc014ae2e4c83062f9fb99b0356bd32709c7444eb5c6579a03e5f07e9d61fc843bda7447d35069b0939d35c359ac22f55628e212f7b9167d922f271c6a6fa78d8a29bee50f1a0532e9e36f9b51729c73a6caf89555c57a48c052426d544053cf826228cfc59c6703c0c0a5a5ba69c2a2dd855d301f7a4f6e500d7f01fdb749921856eaec9417d55cf262b3082f29ccefa9c6de696d2e94cdf6ef377d1d9ec55d628d68f23010076eab2c20a70f1f35f5ccb14d41379daa5fda6ec7dc77fc062cd8c11a14b26b37596d63501ef00e7d9e4c94a76c15afe225a2936968ec501b632fad0e3c34a50cd2d4e77fba16bb03b4f3d7d049cac5637d812a8ec95c84d11c1b2b5ecf2e103566ab88d835d3bc72a36e5116fbc668b26c3db42e9d21e263650c4039466f69c2e42248b209b47fc00f950d7e0374a7627b35e33f5a2a8370a2cc8900a3cf9e7873d0ecc53c32349ca9ff05c323c8807bd054a04055cd7fa3ceb641f7dbdc1827309268e6c0aba7c908a19b0e0ce9180b317c7027b2778c95cb853adc636eaacd67bf6d7740100f091fc874bc0c4943728eb5b4c8c4d6c89a0e90b96eabfa38262e99f81cad9edf20299bf78dd48c4602a8122b1311c331b427f29ea5ea214500d096eef4b5ead952df75b5e189266edf30258e815ea970ad8227756a8f60f5debd25d5fcab92e8a0ff5e1369961d796730fcd4d2cb400cdc46d67e77365b846ceb1991e6d492603ad9b61336cc180e40de55c1aa2e51399698a1d23b3b31ac5d5cec5fb10bcf10a506ce52d2320f615f810f781358ca0d23d2d324977156c1b5c18e5a2c6a02028a40373ffd5c3afccccb92f7cefde2891e69aa49e7a8ecf8e275cbed5176c0a1a7ad96fa8faca234b32b1683e78321a82c05e316e2e15d52c89fcfb233815e9981ecf3684dd41d84286097e78ae1afb89c94488659cb274f765c72244f1936733c40d8894fc3717580e681dc6571edf1aea38cc4c65270f44ac368b7d1cd7a86d491ad50cec56470b451dd16f0f26d336c6b355fa176a1fbcad193d996b1877660574805dfd8bdf4c2d5ad5d521a4a5745028dc7069aa724e8135d1c7ce1ea7601a9f824c0aed405e3475ae16e5ed1998d139bd028e9375068ae42a6df9b3dced7e22c493f50ea13d200f056c79e5cea73d4b3dd8e07d81b3433698f322913cdc117a9a46d6236b93f36eb1c2388eed31fa56c960e2b6c706378536a2ca2b9542c8dbac145ae109e65202af98a72582406b3eecf41ff166518d574c88c9b03e2b7c112611a5688bfcdfe830e0d5e04cf3c4d75f40c1d7395f7f84c5d23bd164c619c9a0baa214ca31fcafcb2791d99da41f381cf652cdc98a6134f679c1118b7fa503e9ad1b06a7c26c6339069485910515acc89b43d6f31d773be54560101775234dff26cebb9138a7f865b9d6d792284f011b7b1d910e3235ccdca0bf0f96b80e1fa1a9c93e0a9cdfa3f712d3f139f9df4479d0ee1f4d4d67a354e975837247802c87c594e5716808d3dc404890beb51fe5896d8a045c9d1f8d5ed015a86fce9d1e81d74ac80404c30083b5a7336ef13989620dac8e7a2a558c8d1f1b6e929add6b9a3622739ad4eb93afe997ddb4fecce60f5fc775b6efb527fdc055982fe2ad505c002516175e6284d872056a927b48be6aad370183d815c58af790f618e0f748d725146193f618aef1b5a064635b50ce682b3961a2f19eab84e293abe4087d7ee117c08608fc4bc9637ebbeb945bcdd66207b2f02331cf5796611c8e2dbfc45c2195ed1c197916f5b493606b99e0c9abb38bd933a2f70fca4d675d4e1b6635d7a607a224f91caa438323bf9e1a70e0ca5c16d0d882b6d35b2103ea8c5e7314a4516627251a825b3902540048ba48fae626af3fa4a21e81367d4758cff6c429904376e9594089e7f5527074cb1ccff7799eeb71bd16953aa4c851d45e938980bbd56cfaececbe9ff393630c24f763c48a6e28c9a77a25b915f1a99d74cb33218179f46e78a2d6eeba8477a6144f6d2deb294c8da6d95a950b77fb133236b3e5d2f540c092a58746c797c3868e380347c0a9b9ebdb67db8b5f51cbd135a73c270cd2b30c435804f43e443c0815fc5f375a73010926d7864388523d2eea07007cf3f817704efd0319f0487c515981f29723ace36d167b990ddcc7e064d521b3aa6a6655a0a365afa6caf1ef40fae23a9e42ce08c57bbf5a41a0bd54354b0dcf74ca77771d78aaef2a0c51c5998b91642fdd4f953d2a4291ce308e726427bded86fa0ce56ac0ed4a16e6f0541efaf845d5350b6117f79b8646b49601800b732adf992358298c59e64921b7ac430e4872ce0a9cb37c483a4451f4dd08e68e6c87905c50031e3b0f730985564a3a5c29db28aafef3f8cb05c2644d9aaa1015e2ec8bafc2640481abac6b18b12f3e7233704d47e0a1df4accfb03d3e6a3222929157ed1f6dc2d86b0536f2b48e99996247412266c9a28c3230d2ce20ea9d43808a9af936aa81710853a1b1bfa5797c1655fced7912f19041702d8a4f7e9626a4a793b6e58b155011c9447ff926844c820828202859fc75394f45b2bad859b34f36fa98f6a9e8ede680b23b51f793fd996dba5e6c23a6740aa6a46b07d6e53b74b65c041733ca156a3698772c3eede0e0887993a85e6290dc7fd14545e5d923a512e1d7b4cbd96010445c9d9e855afaa7c53f53baff420ac332d316a35a238a1815d272f60c3e886ca858d6448ed51a0c7676db70b8fb7b04980b976ccbf0a3110437b7c21e85d4944edb7b6ce0f652cd5da561a9b34211b26e641236a857dc1fbc43c12a4eb9ebbf96cfea736f2d8298cedafdd0ab073a7ac697960c4d65e64d956058c1acb02dbaa11c7a169b4be13952694d8dfe84ef06b1a3583171d99de754b32c41861c1be8b6dda60687e67aa6d8249e528349cccec97e399bb639dfbf4479f54c591d31f588932af57b5ab87843aba2c8063c55664bb8375e24e5346ea03cfadfe42795453c46a8f3ccec7d5b9d2896d34e0432cefa1464f6338b40fb1b2e1ff9026898ebd6eb806339f488464ff70eb741239556b55e6872e2d90ad69f11e6ca2bd7ccb8b6d39933fcf3dca15b13a76b4adee2b1898b60bd6bd051f9e4e516aac6650a50a5077b9caeba9f286e58886ed39dfe8cf9ba25dc84e1ae847b5637962b4c08b01601808dfbd93c644c9dec8d62123c9005b51dbb02d7144a12d49ffe018fb832aa5eedfaaff32784001f0f4801396189e0e5f525b79caa0f010d6574cd479fa9cc632f6a2558fdd4eb2931375e7ac9eb99f31c1039a9780bfec6430b155cb4d205bb33c735509c270167dfbfefe65062c757b41493beda43133ce24d497744a907fd78ddd8a0fc896a8eb60dd174690672c6952789f29024ef540d21e99f15fb127a0d8b7b7f0e48233c5778f578a1e83088a659bded44bf41e8edb8a02f091509f0b05f06df737891fd7e0971a0e1735d22da7018386792fd5f2bda365f48194a00b89faa4bb1d972788d740c57418921eb4d6176d160b209460d544734ae43e99658aa367e8973c3ce1137d936103a842da4dbb085f25236be94f9cbea7fe4e8dbfaab901de38ac0ed4458fa7d94503d42cbb8eb53042cbcb7e12ecdd5cdaf655b51d61c0a6a07b562b619b6dff90e0edf99d8c20278ba17ac5480f04a3a60ba83678b3dbb4247e5fb96ef134fd77a699bc7812d1c9d31875a298c701da0f17e426e4f6074f82dac60c9e0d2387ef54d602ee9b77587513c97cf3c29ec5c1fe318cd1d0d049968498da6916ab56edf7a4c16c4c55b3f52c21989b196276d2a7c5a7e21b47665876be4b0f3f5f69554cd404fd4453a4d14b58bdd623007e51eb90615a65c959305ba93337ade682e432daff7eb2beb47cd08917290dca5421775a24f8656ff18b0a918fe4f77dc8a63a151093b8441552885aa993d0ea6eec60e1d60a0ce8d264d66dd29ded7ae9c08704998667ce116c870d7970abe04cd3a58b9df79728b7b73854425b5cbcc62c66a8b38d6b7ca8fe55eedf9e265be8f100f8e6d95b2ff66c4570439b6932dda3f16d73e69625206551b85fa977ecb8181d95696777455a09d5197a22ac5d1a780d7746726eb0a84f93a11d4972871e24a587dca5442b449727a6ece2db6f3d8f513ff2906c7860f972e8d99bcee1e88739aad134b14618241b9a2d97997e7893582306f11e08fb979c34d31f96b39a09d51451e277442c3b8a26b98aed6990d57e44e2d9e99ecba825ac8b51d19f46441bd3a3a726b39336b09600a68097e8d73a01bfc0c739abf599897d19e7e81f2945351b10f1af8b9e62604b30addf0194ce8e88d78d8361f23ad92b8603e20c7e70929e843b22dbb8840fe4ba461008eef25a51a564bd33d85b992996de97a0f4b5dc3356f54413e53b36f24d31876f9133db4691d1ba5519d82ebfe05a11212c21a1083cf8645dcc7425fdef414131cbfc4a40f82ca79815c5533c5700093810cdc284a84305511395cf12a8b76227ff02af2558c56ba6e611fcfeebf77f05393797a8b67c20acdf593c47cac0bc599f10f622e4168b2930a9be32e499637d90777f07fcf86d9bc65d98d2e0332e92feefd802fd59cfc93ff4f71a7c29b33b9f06fb16c3aa23254030f015a1fd288d3df8dd3fe00cdab8cf6859311a18f76a90acd1f3db082d9222a3e488ac69513d6bfd5a326f749680c6e710466e411c20ed352fe8fe90d6c3cdab7e10c96c86c63f4960015132efafac31ab38f2849a4180392742c71566383e79db7e1114a74ddb19d66febab0a96ac3fd4dac337a073c07319d5538ab41f2b87aaccad5b33e1a830bb277ffb09d0e4d9eda6a9df9e24d7579a31e820d46ec07a17be8913c6259ec9714fe024ec03a6f2656d4904905328f7e9788088bbc7ec666588581ec522f6a6bb7e4edb9c85fe87a8d5cfb788d477248a6daa3960850e5a13e0df41b3db8b07cdf166bd90ad3f777ae2456751434886bc7d57189e66f0e6e1d9f5db57428cdf098b833c1b2ca8390a9bd483e5afb6e8ca11f12614fec46985e0ca98818ab2c3a3c311e3f3c53e6776f42f6ff35b12805f3ca9b390c20aed909b23d7e1e19f322809c28d6c7ee96a36cfe268b2dae202ed172814d62650423241b98a7d617b91f8e81a00b15bd1c7e6e5660923c0831034e7518b26a8f90c8b1588a23945325f0bf152d6eca65a04a330c08f67b2524adf4f5292d6c254e4bea7fcc9d87d1721a93f969554bcba69a3be8d20b4baeb7afcd8353438c13eedf4b2aec0642196f43e8b5a3addd5901b2645d2794ff144a7bee876b33968fa2485982710e944c0b175728a51c1865a51867ae0e889d4a94d9c76347c0eb4430e9a2399a79f4055e7bc1542b2bf8478edd5cdd174e0907a1487bff7a3d8ea85d480d55c90ed84c0bd0bbe287c5f5598829c7a8a2e16220231db90cb7f8fca22c73a67275df2f23aea835c86797cc0c6f2081cb4d70370f89a58eba3f5b2acbfe97fe8cd1ae5e0c3bf42dd13f2cd958ea9735c6aa0e51e1e5d85d3f037a2d3ffb640934ec7468fcddd42946be81bfd801942f95694c3267a6237fa8229aaaa51d8156c9d575596fbb24c2082423272f3f02da12c870b58b64e747044fcdd933685e7b4c3247e9fc4b1dad8834fdad50103b8c7ea4f4434a4a0c982060e4a095d4ae7c3a1165af8220fcf2ee380841e32d7cb2f67b535c09c5af35d935eb091f072001f9ea70e289e2a9d8c9b107fb5b6a87bd3282a0ab8484f603c9e0e8aabeade763deca697e7373592c69b9429c7622eba408cd56554a94b1ab5e789015dafbc636bcc3e099129c023424e6c2cbf319db97fde78a14b78f767da6524d06da7b8dc0df81c19905ff225dc17bf225ae5ba75546cb2ca9cd99dc133f338f191ff049a3de4fc3ba7d1b22097c7e40cd13b66aa7ff3421259002d19fc47fcba16eb20a476c138866258926c0a87fea8841488a807c5502237a9e8d96445586892c53641d72ba9f876eaaf269e810658af5b1d7b5dcde6e4f1a009a92c63a9e8c3e19c29316a23848693a0921c68f2b4a40e007bb85308c8ad32f15f21c1ba42d902e17fc7e930325ce2459a99e2e81b6b0b94209d405361e9938af2d2b0d3e1be93bb5b1aa38c5ba1ac76caba677be41ac7112448a72c97ec8ee62e0979c4fd23ebf7c6d151762a36061ecd9507b91f6bbf363744544602a2dec64667ce5d106fbdcbb143276dc8f723250caa9d24b9495b8d76bd72d8bc93b4d7b22d8ff0a9a82f668fd1e54a478b59e54bf9a0529e9a148b8f146bfb1e4de9bd52ec1747be2fa875ddd1cdf6345d3393799065c4cd8118e33d695dd4b98efca18e10003aab586d84617512ab40e5f6ecb5fd6712ede74c3882ac8810b806d4707326d623ea4865abb0ca150476a2dee29e05047fa778dd34857fd63d4a0ee8dbab244603ad067c236d190fb89fc46f7f21d163f43d36d92092ac4ef498e89b66b5ef96b08b41e0e358f3b1bee336ab6e6386128bb8f2c25c734569e7c100427608d0c8b1754165aed4c56f0214c9fc5e15018a0de32ffbb7172e969736b690f96c50f3b85b0fddcf55c5fb526ea0dd6c42e1883e12c718299ee97d321601369351aab917c0a427c1bb63541acff3c9479e4db1a9c81bd6e9a71cb75aaee0d6649b3382a1b03e5677f74b42659c381e1cffa14843f6efbd51f5ac5a7f31bd54ab7ddec536327539f4f1258567650981228da5df32958112e2d8de27ed481a83c810b92668a4dcfbd6767798c3c899c8f5184b0ad30525bf102ba40c375d86cfe8eee601ce96829981ab56a86cafa2a154d63312fe97b19f243b326921f049bd48e37729cc96f26d2b07ce46377b7397c1f536f5ef6fd66f6c4116ea96b08330448ac72ffb5faa8eeb9ded68fe7e54a0e49271d37d658341e16737ce37bf47cb4b7fd6cbdcd6e6117b7f006ec8f4290c3b935f491f1356940e5c96195d4c022bc03f03b579eca67263444275d8d3c288014dc9169d3297b54c1a628ffbf74ee9e7511812aedda4039dcb0892d180b50f940992fc920d6f748dcc4b9155186b0e5474be0e68a3b4bb7ea52d0a136664d251560b037e8f8df2b0a2640e420b19d143400d9678dac4e7a2b4be287f6891ffcfb1c11bb4f2b9688aeae272b701b2471bd12f82c8f2ad9b8ce1e9aa4084912a498944bacf4faf75d6fb092b61fbac442f64e66dbe570545f0995dedba17e72673364a8a07b3d33affc79fef0e4e4fe41ae8db6ae027d5821026561b61498f75de599f46d7743cef145b741aa2fd67205c18e8757073d1b6bf0a66f06e0c1ec6fd1ce3daf913b016b427cdf4f7b19f9fb22b2a1fc4510449fd020e54fc93f7609f56519f7e6caf02f5b8be3a36d9263890e2068a9bee98469a117964a4b5e39cfee8eb1605ded96b2acc51afc99821ae7bf50d4b4791eb3eca53b7ae0005e5d74135fcfc112fbbee5a68125f10249cf8340c0f22d412a74fae14068ece35c4617f90f1b75e84b1ae9ecf6c18c7504f068b034462cbf349316fc63d580eff2fcf36cd296379a8bfff91294c58dbfdd93c98285e7aed4489a4670c7070907b7cced1c54419034f69e81edec13b35c49bbf473c6ca32ee4bfa9b1676053b79807350c55f3ae6005d6e5adc4328d78e8197854c45b5ddd5a1dce9a6b03d0ca45aebc068f3bd70d3202f5e1e17398e0a7c957aa6436b061fb80db2e726df5607b496194f911098faac0608b03eca5058fc43beb56865cef28fb9aa0d311bca89b8a0acb02b583e01f2089adc1dfa113ec812f1cc5b4b7fcfbe044ea2b3b2a93f2945d31db3e1c5e9e35f99b607d14fa0221b61644fb66e8c7a22f329cddfb22d2bcae360d22ac556bc7f35a00a3f2760d1fbbc297a3a08502985f69a7524d997c6fe3002e0fd6703b67d70dbb57926069fd7433f4cb82173e542ea4be236fcf30d03a82a32bccfa7b373a46db0ac27bba4cb00edf6bccf3c8270cacdd0730a3d7b46b71084821a5e85d3a9493da176569df13162bd8bc911da153d7976e73121a025301997f2aad8ccfe4b9939665dc6699ce20fcfcfa2e1278039f3fdf2db0d7de3c9de4ee4e64453670a2be516c33b06f545a6063f121553cd096e12f4dee94f5a2858aad5dc12c081fe614fdc4ba0fbbd623a38835f7c1c5ef8414c24dbd32b37e4bf0a0bdcbbd12946ca82032ec338256786beb027d62d832fb99b579a8e162c10c67d479d397caa7d7e0c714c4491b5d804c87be8afdb26204d37548b869aa0e94adadb97f5e7db32bcb471bd5bb2aebd80d6947786b6a322ab569679856413eba30e0dcb1d31cae96b71d43846c39044691d5ffefa1cad55e5d59d8f8302bcc410086ca41b576c5dc18e5ce80e2de4f7eb57b1414ef29cd00c1fbd906852915d03f9f5265411d428d23f04a70fb46aa7b60146c6f272136f13a0426d149256b936505f03997fa86e2507b04e25c871578fa980d2323fef7e8031209043ae56baa4e0ec407084ada94d96ea836080d5a66e0d87aa7deea927ae9f5b80a58bbc2555f7a95680ac7b7c0f7ada2f5769a5dd272a102b94c883116daad90be2595175f99656aad3dd36336d84ebaf97d1d5e2782b4c392df227") r47 = syz_kvm_setup_syzos_vm$x86(r43, &(0x7f0000bfe000/0x400000)=nil) syz_kvm_add_vcpu$x86(r47, &(0x7f0000016780)={0x0, &(0x7f0000016480)=[@out_dx={0x6a, 0x28, {0x351c, 0x2, 0x3}}, @out_dx={0x6a, 0x28, {0xbe7d, 0x2, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0xf10c, 0x5, 0x90, 0x2}}, @out_dx={0x6a, 0x28, {0x4c98, 0x6, 0x59fe}}, @nested_load_syzos={0x136, 0xa8, {0x3, 0x2, [@enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @guest64=0x280d, 0x2e0, 0x4, 0xfffffffffffffff8}}, @wrmsr={0x65, 0x20, {0x285, 0x7}}, @uexit={0x0, 0x18, 0x5}]}}, @nested_amd_clgi={0x17f, 0x10}, @wr_crn={0x67, 0x20, {0x4, 0x4}}, @rdmsr={0x66, 0x18, {0x2e6}}, @uexit={0x0, 0x18, 0xe}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x0, @ro_nat=0x6404, 0x10, 0xfffffffffffffff7, 0xe}}, @enable_nested={0x12c, 0x18}, @nested_vmresume={0x130, 0x18, 0x3}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_load_code={0x12e, 0x63, {0x2, "2e0f017133c4216ac2c00066baf80cb86e897c81ef66bafc0c66b8af0b66ef420f01c33601e312ec0f00dec74424007a000000c74424020b000000ff1c24400fa1c443314a890a0000000b"}}, @nested_amd_stgi={0x17e, 0x10}], 0x2c3}) r48 = mmap$KVM_VCPU(&(0x7f0000cbe000/0x1000)=nil, 0x0, 0xd, 0x80000, r12, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r48, 0x4) syz_kvm_assert_syzos_uexit$x86(r44, r48, 0x3) r49 = ioctl$KVM_CREATE_VM(r12, 0xae01, 0x20) syz_kvm_setup_cpu$ppc64(r49, r43, &(0x7f0000e17000/0x18000)=nil, &(0x7f0000016a40)=[{0x0, &(0x7f00000167c0)="0000003d0000086104000879000008650c0008610000803f00009c6304009c7b00009c67d0049c63246bc07ffacddffe0000603c00006360040063780000636404006360269fe17f0000603c0000636004006378000063643c02636042000044f5009007d6db8bef0000a03e0000b5620400b57a0000b5662a00b5620001c03e0000d6620000d5920000a03e0000b5620400b57a0000b5662a00b562736fc03ea7f7d6620000d5920000a03e0000b5620400b57a0000b5662e00b562905ec03ee010d6620000d5920000a03e0000b5620400b57a0000b5663200b5620000c03ee0d1d6620000d5920000603c00006360040063780000636400f063600000803c0000846004008478000084642a008460220000448fed9ff30000603c00006360040063780000636400ef6360b5ad803cca82846004008478ea5e8464a2e88460f167a03cbee3a5600400a578a557a5645546a56003f4c03cb487c6600400c67873edc6641551c6601de9e03ce4a0e7600400e778d884e7642576e7600870003deef70861040008791f720865674008617fc5203d5dc62961040029797f83296531e82961ec4b403dd8c04a6104004a79e3f44a6576a04a6142000044c7dd79120000603c00006360040063780000636408ef6360ae15803c967484600400847848298464f27b8460fb2ba03c3a84a5600400a57866dfa5640e85a5609421c03c544cc6600400c6788ed8c6642d18c6602715e03c9877e7600400e778527ae7644a11e760b221003d4162086104000879f61f0865aa6f086100f5203d4c23296104002979da1a296595bf296193f7403dde994a6104004a795ee84a65a0514a61d50a603d34f96b6104006b7921196b65ab4f6b6122000044", 0x278}], 0x1, 0x15, &(0x7f0000016a80)=[@featur1={0x1, 0xfff}], 0x1) syz_kvm_setup_syzos_vm$x86(r49, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r42, 0x0, &(0x7f0000016ac0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000016b00), &(0x7f0000016b40)='./file1\x00', 0x1000840, &(0x7f0000016b80)={[{@ownmask={'ownmask', 0x3d, 0x9}}, {@uid={'uid', 0x3d, r39}}, {@gid={'gid', 0x3d, r25}}, {@ftsuffix={'ftsuffix', 0x3d, 0x1b2a}}, {@ftsuffix={'ftsuffix', 0x3d, 0x95}}, {@ftsuffix={'ftsuffix', 0x3d, 0x2}}], [{@uid_lt={'uid<', r37}}, {@subj_type}]}, 0x1, 0x2a, &(0x7f0000016c80)="$eJyq3PSiSzhjn1ni6QQv2eL9NXzv/l1Tb+R79PvXuQuAAAAA///Puw+p") syz_open_dev$I2C(&(0x7f0000016cc0), 0x9, 0x107c00) r50 = clone3$auto(&(0x7f0000016d00)={0x2, 0x27e, 0x5, 0x2, 0x6, 0x0, 0x6, 0x5, 0xd, 0x7ea2, 0xffffffffffffffff}, 0x90c4) syz_open_procfs(r50, &(0x7f0000016d80)='fdinfo/3\x00') r51 = syz_open_dev$ttys(0xc, 0x2, 0x1) syz_open_pts(r51, 0x8400) syz_pidfd_open(r16, 0x0) r52 = pkey_alloc(0x0, 0x0) syz_pkey_set(r52, 0x1) syz_read_part_table(0x67, &(0x7f0000016dc0)="$eJwAVwCo/6k57hMEqlDNSDO4ZVQCcLxIue9czoZuafU/43B5GQ8/SfKEAJSVthoZct6TJycbea3BUcvLUazBD0Yw9qOvvKZmop6ihOZrQz9pF64MLnCI87vjyBXT9QEAAP//A0oqtA==") syz_socket_connect_nvme_tcp() r53 = syz_usb_connect(0x3, 0x840, &(0x7f0000016e40)={{0x12, 0x1, 0x300, 0x42, 0x66, 0x24, 0x8, 0x2357, 0x9000, 0x8c65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x82e, 0x3, 0x7f, 0x2, 0x20, 0x5, [{{0x9, 0x4, 0xce, 0x7, 0xf, 0xaf, 0xe8, 0x6e, 0x0, [@uac_control={{0xa, 0x24, 0x1, 0x7ff, 0x6}, [@processing_unit={0x7, 0x24, 0x7, 0x4, 0x4, 0x1}]}, @cdc_ncm={{0x7, 0x24, 0x6, 0x0, 0x1, "a34e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x7fffffff, 0x0, 0x7, 0x8}, {0x6, 0x24, 0x1a, 0x9, 0x4}, [@mdlm_detail={0xd8, 0x24, 0x13, 0x1, "fcb64e07cbc613ee0fb47b172d8cb25490f7d08dca4c04f248b0d2c6c5d4fd13c90c337dbfe045783ce1ee1399fa76c14b25f5c338b041833f787b776e0c3c255189f0694e731cc1edd1269dee99eed04d16af2ae0f124510006a64280fbf1ac1146beee985883566c169abff09e46018c5ddfdcefb4c06a4626f8eeb21b618fe70adf76c204c1a9305d06d90852b606a0698c6678280d4829c78171526b7cf0cf95cab7e3afb3b58fcfaf6d70eb433347fbae1294b288b8d339b3d78fdbc0f227907aaa921ca3026e4c5ce34211e3c907b42ca6"}, @mbim_extended={0x8, 0x24, 0x1c, 0xfff, 0x1, 0xf51}, @mbim_extended={0x8, 0x24, 0x1c, 0x80, 0x2, 0x7f}, @obex={0x5, 0x24, 0x15, 0x4d}, @mbim_extended={0x8, 0x24, 0x1c, 0xbf26, 0x10, 0x7806}]}], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x40, 0xb, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x4, 0x8}, @generic={0xe8, 0x30, "68849f67c98033bfdc9bc67c706e689f08da2d587b668f1f676bbbc38f71f68c0129159b912f3288af2d8f5b2a9e6a416c8e3445c333df5f7008233683c674208456cfcb7a598fd1430b9bb55e9b6fbf6cd0797ffdb48e94a2bb0a7b924dc3fe2c8b37ff8b6d67a0551a582d713454dc2f829c5fa9bb41053a7b74b601c8ab8454e2d48d213eb4f873d9693119cf01d9779afaa261bd19f84e3998a27cc27fdbaa15467cd6f5442aec6c7d12861746b6bab7b93701f011de1e995c1c204b4c2680503a47bad86fa429cf00ded48239fb555ab98087edeaeeba89b14dad51b1993c25e60109bf"}]}}, {{0x9, 0x5, 0xa, 0x1, 0x40, 0xf7, 0x2, 0x5}}, {{0x9, 0x5, 0x5, 0x10, 0x3ff, 0x7, 0x14}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0xc7, 0x46, 0x2}}, {{0x9, 0x5, 0xd, 0xa, 0x10, 0x40, 0x8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x7}]}}, {{0x9, 0x5, 0x8, 0x2, 0x3ff, 0x10, 0x9, 0x8, [@generic={0xf8, 0x1, "8709dae6274078001913ce2efbcb79ab1133baa4f7e07b3b2c7ff70389e902b3684a95a29997f2d20ff4af270d19a8e0b4f24df512a7981b5cc217941cc55d0ee52777d5469f8d59a8b5b4a6e4fe8c2c9450b47d3153ab98f8e25d699873d3bdb2640075123c4c4bf270db5a2e30c478e75e0e80aca0d41af746e3efb598b2dbec647abd397b0efbb2e744238a48cefe4299f48385e74d325ba52c15b168234a996d3257eaab4fefcba6b898c91dd99e0c080a10191184ea552c28223c35e63ea9406888a94759ad4c30baec3d37bc12628f39fd0e1ea1665122b4a04adec0d9632421ac7518851c5c9256a33e291201a3af1af8df0a"}, @generic={0x66, 0x4, "e24af39366d6cc5b860379367e9b5af91238a8ad60d4d3330b86615c238b9adc150ca8d4d89f347cefed3502f2a64669ec10c9352cc3f00bb7bfff70a34070247f372fd56b348f50f94509038994df699dd0bd1e0f291424502d0abfa275df94ab99686b"}]}}, {{0x9, 0x5, 0x3, 0x3, 0x20, 0x10, 0x6, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x2, 0xf}]}}, {{0x9, 0x5, 0xa, 0x10, 0x20, 0x2, 0x6a, 0x9c}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0xa6, 0x0, 0x3}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x8, 0x6, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x80, 0xfffe}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x8, 0x6}]}}, {{0x9, 0x5, 0x2, 0xc, 0x20, 0x7, 0xfe, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x5, 0x7}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x94, 0x9, 0x7, [@generic={0xdd, 0x30, "77867ea85d1b66ca1b835f1ffe80b4e15a4297fd75060e9ca4a21e385adab09508051dd6105eaa7cdcecdcc320bc7f956eeb82394feeae2b09c0990c54433f3734da18ccf13f5fcc5bb32eb3bb6b062a282989582d898d9e25f97d5d3927fbc22c45904983860eb61eafd34b54ed2cc8b55cf197d31bbb18106360ad77240c1f44fd50f1a944b9f5557f95e94513b0ad4d6079e15e8d3b4301027dece5a5ba8488a265ab3067ce7d0f2d5ad3117bddf068f591f61d6646f96a3772bb1d8807ba9dd6d7a0beecb27298c3f090b2b7ed72979d14deae685d250f2cc0"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0x70}]}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0x7, 0x0, 0xd5}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x0, 0xb, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc4, 0x6e}, @generic={0xe, 0xd, "36cb58afca23d3e3cd43840a"}]}}]}}, {{0x9, 0x4, 0x8c, 0x0, 0xc, 0x77, 0x71, 0x4d, 0xff, [@cdc_ecm={{0xb, 0x24, 0x6, 0x0, 0x0, "378790738559"}, {0x5, 0x24, 0x0, 0xdd}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x926, 0x1, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0x7}, @country_functional={0x10, 0x24, 0x7, 0xf, 0x47f, [0x7, 0x5, 0xa5a, 0xf25d, 0x10]}, @ncm={0x6, 0x24, 0x1a, 0x100, 0x1}, @country_functional={0x6, 0x24, 0x7, 0x9, 0x81}, @country_functional={0xe, 0x24, 0x7, 0x10, 0x3a, [0x1400, 0x1, 0x3, 0x8]}]}, @uac_control={{0xa, 0x24, 0x1, 0x80, 0x80}}], [{{0x9, 0x5, 0x5, 0x8, 0x200, 0x39, 0x3, 0x2}}, {{0x9, 0x5, 0x0, 0x1, 0x10, 0x6c, 0x9, 0x4, [@generic={0xec, 0xc, "cd0d3ce6b75c2b01f97fcb20adf4d99a5a6276a0a0717a5cbdaae5bde2286c78f23ec6527fe1490d74ccaf86bae71c9879a22fb098f798415a4210a098cc4d7658353019718991bb6a8d77a8e7b5d4507404e96ff45614cb5cdad6985e76eec52fa70774a80ce5407b62d01051262f8136aa68c22ea4115b5e27653c40a81cff49a13bf79d599e1eea6f2ab7897c7165b36cb683a87ae079d8ff5f450ddff53f2a7a042d0732f9357ce23fb6a1310f9584d8a7557b654936d97d49be797a565302d1e615a70061101f01cb75333ed4fc3fb983e30f4904195e253a3add43bd069794bcace63863b8c55b"}, @generic={0x31, 0xe, "a6772f6053bbf3fbcc2e4b92794df700a7499308d02da807f64c0bb6a2df535b939af7a1a2e98682e084019d17ff1e"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0xf8, 0x0, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x1d2}]}}, {{0x9, 0x5, 0x0, 0x7, 0x400, 0x7f, 0xf9, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x5, 0xb57}, @generic={0x43, 0x1a, "cb18238b9bb4f2cf09a9e512ee7299837421b4dea8530c6a24f72229b4c3803db0b8159c4fc1d0c512c36706f72652839ab687708e60653bc855f3efc0191d44ce"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x10, 0x5e, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0x2}, @generic={0xa, 0xd, "0ea835cf6f9897dd"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x8, 0x8, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81377ff213a15d50, 0x40, 0xc590}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x4}]}}, {{0x9, 0x5, 0x2, 0x2, 0x400, 0x6, 0x6, 0x7}}, {{0x9, 0x5, 0x2, 0x3, 0x200, 0xe, 0x4, 0x4, [@generic={0x5, 0x11, "b9f5e7"}, @uac_iso={0x7, 0x25, 0x1, 0x40, 0x6, 0x6}]}}, {{0x9, 0x5, 0x3, 0x10, 0x0, 0x8a, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x9, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x73, 0x1ff}]}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x8, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xd}]}}, {{0x9, 0x5, 0x6, 0x10, 0x200, 0x3, 0x7, 0x0, [@generic={0x4e, 0x21, "de218ddf3078a6fbd86d425731334bc46cce8cf519b9cef7c417703ac6b7c8d919df45ea16b8089069bbf34f03abe752c1ee7d7e03a08637bcdc17d4cf34c2756eda9fbf09fdfcfca3052859"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x6, 0x8}}]}}, {{0x9, 0x4, 0xb9, 0x8, 0x3, 0x5b, 0x5d, 0x4c, 0xbf, [], [{{0x9, 0x5, 0x5, 0x0, 0x400, 0x9, 0x5}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0xf9, 0xea, 0x2}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xee, 0xbf, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xc7}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x6}]}}]}}]}}]}}, &(0x7f0000017780)={0xa, &(0x7f0000017680)={0xa, 0x6, 0x300, 0x8, 0x4, 0x4, 0x10, 0x3}, 0x5, &(0x7f00000176c0)={0x5, 0xf, 0x5}, 0x2, [{0x4, &(0x7f0000017700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000017740)=@lang_id={0x4, 0x3, 0x425}}]}) r54 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000177c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r53, &(0x7f0000017a80)={0x2c, &(0x7f0000017840)={0x0, 0x1, 0x101, {0x101, 0xa, "3681db1760f476d161e6331af001dff260ea6b4a4cea6097ecb1958b59faab7a902848c262a0bb7bb004a6454444f39114416399cc7a71e71547c56a02f133907f22c3f12ced90a4d6ae9ff8fd98b3e7cd83d8745c649289b5fd78f706859e152148d76f8f0d0fa049834365be85ce2b50358758a90b57339c874457410ae277d2b118f38427a932a2c7cacc09aed3ee5730793f36dce0ed57b9c65ff63c7eb7ebbfebe9094e0853051b9f3dfaf6c2ab61265b3af1f34872569ff3e04b2ec1ef09a3692a88292ffa38b851e6fe031a70a551e8844b16d138ce126ce0419571f4349aee237a2bf6fc52cb78f26f30c936902d7f29d3a5615dad86e4c69ca03f"}}, &(0x7f0000017980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x4c0a}}, &(0x7f00000179c0)={0x0, 0xf, 0x5, {0x5, 0xf, 0x5}}, &(0x7f0000017a00)={0x20, 0x29, 0xf, {0xf, 0x29, 0xeb, 0x10, 0x81, 0xc, "e76746f0", "f19276a0"}}, &(0x7f0000017a40)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xd, 0x2, 0x8, 0xe, 0x7, 0x8, 0x515}}}, &(0x7f0000017ec0)={0x84, &(0x7f0000017ac0)={0x40, 0x17, 0x1e, "63fd640c63a3d40d56edf64acb1036df01c37dff2b11b8bd6dce4f20b2ce"}, &(0x7f0000017b00)={0x0, 0xa, 0x1, 0xfd}, &(0x7f0000017b40)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000017b80)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000017bc0)={0x20, 0x0, 0x8, {0x80, 0x1, [0xf00f]}}, &(0x7f0000017c00)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000017c40)={0x40, 0x9, 0x1, 0x6}, &(0x7f0000017c80)={0x40, 0xb, 0x2, "dd91"}, &(0x7f0000017cc0)={0x40, 0xf, 0x2, 0x1}, &(0x7f0000017d00)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000017d40)={0x40, 0x17, 0x6, @local}, &(0x7f0000017d80)={0x40, 0x19, 0x2, "73dc"}, &(0x7f0000017dc0)={0x40, 0x1a, 0x2, 0x8}, &(0x7f0000017e00)={0x40, 0x1c, 0x1, 0x81}, &(0x7f0000017e40)={0x40, 0x1e, 0x1}, &(0x7f0000017e80)={0x40, 0x21, 0x1, 0x7f}}) syz_usb_disconnect(r53) syz_usb_ep_read(r54, 0xb, 0x6c, &(0x7f0000017f80)=""/108) r55 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000018000)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x40, 0x3f0, 0x4, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xba, 0x80, 0x1, [{{0x9, 0x4, 0x0, 0x7, 0x1, 0x7, 0x1, 0x3, 0x5, "", {{{0x9, 0x5, 0x1, 0x2, 0x8, 0x4, 0x2, 0xc9}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0xfb, 0x1, 0xf}}]}}}]}}]}}, &(0x7f0000018180)={0xa, &(0x7f0000018040)={0xa, 0x6, 0x300, 0x4c, 0x3, 0x7f, 0x20, 0x81}, 0x2b, &(0x7f0000018080)={0x5, 0xf, 0x2b, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x2c, 0x6, 0x60, 0x64, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x6, 0x7, 0x1, 0x680}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x2, 0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0xc, 0x5, 0xd4, 0x21bb}]}, 0x2, [{0x55, &(0x7f00000180c0)=@string={0x55, 0x3, "8a4234831e8888aedd9ad22d4f28938cda9aa9a900037c311cae82fd231caa312795c2b2f747f7bedc807a10652dcf379da07ebe9635310275c1f0ed956da64df98af4ea239c452aa85b311b94d471e9d3423a"}}, {0x4, &(0x7f0000018140)=@lang_id={0x4, 0x3, 0x83e}}]}) syz_usb_ep_write(r55, 0x4, 0xa7, &(0x7f00000181c0)="c9de81d2b7fd1d65610b4083b89828a1eeb3c1fe78e802b87bcad52205e7f4d5773025c8c92cf009171f12788aa9afbf0167112693c5625eecd433f1b0ed30d3ef6194f9afe363c1334df356e261dc73f07cac0e40a0348c52257f14f9a9f60d5698352069eed46ef10f4a97b1560f7605b0aa631949af14354c1acabb768609d122466f6849102936f4001d18015df428570b6e59759b75e723b1e612800b56ea89a55d2c6378") syz_usbip_server_init(0x5) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif #ifndef __NR_statx #define __NR_statx 332 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } if (symlink("/dev/binderfs", "./binderfs")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 63 ? 4000 : 0) + (call == 72 ? 200 : 0) + (call == 74 ? 3000 : 0) + (call == 75 ? 3000 : 0) + (call == 76 ? 300 : 0) + (call == 77 ? 300 : 0) + (call == 78 ? 300 : 0) + (call == 79 ? 3000 : 0) + (call == 80 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); do_sandbox_none(); return 0; } : In function 'execute_call': :6127:17: error: '__NR_socketcall' undeclared (first use in this function) :6127:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor772550208 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/6 (1.28s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$MON_IOCX_MFETCH(0xffffffffffffffff, 0xc0109207, &(0x7f0000000040)={&(0x7f0000000000)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) (fail_nth: 1) r0 = syz_open_dev$dricontrol(&(0x7f0000000080), 0x3, 0x105400) (async) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0}]}) (rerun: 4) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r1, &(0x7f0000000140)=""/106}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000200)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000240)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000280)={0x0}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000300)={&(0x7f00000002c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000380)={0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f00000009c0)={0x0, 0x6, &(0x7f00000003c0)=[r2, r3, r4, r5, r6, 0x0], &(0x7f0000000400)=[0x7, 0x80], &(0x7f0000000940)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000980)=[0xff, 0xfffffffffffffffb, 0x9, 0x100, 0x4, 0x10000, 0xfff, 0x484], 0x0, 0x73ca1ec4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@action_no_ack={{{0x0, 0x0, 0xe, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1}, {0x6}, @broadcast, @device_b, @random="01abb5a42e6e", {0x0, 0x5}}, @smps={0x7, 0x1, {0x1, 0x1}}}, 0x1b) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_bprm_check_security\x00') r7 = syz_clone(0x42000100, &(0x7f0000000140)="d1a222a113afa50937eb93a69f4a6daeb1c51185973fcbcd8ac1511fee5166f0a2d7b107ca8ba74b42ac080422e3e26c8fd0707d3352f3e0467c446d0fd59fdc796204deb520c9f39ceb06b12c5dec1f8d80435d3a9531b3c8c63eca16670b0be3277698485a45d91a4737cdc17c96065423348e497b473b96cd4d870b360809cfb9631f7a2cdadf25baade0a028dfa84875eeaea710f44ee0c60be31d07667921375cbf5e90565a7594d78c49ee1a773a21696e3e0f6e9d5a9cc8261a51990269f06e5642a81055ab67", 0xca, &(0x7f0000000240), &(0x7f0000000280), &(0x7f00000002c0)="4ce639fae6a5b1dbfb9b05cdf44c3b14df7c001ef8931a5117ea1ba175c0a1e0806dec26a61e38c8b355e6334aab16936f3b9388ce1e115787f0a164e987d9e1339bbbdc21479403322cf6c7b55dafea9cf527b32532be38a2f0557907e357b05e1986227888aac6cc43a9e5ea5e3c093b693d4d13b378ac2243") r8 = openat$cgroup(0xffffffffffffffff, &(0x7f00000004c0)='syz0\x00', 0x200002, 0x0) r9 = syz_clone3(&(0x7f0000000500)={0x8000, &(0x7f0000000340)=0xffffffffffffffff, &(0x7f0000000380)=0x0, &(0x7f00000003c0), {0x3d}, &(0x7f0000000400)=""/54, 0x36, &(0x7f0000000440)=""/57, &(0x7f0000000480)=[r7, r7, r7, r7], 0x4, {r8}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x98, &(0x7f00000005c0)={@remote, @empty, @void, {@llc_tr={0x11, {@llc={0x0, 0x4, "d4f0", "3855a5dee3a80835452966b4819b8e62fe420ebc741cb5df2368e0d83b02a44133dda9714f0ae883ab9c1c66c38864627043bb1cb645f8ca7ee26fb421090e98e576724d716c681bc3e802709219450517396e0b82978a08ba9cd791a977b9971dfcc61a5318a165f4fccd530654e11d54ca4f12b28362bee6c70bcfa1ce0d983864306cf6ad"}}}}}, &(0x7f0000000680)={0x0, 0x1, [0xf2e, 0xb2e, 0xcd, 0xc93]}) syz_emit_vhci(&(0x7f00000006c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x2, 0x12}, @l2cap_cid_le_signaling={{0xe}, @l2cap_le_conn_rsp={{0x15, 0x3, 0xa}, {0x1, 0x1, 0x0, 0xb, 0x9b9d}}}}, 0x17) syz_extract_tcp_res(&(0x7f0000000700), 0x8001, 0x7fff) r12 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000000740)=0x5) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f0000002900)={'\x00', 0x7, 0x7eb, 0xd8c, 0x6, 0x65c7, r7}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000002b00)={{{@in6=@loopback, @in6=@ipv4={""/10, ""/2, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f0000002c00)=0xe8) shmctl$auto_SHM_STAT(0xfffffffd, 0xd, &(0x7f0000002dc0)={{0x7, 0xee00, 0xee01, 0x3, 0x1, 0x2, 0x100}, 0x8, 0x1, 0x8, 0x0, @inferred=r9, @inferred=r9, 0x8000, 0x0, &(0x7f0000002c40)="04dbcb209f35e5ddfdb1b3b7a741cb0da9e7b4a97e26e4d64ca5560ad3ea50d519bbf049c3135111c4de1f36b6b308bbd028e4495d46ed8393e759fd0a3a8a87f1db8749da45e9a5f999f3e74d920ce20c4d2bfe9ca72e5faea34e254ebb9ca9", &(0x7f0000002cc0)="9e746e3d219f0df0db9f4dac0afe9fc6a3ef5fcab6058f83fa7cff2a82d20c2e4f575259eabbe06734843f871e50f4d47bd62ead38d7be8ce30b95115285d16abc718c0da482b90f24299f3017ce2a536dab659aca91d1cf689107448150e4566abf4c057bde3c378236a3781059cc800867309fb208ab69fe7d3fff31198f363305539ba5a17423bd8345e10a2507adfd0b0df310c33482d2cc9c9ba7bf80c8c7e2159c09d9402b1d7ca88f84e7b4ceb8a193ece6dd5faa70429fbac4f1020c7667302d4a57ab637f35ffe42e58593fe3ece07b5d637ef6d973342257fe2c5b1169399909ba6d369fde"}) newfstatat(0xffffffffffffff9c, &(0x7f0000002ec0)='./file0\x00', &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) lstat(&(0x7f0000002f80)='./file1\x00', &(0x7f0000002fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) newfstatat(0xffffffffffffff9c, &(0x7f00000031c0)='./file0\x00', &(0x7f0000003200)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto(0xfffffffa, 0x19, &(0x7f0000004380)={{0x8000, 0x0, 0xffffffffffffffff, 0xfffffbff, 0xff, 0x7, 0x5}, 0x3ff, 0x5, 0xffffffffffff05c3, 0xffffffff, @raw=0x10000, @inferred=r7, 0x6, 0x0, &(0x7f0000003280)="976ff34290bd8bc7a7cbfc2a01cd57bb3fef9efb9836923feab6b22096e6a7f305b4a4725f362d86ba08a346f5ad87651b24794b4ee5813e0557b0ef0a7c19b1eafef2a16909abb9c855ec4536adac1b482e8e5a1dc478a025feb8b6304bdcd475b1d917a5b6c9d27a6b4858cba4d25301fe261bf12313f6e8224fc5ab0bb2fd404104ddefc2f27a36d9d10ecac7929db5ffc1df4c6fb6e5637020abf5e6504310ab6de659b656cee8ad04d046756ddae33d8d223854dc8c318392482cb991827824f40daf98da166c916dbb8c156c42197b664d7590e6d2cf4ea3280f84051c9ee3114142db27536bcd983f170f221c15dae9a11a52e84253663ea4308f", &(0x7f0000003380)="2c9f8f388d233b4f054cde11358eb632feac99157236e370ad09ea7b82ba5785b9e9afa9e686a62a5d2d53e478ad6bdc5fffb647b0835e147419667c9a116d7dc9628b1e9f7f66533e8e736b4a659a784c610da8c50010c4ad47ecbb1eb2ee6aa0b49090e709138ab2d171e1dbdd6e8653e06212391e7dc1b28bdd23129424500dcd8343ba198c60cd9701af62b4662b082ddc55e8149d60891c650e774755fc3a0d100ff0bc676b466e3dec52ca77d2c4ce103fc44bb563b3c182cf2f65541303d2d29fcbf5a3f42288f8fe1c236c3e12170e7ac600c5265cc5974e25597f049e9c015c76dec0d7cd2979cce123ad647297958c9d7dfbc36afc2ae4b9d2c09ac172a04dacffae8a50219a4ec4adf06ff80747d40c46ddc0764af4d7782807b8f14fb797b2780bb68e6b2a95dde508f4063c65d87143ff2466fe29ff3afa65202a99240c57990e20c5f34a95bd813572f47d8d482db3fceb9f1c54c8a8dd6332e83fa39d6651c7b78fa971ee88756e2e5a3fb029c77a48fd4164f107c882d1743bf852c14866a437ca56d1d2d199f93f758719d2293c5891b77e860b2b7c665129fbce455e93ce66b675619bbb23629d2bc8682ed4695d8c6afe256d372f9fed839de5b5f68d1d30cffb1a4e7402b9551129edc4c2deec8c16714ea309cf20ac7f17f5fd3cb97bfbff2dd36216b8f73403607b4ecb2dc42448eed56fb23266bd0fdf7eee43f34be3706ecc705927ada3d84f94d8a2898ce00de369c607552f6994ec15f66ce65c4952e30581ede46a2033589d2c28994bda0531943919e301a6d8187da7b498966af1fe3e410e5c167afb133b3e5e40db618703977b24002f621183b61a6b680301387e2d89565f0f62de825516d349c174c07924f4a8dffb281709e997af6da5a62a954969b5335f3074f2400245a77b195131d26ce43e17c3a201a5b8518f8f961f2be9d170c6f5b2b236a394456e577bada3307f4eaa8e0352bb595037e7f30f5ddbdf014ba5b6f3cee6af1fd4744fd0bbac1e2ce29853c722956da7de4e3fb9241820b0586ffa29da5b6cdd12da1a0418643b4ba96bb43242146f6c0a33980b9385da283a2a052b8c201f4239f957fea5f23efcd5ad3bb076abee60ce467eae6805e186e974934280a267dbf7320cb90fe9322bdb6ce809bd35b4130be87119047efd755cc747743e6da51b24af5c01661be2f813cef7d7ed9b61e83e0dca2c8221525b281570276a5958c2614929794c2d55a6b15d1701b1961a078edeff50e0eb0e02d9b1d402657ce25bdaaf910ba4549483631a5489ca98fe979c54c7400c9cc68fed1ab00c402f49d36c4d7b2fb273f392aed4f8def256d409e50d26e7251f91b9f5bcd8e84202e520cb7fe434744fe3a8831c1af1eb20a8f88579ab19268d7eefc6dcd8c94e3b6896e336e0f738aa244c2dbec12324a8a1ca70e040d07a7900f76f0b09e0faab4244d568c00309b8f31157d91788c871d616d0572a26f9bf40b2ff8f034dd9646fb13ebad2951fb7a9ea5509211359759fa495722e0ce6e24b48e3d2a1ec6939838040d00cb908d9edafa8c3845754bd5be90f6f92cc70338b3b1fc072cf2682740371caedd80fece859b1587f04147f50c5a9be927b5d51ae428a1c7e4b594ec242a0dab90581742428e5db58ac1ae32496f37119820ae295a3df7a95509d05d75cd778b54e44a317eb901c7cc28ff74ab53b6f4fb4ade0fc4af2be36d760476ca853a782e7614a133a99f1e5f0f12b9a958e70250fc9bdb898dbe34d8ee32b23ee9f0192fd4bf8f9622edd9f7acaf4f4b92673ccff23227c94132271735ac83de739c85cee73abf94ea2fd0e5b9c54fb7a2bc8771edfe9ba3eb70dcce56f7890aa8a2028e6d318ec234b525626e2460c4d007e74f7ad4068015a5032fb6fc553b27faf764671222ef4b39804e300d9a58eb4d9db9f3fe20127daadee117874ff95e3676e37bfae3061e95a71e97b15e24349f07856def173d2ce459affa77c5b47f8b677a1658f7d89af72253c800e62ce2b11f4bd837fe980f02d4f9719c0fe48454f72809deddaa972d65282ecffee1569a2a5377096ff3f010044e71be8baabfe65e99be10386ada70abfe86e7a4ffa8753f862d2704ceceb6df34a6dd48675441f7cca635e401cb2306d1726e1c3c04266419e991188e77cdfe9e0aa13c76107a2a27f7216b42a690c0063c92fd222f45fb0820d0464ef0b7ae6515e8174c7f90ffdec6dc2913d5ad1feb80617701623363a4e735107b300231ca5624addf083e075aca1d18d95c01b7357a4118fc492c07ff1c0711a9e00bd78ff8e431d7af674dce55832f45901f235b7824e8ad0ed0d8d67f7ff612ff1eca74a4deac721fd1c85980d87dbc8dbef59f3754720f0b926c25e84b1d7605c505f8e75038fa29f38cbfc97712f92447585a45475a90db7d81ce2b42929fa6ae4a6790560025fe0577ab52358f0b098800458666bad646991e146ec904511ca2655183631bdf0d5405879d6f69932c844190e2d916a7ae65da287acf801209648800a1dfe3e9b38f7b58641b0fc1804f9a279d8f4c803d0565650606f60a7e99fe461ab36d725ca764611cc203ffde0f06ad87cf91602381f1ec7aa255b6d21a85fe2e32a060f18b53385476db436919f9ee6995704046350e098ce1e66a1b8328fce20e1f8c98cefaef29cbac0bd9c0f1914538abd48436e92bbcf1271ac66ced7a53013f815f015f36180e323ac8247128a915938c89f711332d9758935180eeac8b8c9f99f9f306d3481b3a68bf9613360681a92437c7bd80adf9899093f3286fd18540a8c742510db91e48a1255dbcd218fe7a34c5058ad59a6962abff5327facd4c2b3a51ae13347d56a19f484ef62d52799ffe802c9fedcf9c076896018db33cf2bd9b0ca59de3f7487a273f7e8cb6d090b14a83ddd2f261d41f0fd1948e0be62929fc668b9f13753e61d08b1a88752dbfa315e79c2d81881190d2b6ad33ad8ac036e5a22b5ea8225ea410e9e8ebf86c4a7ea49765953cd96d05431157a8048fa61b80ba606cf53af8349cfadb89559fdf204ed283d71bbf700a9cc3782607896c851b758405b007e6150cc7e6586debda12a1c4b2b6366b3879623cf9eed75d56f4abca9151eb504670a4a518c668ed9488d8b5f1f212ea69c51a7497260c2a4859488b75960313dd3f29bfb75ea094ba325f79a028d07dbf2137bfefd261b0c5609a169d5f1bbe1815f06ae4e26f5f3f4b36cccdd3fb7f8adcb7645e37ed7d9b63c9e21cdc5954e2852bbfee5bc30a978399189e63b92699d810c589d61d0cd0c6bf4ffb892537e0ef1887d1ea047290ff609584a00dec798f8e72e06c1be8399ea069fd13caf0e1b4cd66f84e26869167d54b8c43c967b270bd8561f99dc84024223402ce0957d93e8582bb8f4583cc2648861fc562fc2102a326e921a418fd518ce636e4e3edc36fd89bca25add71accb89d777070526d9cf7274dd486909c3b142d27fb0abd467be27c36e8487ccda73ad0c89adecd36a08c37ce15b876fd2121a7b0d11bde86759eeb66287b44c61ced7f74a143044ae805869d31a1b1c44b8150d8d630debff9e95c31187b774441fa8137c08ca316ab778159917dfbeec94529d3a12c16b9f39c4d77944e6f16cf9b819f9d8a42ee73291ed84e2d584b305aeb799c2cd76f3afd7e826bef0b77159bb4dad1139eaa9cde7bbfdca740addb511eb8b91d548e18d7cd691dce8578382ecd09ead356f85a4acee4bb8b19342c748ad9704b11e1d9b02c0218ca3e799ab80017052fdd66e9101a00b7657ebdc89cd425334a916df19dbdaf6e4f63bc03492913c86d058ea61685df77a06e0df07ed3fc1f92df067e86d0033640c10f40c279c264c477b2899d4a244b67ee884e519b4dbdc5d6f1c3ab67c123a597974bf3a57ecc909be9133917017db1d7c9e192618524a9392957afebeefb2d8bc4761034070f4179582226e34b1865d26be00c9bd31320c313cb509057c27f1274c78f471bf69b85dbd478237383be86c86f4b0117a2b157820832d07d88d2e78a9aba0b045a19dbf8a6faed40e41ca47c013c2903e69f2ba49b07b36e1f3bd69bd4a82ef2a428a831357d25f5568b69e9422a3ba9533fb5ec240a391aa7b612acdd3502fe9296d4fa02af39f21f159af528daa3894c3d10bc8f70f204153a066e1e6e1174232fc420ec647e29bb4688f26c7d463cdeb95eba4c0d1ed3f5fe41d5e34c0b27b587454fb403e8c9a0fe90f53174d547dbccadb6481c48c979cf3414d0d47160a0b9f6d9a4fa8489653ca2e924223a8a52ba63fbc1af034cbf44cca4728f09e1f57706d6107eedc0659bb9c6d8a3383f11cc87e53aae6dcb83853379a6c0d536b1e06773aff31ea600397c43a66f302837d521fb6abfde5beed88493a5eecfb26ab6fc3f879ec0121f3aa7330bfb82d14528d9c5e2033c05cc6b60f6669273f99099a5d72c2c5144dc0b2aafe0fe7bd01ebae29bcd82f4ca43c5a22974c3c9d923a62e390532e2774800015307b8aeaf1b7a061fe77131a5e12a9cb090eda584acdad7bd8afb20deab65d7d1cf3d16ca8187aded08a9dd9bf830ceb1113977211035b1a9051ae1ca5f1f326e4a6e257b62d7792effd005f183df782bad319bda67a92386c6622d002ee87cfcb1a4f9b4bb4217e8675299f2d8c8f8a6324d3602f768390a12478e7afd2d52cd23567b1984d48d855cf072140126ab0a8942759cf3898f118284d2a933721d71db420e830c88e23b1f07b4425b97d0b8374bde0cb8c3be352471c15c0db69276261763f46ba3d043ef637dcb3f9b0f2d4340029222be810bfcc54e447b9ed750f2f275971a63ad6127bc7423c3fe8fe22f281a727b9496b703f0f68878ca8e117485eb7c8a7b38266bd5a07b5a2f8a9c0d02ccf8c8f762bd1ad4b215b295969dfcb9f19c13d88f72b54e59400a7201ac79fe2fcaf329c8e35a3eaf2417621a00eb5cd2da50c611d5b33e35997071bc1fa35d6cc81247c17bce39d225172ed4a10640cad8178865b307b866323a25569b6ad3292cd47f73044ce58c454961cb5523788a14cc46228517312b74793f0336092e7e30a0da14318945ca2312922bdc8f6e9a4159913fd72dcb4e4c787796ee465ca2bf4cf3628725a391197efe8104ea71c630b72ccf8fe427be80a0ca6b14f53ff9697b6279f0b2cd23e356f951d7c08b7f146ebaa3cbaa6a90d1d9af187e21c829377781d75d544662845d403226516f4052479d8ff176e24ce5510d6e33f04438462386babfc53be7cfb6015296979fe4122192cd44b046ea7e71238c0d3060a38225b9afabaf1693354b3521e2aaf5de3e85e5c586765ef8e2f9c98b8ed4a535f6708f0f171895b57da981c4b3d851fc78322857b8fcffdfc34fa3ef658eabd567b2ff35f0ae288701a811f725c8719daab4725c7bae2a7174861812ec8e9a999a4a7dff379008fb7a93bb9d5da43ea9e10819f914119f474df29acdc90e1b4901fa8d2806394adb6d34f564489340015df154dbd9e9bfa669e277a4c3522074cda8f036e1c762a2abadf3878e7b70598e4df8f7d6e134e13509f1f3eb2a461872adedcc36407d03d453e710f3b0305b35c069bcf6550888be2c3df879622f7c091605c2b473384e4aabf373845b643893ea03ca9a2332f7276ab52ea5e69a3206d0b29eca19fe9b561d58748f0fb5f7cde5d32ad768133a5733db27411ac56849c31c9cc9877cd771ad87db0014b011c071a8a57afcc9111fad241"}) newfstatat(0xffffffffffffff9c, &(0x7f0000004400)='./file0\x00', &(0x7f0000004440)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto_IPC_INFO(0xe, 0x3, &(0x7f00000046c0)={{0x89d, 0x0, 0xee01, 0x3, 0x0, 0x1, 0x7fff}, 0x8, 0xe40, 0x7fffffffffffffff, 0x5, @inferred=r7, @inferred=r11, 0x6, 0x0, &(0x7f00000044c0)="ab561aab77c583ce985b9783d96b5e4e3824cb3026da2efee0101d24cc3c6b58c7966f226c27699f3dc15a3304862622efda37f57e5797f736c482b334c0db1039382a78928d4708282c72dc714025c2cca6fef30b64fb050ee5845b1253799b15940b967116839e0075330da8af7ee9a5b52c5768fbf02f315471e6d7ac7780eedcf56dab90441764c1053f95a9e94feec9ea2b6820f3be40e34dcfbfe71b03378a751c0e0fd04fcda924050048f51708503500609235cc75d299eed66d2ac9583e91dd31b9cfe3af5c2489c204014b7a74549d85c8e8dbaceb6388f245c262986d6b26eadd8fcb38587b698b3c59fdf63a82c643db5aa17914bfa0", &(0x7f00000045c0)="be290174f8ce0f04911d69badae0bf37c4fa5b15fa3b1883ef707038444de4aef3a73f3383480e830ddb756243c29709eedf6974edf3be9df13637b48ed14edc03d7243bdb53fd99e2eea6025693ad0701b82ca38dd6d08cda9e31031dcc02ffa54384c4aa7d870f8b1ab9ff5c0e744cef60ad5418d5a3b9ecdf09a54a1d9b12b10ecd3bcc7bfe6ec02b568daf99a59ca92b8a9eec612f3829a08c44fd4b27611da5908b591f340e23f5ba2adb1e29e89f28f5f2514379e45462dbc30a7202bb25c19ac61489119c4a8aaea4000aac8281c3d426d8a082b7dc78f57a12a5c63562"}) fstat(r10, &(0x7f0000004740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_IPC_INFO(0x8, 0x3, &(0x7f0000004840)={{0x8, 0x0, 0xee01, 0x0, 0x4, 0x2, 0x5}, &(0x7f00000047c0)=0x4, &(0x7f0000004800)=0x5, 0x4, 0x6, 0x0, 0x8, 0xac0, 0x3, 0x401, 0x2, @raw=0x400, @raw=0x7}) r26 = getegid() shmctl$auto_SHM_INFO(0x9, 0xe, &(0x7f0000004980)={{0x7, 0xee00, 0xffffffffffffffff, 0x1, 0x972, 0x2, 0x6}, 0x7, 0x6, 0xb9, 0x8, @inferred=r7, @raw=0x5, 0x83, 0x0, &(0x7f00000048c0)="4166dd81284669cc6529e5a0ef081d370a00722e0c7700e484177e2729e55d1fe0f7564690881382a850b3b8d6195ea5d032edc998535fc787928ab4a3b1891540d246d40daa7a5fd7db2bd6c99b3f2a7e514d0069f2bfb485d9e08e67c46824c2e704ffa0431e1c20432972adef084921d4", &(0x7f0000004940)="3c673d0f3bdbe20483bd0ef8f8a2c865bb817c75a3555f98dadf18fb4d805bd339d5717defd470ce"}) msgctl$auto_MSG_INFO(0xff, 0xc, &(0x7f0000004a80)={{0x80000001, 0x0, 0x0, 0x8b, 0x4000000, 0xe206, 0x366d}, &(0x7f0000004a00)=0x5, &(0x7f0000004a40)=0x7, 0xb5, 0x5a, 0x4, 0x7fffffff, 0x2, 0x4d49, 0x0, 0x2, @inferred=r9, @inferred=r11}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000004b00)={0x0, 0x0}, &(0x7f0000004b40)=0xc) msgctl$auto_MSG_STAT(0x9, 0xb, &(0x7f0000004c00)={{0x9, 0x0, 0xffffffffffffffff, 0x0, 0x1, 0x5, 0x3}, &(0x7f0000004b80)=0x9, &(0x7f0000004bc0)=0x10, 0x93e, 0xb4, 0x7fffffffffffffff, 0x2, 0x8, 0x8, 0x77, 0x10, @raw=0xa711, @raw=0xd}) getresuid(&(0x7f0000004c80), &(0x7f0000004cc0)=0x0, &(0x7f0000004d00)) statx(0xffffffffffffffff, &(0x7f0000004d40)='./file0\x00', 0x800, 0x4, &(0x7f0000004d80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_MSG_STAT_ANY(0x9, 0xd, &(0x7f0000004f00)={{0x8, 0x0, 0xee01, 0x6, 0x1000, 0x3ff, 0x2}, &(0x7f0000004e80)=0x7, &(0x7f0000004ec0)=0x95, 0x3, 0x3, 0x6, 0x8001, 0x7f, 0x5, 0x3, 0xc, @inferred=r7, @raw=0x9}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000005040)={{0x1, 0x0, 0xee00, 0x2, 0x8, 0xfffffff8, 0x2}, 0x2, 0x6, 0xb, 0x100000001, @inferred=r11, @raw=0xc, 0x8, 0x0, &(0x7f0000004f80), &(0x7f0000004fc0)="4f525e340cd5a86e0881814810a2a91a15b1d5d14f4a79d14dde318eefbdd8e8e728d413187ede4fd069fc173d33f251936658b970959cdd1a15bcc3c26ad76b38a5be0c00532ac5254d632a2d800357de96e6f2f7841688314922a5eb1530e0b7352ca60639db7697142de2aa07c7c6a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f00000051c0)={{0x20000000, 0xffffffffffffffff, 0x0, 0x60000000, 0x5, 0xb, 0x4}, 0x7, 0x68b, 0x19, 0xfffffffffffffff8, @raw, @inferred=r9, 0xc90, 0x0, &(0x7f00000050c0)="390ceb0f410c002527eb3b46b10c24497104200a43cdd523e8a72786cf59380bde524cb59556d5b256cae07e343b52beb18b62eab07c445eefcb35dabf186ef840417c408f79b74aa6ed333f9462acfc1db146b667a8962992f20af86d7c20385025a74f9071c79844536cb7ac8f8865fed4a57d022beaf618bdcc6509c5be81037e584abb6ea9b8cf0d2e175fcbfe9bda3668d75268cb8605fec3ba1bb1e6c276a14929c3460e1693458f22612352db6a3efa4d7c7483d2", &(0x7f0000005180)="358f28870becbb"}) newfstatat$auto(0xffffffffffffffff, &(0x7f0000005240)='./file1\x00', &(0x7f0000005280)={0x4, 0x4, 0x100000001, 0xc49, 0x0, 0xee01, 0x0, 0x101, 0x8000000000000001, 0xfffffffffffffff8, 0x7, 0x0, 0x8, 0x8001, 0x5, 0x8, 0x9}, 0x6) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005340)={0x0, 0x0}, &(0x7f0000005380)=0xc) msgctl$auto(0x10000, 0x1, &(0x7f0000005440)={{0x9, 0xffffffffffffffff, 0x0, 0x1, 0x0, 0xabc2, 0x100}, &(0x7f00000053c0)=0xe, &(0x7f0000005400)=0x7, 0x8, 0xa2, 0xf3, 0x4, 0x6, 0x5, 0xd7c4, 0x80, @inferred=r9, @inferred=r7}) lstat(&(0x7f0000005b40)='./file0\x00', &(0x7f0000005b80)={0x0, 0x0, 0x0, 0x0, 0x0}) statx(0xffffffffffffff9c, &(0x7f0000005c00)='./file0\x00', 0x100, 0x100, &(0x7f0000005c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005e40)={0x0, 0x0, 0x0}, &(0x7f0000005e80)=0xc) syz_fuse_handle_req(r12, &(0x7f0000000780)="68f4b9c022245b560b419427c3c56dc4ee17cd422ac481d8d2dc27c0c24adf782096477e5b7a147733cca0eed7ced0abb03ecfa0f83e914228ec4e019a38468e2e4ee4edbda02353ee9a4c106339d7b118a30e93e6de4552288afe032af1f897ef39ce140cb1d452644133199f16653b9215c37f78f192752d031c6428d735621149de6243a0ab6fc46528b0a0e2d64e65ecd9e13409abd5e73039dd00e08805e51adf3a8599d99d69f23775044d3840234f1db089fb0987d645ec25f4ad3eeeb9604d1f2ab69fc3bf8315bf2e7b91886d2a6f5071b66fe5048b6b654412900507340dd1add27448ea31685b4e867c68c9b551df246b90d0d0fd9af8dfc647fce7c377aa364862ff0243ffd04747b945baa37d755c236092b3ac7aacf612a40326de09063212aee86e163aaafffd8adee4b515465cc919c1513dc7c9678ee6483fc3fc68b884a9cc604f362386feeb1a7efbd41d42627f06fbf6cf913acaee584da6050cd6f49ab96ede69216b0aca3499947b02f1b623245d4cc5dfb5bc7c28c4f77733c3330d49bb25ce9b47978b576c20e1c4d8b6ee1ddb2c80eb99a3536968aaf2f01ba3142d6d7139f47ad871327d9eb2fc364bb42cb60a572c71d1a13f94056c727ad80dbc0b3803d3ed007cdfbdc6f986845b239671233ebe9c973bcd8653c3732e52516409020f4bd05164909329cf8b09d57bc49fdfc9c96ee78b92bdc6e865b56195bf2987b6b4adff6196f37ffd8de510800b328ed7bf86ae6d4fb1d8e83d1c8cc93c127dfb6589d7e61ad8559c8700741988a06c4b3a03ee3e9569f795d7f1433cdb520eb451c351c23013c8b6007d147d24dd1d52fa5b0e40540f38bcf7419eb98a47901e9357a78edc701ae82fd058cd6d96969f2c6b4b82eacae112d67d062d56f0fe3b9cae85672c679497707254763535092769d38d26b9a6510d9f64fb09dcb7283de42570546b0c763ed8cf60f53db86b7563e5726f616c4bb2beae0a9e186eea24f642d70d34545784e4630d4e3ac0289c2caa22628e299b293d2730cae7fb99d4dea073e5a0ba5f34f77dd928389543e00f2b595649ab73645425e273e4b6d754cd17a627aee1da767160bfe86b0416adaa61ebee1bf7409f284485d43f8f484d053a1736da79212859f48b71cec77ee23f771adced4fe526495975bd04ba08c799c07f57084abbd6ba4281140dd8ec0693180a4daaf48b72ed48df137f68dded9a411454faf88dad181aa2306c36c13c15a5fcaab5bb79201b417f403c83d0419e29f62a66a0e0276f9f96c87f94b7c8a32b94cea7ef64fc4ff41b21d6846c2dad67bfa8a4b57a6e5001e40205d386ba77ae13c9a112128315cd6a1a641b228de06eb0a709f5e74da475d22ffc6533c9d9b2be00d22bcc8b4718705609608ec3e4c43579cfae0b6002f3154da6147b856d82f3dc4d4bac4f509b910796aace375ae79c8bd3e75d709aa0d90e29ef0e03c69fb8e5bcb34e4cf14a6e7cf4a408e99aabddcaabe1f0c72383671b4563cd06ea9c75e5bc2e3c9556ac45f07bd0d6c9b391dbaa70171e71301fd5395de383d135814c1214ce33208c1bd8403e948fa0b39379a14029f11958fec9eb460e3f9c7349af6306d2e0cac9a4e4de43e93127c6ec8b17820a5700218f5b08e0a8ce0a448d688c945d36b719b2dc711a8d48098bf4edc5e26fa5647a647240fff4d76688bca713b8dd7172afefba6e4a95f11a111e3cf039bbfa41536d9ad7b0fbbb4ff82cf19a72eb07bdcaaba2291ffaa0d0775f1aeb6866c23cfd9c8ea68c1387f89772eaef2020bcaac5fefdf104ce5160aaddd65fe9c489851fb090cebf0220321dcc57fdf71e9a1c1ea53ff17d131304469eaded3a143833afff98a93c1c413494bc0d6cf3470b2eee534d4f17de37aca75d82169f1b63341230d47e85beb0e6f50ce72556e37b73961292b9f0343851e9dca9fbf4ee45a5814b04444454413a019f82949881c81a5dddd2097a8e5c45d68b808adc27fa3abe5516b2a5c1cc719ee0c979666831a15a964d5fc2e87068cbc4e470d64f34f0fa9ac7e94a0693dc21964297b96de293ad5a77f2a8dce271a89d10a10b458a8a8c521f27a50cd206bf0ec9f2abb3dc1682d3add75b813c5979ef56583b5212775d617322bdd7c344fb0c2dc1dbcc63123119bd652af941355f561b8fa49b8e0caba90002c48b88c80ebea67771fb479f5289caf5eae18f01a0cd7460f3de6c3f92f1d43b56b0ddedb7059e7f18069f804b2056a20acbdf25f8ca36dc1affa80e2203a0f3639263a42e9b3ad0614c6bb3cfa4376b2854f60bcd9297bb0cb45416136f21bca9fe38fef0a1c265ae423b36eff0c7f9e84d3edce5df6a2e768949ec9dc4f9186c489546e24c713db919bd51e6044592837c8b7f037a8b3a9084d961c02fd0aa4245baa5e917d7f93f096fc00cd3da057edaa7476f9a3883c1ab863a917746bd00e87855bb58001674ec10542e70306310d73399f34a254cfd03b4fda6dedc8d7f2a8c81e6e17beab6710a2c2a39d38daf05e04e38e9d10f308131de76a359bd59015fc9f10769d36c160d3efb66174a97b6a599e74baedf336c3d9b0ced617bf0a530882d9168e64bfb9c36ea351af436f780544cd1f006e5db439d1cd9c6e2b591c37698e3b956fdd6a96d0c1ff5a5c2b4f20e8204fa2394ebd18b636072f76d498713d7258f8fdaa7d173bb52619ecfbd037e9d9e8efd79e776ea36889904152981d398f34b5e7582b7373feb1310f6a3f43da3656211581c4dcf82bb82cb513462808cea9fe21d0cf8707453e9c1de7a96a3829212cbe885aff10c11171f5abf14a8e6f22fd0048ac5e4186380c14c5c2d4fe13be2dd3e6f26cfa94522d625dc49d179bcc48cb42ea40e94f33d9e76ef925746cb525139ea6205c6f1221d9342e202e57b818a7d1214de38ee9502993b73086602a97519f6a099901b8dbd576abd64a8b13d5a930f82c06fb9c5bcfc2dffa97783eaa3385e72f9985d57d7ccf93b7c607992cbd249ed74b6da3ff1dcf6c723ccb3725ef18be354160d21b9314a7d01cc297c6b1fdc8a24142e555dd8fd4a28e04c85836e46e66364908eb84facaabb833b1da7031967c10b8c2aa3cff44f7a9dcfd0665d1e90d93be0df77a25a4823d8dd35c35dc4cf1c73ba26ab20473f301223a6ac9672220be0950f92bf1679874544f8c10e23bc9ee1d40a006c989bf9885020a65a4e7663a8117bec09e2a2109c52789bf7fbc00cd3efd7a652b15c4c4c05f654118e90643e649d7fe431957b6f1dc5925ba9ab6fd8a1f6a0f83a8a519c1dfe4236034ca5567eac95ea12912e6067181d61294bcf09c17f9d948a03b0afcdfd3a5d470d289e4b4744e688aee68bf26da015438a9c336bea06ddad4874653289c34c032764180f9798f33cc0b82b3687df74fecadeba2e58b970d6e4654d7b09b0d85c78961276a94503098577ba4932d17e0a7dd1987e85c4afcf01f68d7442038246b6849bd16fe035936be75e5626cd3d068b9df93085a12b9569cb27d301caaf2f4f337ce6b194f4a85a1755a2b3805367e5de5e4134df4fc3941625d44171a9840ef2267ad81f2aee6c34ecd3ae96281285b54fbc217290fe1f4675fe64d1b844cb43c755ba29dab531e837ece7146009fe04b727257bfa7ad4180e82e9ad170a9ab781efc150600ce37043ccee03ccfbe76509d63ff8f21862736a4345578c87f8f4142c97a47add5c7d6d7359b2690155a11cdbe9be3479e0f4b2dd44a68a7848518d55897e49bfaf2eefe6bc06d560e25f52ad1231d4664427bad4aba0d615985afa47ebaf242d3b8c168ad59cc05a1ce750d732a67203b3fcfaa4ed6b2ff004152eef5652beea4c6270203f154c70bb6c5fdac24bd7fcb6389bd1b51759205ba1aa1beab6eca99736f4a43f21a639536461d2438a913ed03b63db2621c63acb496eecf9838bfa7f1852437b458b1046197e511ea81479690904bc3a0bb4b9ecc0962e33c4cdd921f824abc2c19588613efdee01db701ae5440cdd987d868314df9ac7bae59274021a5d0643f8d1d3a97b8c8bf02ee9fc056cc164724851435f907685c349db9429fec6e2df3c534d94cce4ecd2ea55d72aa88264c86a40fa669306b95bcdefcaf54f117770a04f35e721f284f681b9d3114c4bed29f209220638defe43fc436695a58ed3f20dc921e4a21c79e5803927deeb5a14c532e3cd83ba32981c192e20e93eef674402afba8d378119f634ff065fb294f9e38c1974d4d37cf673b58797b5e26e22b0291623ff15d002d55a8dd00fe4b1fd54177d1fd065da0b17479316b58a8495aca42c440b63c8f4b1a9538df10c8c9546fd8c4195e1eaed31543b8061c8602a8977123f56e5f11cd05f5a36a448cc257571f0e5bbde25ae82f583cb313ae7bf5dece56b617321cfa60aa9278a28ee9f78ec7ddfc5d0f665ab1a1d5531f2406ffa9b5ad6f9ae4c98f85447fbdb9efc2ab398801e905c229e16ad9f87bf61956a7829733fff1dbb2c355548c4e303d1fb2587abeaed6911b3d5578d9d4355193af1f6eef1870f0f1df73615a5d9ffe9d42b7f94c215f9ceb41d605e95a54b5fb3c62f34396f9f951c5650920f159c1c330ecf7bf70b1b8d0a973ff4af344e9950ffb9edfcd326818e28471cccbf70b71ac2863eaf7ef95dbcb2f988c85c266f869914719906213c0db18a4a4712b02f7201dc95305a3a531f466f949fef612cccaa936d47aef4bbad390850f2b8fd991542e3986de10000dbd2bc09f16c99ed0b461cab444a1db069381434540795150de12427b1b5d0601a523204283fdd6b69e403fdc3f94421140dbf94865f35af7a7bae5547978fdd805cc52d68f4ff49beec4920e25d8e4a237a86c785cccc3f2ee7ffac881e99e57612c8c94bde400915f3f75b546579f401e2be54930904b98c8242394d81fe94d267d3ca3ea3a0e1c9107ecc298efae6a19e7337883e27af271e06299acc7559f0ea461b875e27138cd35e046319fe9f838c511305fc803cc24309dbf335b225c58b6caeb2724e44a9278ca823519a72433ceb2166b4b73a35b97de2f55438b95826e0ab348501187375b0962367db5349534676f352835a1059c307421b2beb2e63c0a006d5271f493e59069882b103d536608d18d61e974222c43b7ca92529c8b0cc2ae9df8c2bc2b20d6833147ec411c4a5bff534cc72b267714592a4e43252684940f54ebf5f39f28deeab2c89abaddfb6fcd2b1c025bf30dc2edbc0823ccd19fe52f9c0b38c9c1acd6b0efc3f688b80bbef5473cddf820270d721245cdfa01bff1485864974b428dd1933fbce968d27aecea5dda0ca9561919d5d85b098fc4f3efbf7ead3912851924628b888a28e46320afe8a302239147f48f2cc2ab274db1aee565b15ba2db832fa630344d01cfba11287b25c226f28bc4ebe1d204e90a39a81c6b2136b0164edb65194ea5510a9b9efc0d0a2352642f0a8a23ef4e6eb8948f5ab42ebd45ac946bfdb689cba13767f8d5f778c42e2d07d088491e06db5cfbe29ea3f45a43157945d419de632db52fa133d990efe2c9e473ec36d689d0b815845af5761981d46d5b9f3865f916b5bb93cf8f2e8d4a11c8afacfac2c647e6ae9a8696c9ecb6bdbdb2179f971eb75e14d52598ed6c16ec1427e21df5c5abbbd85e42f32df37c485ff33d0654571ec60af8674ba35c3ef627d24b1c2d84ff2525416c2a4265fb6de8173faeccfd3138316c4c7c329017928fe1b64c29dfeb4570f7de93f944615316fd3ae6cc12b94332fadf75b15a13d6ff27f7c61981737efc6dfb528942532eef5e5dcb803c1ed04da23bfee623a89088d8783c7edda3f56c5404ee7e42f09854753c1a0dd78723c9c4ef12c7ead1863a53af48d8d61457f2432ffaebb356a6e78a1591f0424aaa1f025dda17a7b5eae3989b27a573f59bbfe2f993fb18273dc356aa59ec1b2f151f84b9733b271f1e04d17d41e728ef52cfbc0111f123213fb22237d81b0029bdff7017f8703e1ee301758ca9e22399c420b3631e5b998737c2a75939fa46d1e617d7b19fba4919e35ca92d8b59798da36a0a5d4341a6eb57d5129513a6e862ea94f27c783c9e68f930d5d337c289ded11d510847a50c61c47940c17a32b287f704664f1b61e1648850891f80a4b61479348b43440d0c9c91b89257a4af7253ee5be6bbd56f22986c38b536b8d5000102cffd10d93808b8b1c4eb53f0c697c217161c4cb7e091d4388ce3a20eb5351538c2af3a906e6ac664a5d083e395eaa5de791ace45bd02b5e26bd36be796e95c74422b7d8f00c7bdf4b648a1e9ccf68e912abbfff3c74d8c56385d7a89a84ad3c3946a38e82080c3b38a0298070d8850475b95b379d62f5029103a7b45def66d25a08e241c42c3438828e59f5b1d1fd8c975649d03fe3e536babaede3fc3cafef77a72cd27b94c1d774efbe19374702f393729898bd09bc8a407720d67e9fedf01852b893664e35c26bb48656a5689e7e3a632e9e5a3bbe875ec6b5eb73fee6e605547596d0ede39c48b9d9f63d7b38c1f619bc6f6903c02c47403ae8539aea7893fb8110e4b5a9070836853f3a61648327f0c6953794fab38937b278dc0a1ed331ef4a0360c41f4fb35b7ca6e117e785833a224fbea8241c59c9d96ad650959a23c747d47881021a530c9aeec13b5b99a268e2a63a2b96846cd3e8520c770fbeaf52f9a6e36b7d5e0db746788613f6ead88738d00c30206fe07295b70ed21e0528a7b909f3d2cc647b335dc7b9829907c380e583bb408ae2710b40d44df12ab98ac6f08882c257c26b25608ba5af2e00e7c33e6084ec86a2258cc3dc8bc63c2eef5483b8aaef1cb7ad63f4a286803acce81ad14097473c65d9c37f2578de04e18a71951458f2ae3ab1d45a548fe11d4764806e713b628c1967da918e8ed6556e619beef08ad8b93d7d70917457d9c894c7bbc304daca443d14656a0268d74e7658377441e5fdb14148964f56a3058a8e1a95e10022770da557445387f2425e7bcd386e621f88713fa57f442462fc8f7a588f849ec7a108c6a5a777283fc24c879874767526c5b6b2d22212f4bb8898811f731e78b001ae052c47d832cbd8678314cc313fb6b9966bcde9b1ce15b92f0597d58b15d91e31f221b2f1d6354e49de2a7a58d58f361fd647fc29dca3b5da3c6449c52cfc5b87bb4843cefb1052eb68478b51c1689128be434f0d34b511cbb1e84b8b211a9ff1aeba55185291ed5395d4ca5b966dcb7fbff432b931f6766a9b37d341d5f83d2969f49fb857913fd094ee9153e905fd3a000825f4c9d591cae9e1fa33abf94663fab49e460f1344cae1e6804f2a53108cb0f29bbc0f6a075688d987d6cf7ca3851008fd82c35589ec90e3902cb1ed0513555e303b91022a0454948aa7d866dfb4b97fdf6798be4c742276d99f685370a910fc2be7b289a44573785e09ad0a207940ea859befffd95cc97069777e3dd0506261a8edb94ab25deabd371bf0e8dbd5f035a753871faa5352cddfa90496dc3985ffbca1b31290e7eb460c20920126bb8ca9304e3553b3748a8f5df0a8977ab994728fbb540e073cc3f0805b5df288000831d8061c06d416f458a2547ff4e6036de1181cd1d42af41615ba4e16d6f7aef1cb34060722212ff561275bc4974f00948f542a5e06bf40b8572df1d8d68ba0608dcb027f8f11c0b93e65b2de9a16fe115ea940cd904e11b2fbb7c0e6729076657372c134ee6fe8e0fa6f9c2ec12bde36e4625212a472d1501051016814791e7a2fefbfca68589865f0837a32b1201c32291054bf7187e03cde3add7a3398aebe76672e4f8ad81a9eabec9fefabbb62c1d73adc3ef58a68775f516a99f54a75a7a7b530dffca82d2b222c993b785a1a7b6f7accb584ae25abe1517d70a69fa2df2c77e4e0755e187f60bc824658b8d88dafbc240abeec3493fdadd6a1a94680e5db4bc1862c758a519021c0121789f4cdf1e2a71cd536daaec9e4b72e9e25d9251fd3ee511f1e081f906d90dd4df5cef6edf411aabcfd5d933e2653581f1f0a49d85d503ab0f1288743a8ef5969fe4ae3af9affb7905ac3a904ca86cd7e8cc5b96677fbd2bbe3e3e67d564e2db1f14f6a982da3b7ab590a1fb43c44956ceb95d2d59db9e3517506c0e1643a07664f7a279f23b9945c32427960242e7478141ad1d1701f68033b69c7bd2d64318bbf48a05a32779956e161f42682bc1c9330cb6abf5afd31c8e11a4b078b03579e099fd3d8e347330a01fdc2b5ca05001a2d139a5bd7128a02f9d19b8581bad0e14faf9f0a132a6d85bbd291de696a8c67d2f8c3134aac24e41bb5a4fd742c1371f9a8e18ec9050b398a604888ab12a8edec792974456ac6c62989a78d72e84e0bd7aad9e1c08601e2070a4f2bb1009104088278263c2a645d3187edf12fcfebd3d8b37dd893b25e41edb518089e06e1e26a077bbcb6b7068ca74e1c4b59497ab481faa7d18349d0fdaff9f8a0cb6c242560e31a9f9e34c6d8da4e6b471000dce46d80252700fbbfa3922d5deed33d109206af07f3a2a348a61cec80df1302c98b7625797a113eb0b714ee647f7d13d6c10225bc121b6666083fc15b63c2b07e487167b0cd116ca2a399322b9c08f418d1bd83cfc397adaf8ba267ed4630fcb62037603caaaf968312e335afd663fced69900e25073963b5459f597d7e7e581647c994d0fdef88a1ae4c9214f6680e215ee6a15097bea901b467b5827522e68b020768e8a340faee75ecd46af90ae38eedadb6d751c5a1fc5ffb866a0cadf85949dd9631344a46e95091c5859ac7d0783153be8fc89a1adfd4cc3f453ac8b11d6bd637f95e63d28c3c665517000288e7a08ea71a7ac0d569ee05cf8a6631a9ba1af456d00fb049f1c3366e8d929b6820fbefb65883773bacb1cb1a7105dd2ca60edde95fa2f35a34a369c5f04b65e08156502f8cf176e4f9939afb6bbacdabc5c8116dbde9b6d212bf125f7697a8571d69de443d4d86f4be17a959148fd6105a674ce523f37c2c09e1ce1cc71274a475ca3b0931adca1899bf7baaf2dc3a9488adb13068577ed2ba96a7937fff3a9aeb461234532afb215083c89799a0fac0ad2afeba7a33def1b302b12a6a4d7a2201b915a2c3bfb5cbfce746885aecb3dbc4de9c4dc1ea7c3326b7318c65d3763a5f2b42a0a97be06e2a040636c2fac7db4272d9354d59cda5546a3415c8f04c709e0ae4ffac3ec82999b5c50ee28ae85193be4a6888db01c1b770f854fa3b66c2adc29c6c7c0d3a15a7224b235fbc61863bf9af6d8eeb35d67d9966e3220f0bbf0e101558a61559f9e6dbf286114a94e0950350f7010f3a46e1a98c939b3727f1d125ab2c0c5c1d7cabec0d7ea68697843c8ae9036c3d48469850440748e7cce6a2601654d8c597c5d226cd4ffbda153e2fecf0b58343eb7acfaeaee02970f011568ad26e4383bee5daf95802f742b0b8e35dadc20164979dc4eab6f333a29412916baecd7d11e18d7d566a9f709a4931433919514c735639dedf1df65ebde8a14555ecc254fa4e3179c611af0ae32c8c8129c0139e9904821c76971b2d2b08e839281429cc0b02cf5abc1fb78aead7d772a672cda2ec38b69f858a3007ed6d773e417521b94e7cfd21b3f76361a833bf0c8a58cda1c753236538e7d1be278cdab78fb73f36280615aa49d8ab1deac1292be4480fb609e7e6364c300a8613d37c8024aa6a72c1e4a334e77817f9cde0e10cc57b7c3bbca50f40e15b9a1042efb7802c404186e479f5f7636ab50d261473f5804a75f6cb1fcb693cecbe9a61bb9695801c7ca6f927e40e6aa91a9af71cb5d967f79057f955d0a4ed58ce999f9acd21c1a1ea10885956b46e44ca830ab2ee7add50d2c1fa3dea6f4c7331b1e53fbefc7e424aff178ceff95a8910d39952704ef7855419d3cc08c7205990af447e18d3945d133e99ba5506e50e31bb28ebb51337e38e5dabfdb6d20be68a04050dd9918748368d58b8349ee60de41dbbc83255db8e360c3581a3b5523f5c36d7e293eb4e2b014982367e286c6faacc8503cf4d91c4049804ce5a7fde5fa19c6a5b5f330fe3f44d7f33809bfc5b13956f64663acb8c324673829c132d3c73525f8f8ea3a832f88975d14c318c05bb5672c82bb02f9acf2dbcbaf68e5e478dc519e522840bd8f08b50c506a75bc2fd092e415199e5771d8ce03f088e9bfd4551c2e8eedb859303ed757601bdb16bff543123d7570ac50d2858cff2a7f9758cb24ff0554f9131299758c010113d9b6f0bc7246fabec33c58dea925b9ea73ab381c4aaa8fb2165c9d7d8b8a701202250d360fc617580565e78d5367e3fbcd841d4503a7c20c20560a03e397b0d3cab57254d365112aad995a9e3919614bcdc6ca2055d0d87429ee3305a67fa69c6024a3f636464bcab62c99a4d0453f5bf879cd5d46e3cf761bb91109bd328169f95e98b7442cd05a5dd86e18536d205262c620002e7a3a8afed4681c271a34f0b909d1c861f9c18fc76d3bfdd993785185dc3e2e34d7fba686ed0f733d16540670a657786421007cc1a8ff97236fb53d8664911dcaac2754350eade708374ef06b2f61232a3f5b45701cfc09284b6e3184c7c4143e9a304984c4bf1a14ec75511af82b2c6c3e6d5990728f4b724294dfefc35d1c75db9efc769dabfb5cfa0c548c2d5aa9e798410f2b2bdc32da95c945aeebbf06e2d1e22176b66e7d22bebed83875b4c863eb55a7194c75bde29a8c7816e5c3c650c32cf54f5d9ac35d38bf19ecdb005f476ab050d96b7b7fc622f1ac357b28fbd7c38f81abfa06355a30b3803f042c4c08a8274daf0183c0e52a634fd299aee994dd3554edb6adf99bad5b9130b491ec9353c7f36e5fa7c026627f68f67c775fe190aeb43febf56f55bc1a4f5c22948e5b29a117f6d06d4c68e51449f08a6d0d2e67520ebc0670e2df3d2f7aeebfbb87643e58d0176965d600d97a22c7a0556a2c0479de64f8b4492dfb542e8d3a3ef096f99d39e677a07ac97dc259d9f759b98e947f1ae8a9278b9bdcb8510fb06641218f79f67e4f5baffbe5d3cc38e1498938c5509a3f69f32392f660e005943ed14458529e82593bfb6c4d3e463103aab3cdc8d468c9a2c201bee3ae663f0792460d4b71e031a83c33f9172332b514f74b09c72cd6ad76e906fa4644f3c142b128c1ff2b84e79377599d4e2c71145c492ff3dab44793b905675895fe3df544fe725ea5f7d2fe3854d7030ce91957fad4f7bd7bd7f1d1a1654e3fcd0edf9daa72bd962d6b64d0d990d5a4850802b9297feb622aafccc107ea2a8eea4f0da89941b12a0ec1bfd72a2ed44fff9f82411ecfe9f19eb957b48f859ce045da233c9968b763ed94413ba0f68ddca65cea0abb6873c892902416f5eadd911d8442f0316fbdea9f1140b3e8305afb510a3ec590ce20fd58d3bf051c2663e74ae64eeb9a1463c8841ac0b72b732b7ef127f5a7d9a87d6b8491e753317350d7d1ae593e6c2006f23b2274db58ee344453c38e299c141821ac47e88ddd93893df56baf501fcedee34ac657f279a9c39cc38", 0x2000, &(0x7f0000006000)={&(0x7f0000002780)={0x50, 0x0, 0xf48, {0x7, 0x2d, 0xfffffff7, 0x10820000, 0x9, 0xa42, 0x7e, 0x1, 0x0, 0x0, 0x2}}, &(0x7f0000002800)={0x18, 0x0, 0x200, {0x5}}, &(0x7f0000002840)={0x18, 0x0, 0x3ff, {0x1}}, &(0x7f0000002880)={0x18, 0xffffffffffffffda, 0x7, {0xc6a}}, &(0x7f00000028c0)={0x18, 0x0, 0x3}, &(0x7f0000002980)={0x28, 0x0, 0xfffffffffffffff8, {{0x1ff, 0x6, 0x2, r13}}}, &(0x7f00000029c0)={0x60, 0x0, 0xf, {{0x0, 0x4, 0xb0e, 0x1, 0x6, 0x7, 0x40b4, 0x2594}}}, &(0x7f0000002a40)={0x18, 0x0, 0x75aeeeb5, {0xc}}, &(0x7f0000002a80)={0x11, 0x0, 0xc0000000000, {'\x00'}}, &(0x7f0000002ac0)={0x20, 0x0, 0x4, {0x0, 0x5}}, &(0x7f0000002e40)={0x78, 0x0, 0x6, {0x8, 0x8, 0x0, {0x0, 0xa2, 0x101, 0x279, 0x6, 0x4, 0x6, 0x6, 0x580, 0x8000, 0x8, r14, r15, 0x2, 0x2}}}, &(0x7f0000003040)={0x90, 0x0, 0x4, {0x4, 0x3, 0x1, 0x9, 0x0, 0x0, {0x6, 0xf84, 0xffff, 0x9, 0x6, 0x7, 0x4f, 0x8e, 0x8, 0xa000, 0x401, r17, r18, 0x0, 0x3674}}}, &(0x7f0000003100)={0x88, 0xffffffffffffffda, 0x7fffffffffffffff, [{0x3, 0x7, 0x1, 0x4, '\x00'}, {0x1, 0x5, 0x1, 0xfffffffc, '\x00'}, {0x6, 0x5, 0x0, 0x98}, {0x0, 0x8, 0x1, 0x1000, '['}]}, &(0x7f00000054c0)={0x648, 0x0, 0x1, [{{0x0, 0x3, 0x9, 0x5, 0xa, 0x2, {0x1, 0x9, 0x1, 0x7fff, 0x4, 0x1, 0x6, 0x7, 0x3, 0xc000, 0x3, r19, r20, 0x71a5, 0x5}}, {0x3, 0x911, 0x9, 0x7, '(--]!}}.:'}}, {{0x5, 0x1, 0x2, 0xffffffffffffffff, 0x8, 0x1, {0x5, 0x10, 0xf91, 0x7, 0x0, 0x7, 0x4, 0x4a, 0x6, 0x6000, 0x9, r21, r22, 0x6, 0x5}}, {0x0, 0x2, 0x0, 0x401}}, {{0x0, 0x3, 0x0, 0x401, 0x4, 0x3ff, {0x1, 0x1, 0xbc, 0x7, 0x8, 0x7, 0xffff, 0x6, 0x7f, 0x8000, 0x1, 0xee01, r23, 0x233d, 0x4}}, {0x3, 0x6, 0x5, 0x7, 'syz0\x00'}}, {{0x2, 0x2, 0x7, 0x80, 0x4, 0xdb, {0x3, 0x3, 0x7fff, 0x9, 0x0, 0xa8, 0x1000, 0x1f3, 0xfff0, 0x6000, 0x4, r24, r26, 0xccb2, 0x9}}, {0x6, 0x2, 0x6, 0x7, '\x01\x01\x01\x01\x01\x01'}}, {{0x4, 0x1, 0x100000000, 0x5, 0x0, 0x6, {0x1, 0x401, 0x1, 0x2, 0xf, 0x5, 0x100, 0x3, 0x0, 0x2000, 0x0, r27, r28, 0x7, 0x8}}, {0x4, 0x3, 0x6, 0xffff, '\x01\x01\x01\x01\x01\x01'}}, {{0x6, 0x2, 0x6, 0x9, 0x2, 0x2, {0x1, 0xb51, 0x7fffffff, 0x5, 0x8b89, 0x2800, 0x800, 0x6, 0x4, 0x8000, 0x3, r29, r30, 0x80, 0x3}}, {0x0, 0x6, 0x0, 0xef}}, {{0x2, 0x1, 0x5, 0xfff, 0x582, 0x15, {0x2, 0xbb, 0x7, 0x52a, 0x1, 0x5, 0x98, 0x5, 0x3, 0x5000, 0x6, r31, r32, 0x6, 0xffff}}, {0x6, 0x3ff, 0x2, 0x8, '*&'}}, {{0x2, 0x2, 0x3ff, 0x3, 0x2, 0xfffffff8, {0x3, 0x8a, 0x5, 0x8, 0x1, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xc000, 0x8000, r33, r34, 0x5c5, 0x8d0d}}, {0x6, 0xd, 0x6, 0xffffffff, 'wlan1\x00'}}, {{0x6, 0x1, 0x5, 0xee, 0x8, 0x4, {0x1, 0x200, 0x80000000, 0xb81c, 0x7ff, 0x400, 0x122, 0x400, 0x689f, 0xa000, 0xfffffffc, r35, r36, 0x1000, 0x1}}, {0x4, 0x9, 0x6, 0xfffffffa, 'wlan1\x00'}}, {{0x1, 0x1, 0x6, 0x0, 0xf, 0x80000001, {0x0, 0xb8f, 0x57c, 0x8, 0x600, 0x4c44, 0xc833, 0x5, 0x3, 0xa000, 0xfffffff9, r37, r38, 0x6, 0x2}}, {0x3, 0x4, 0x6, 0x3, ':-)@\\['}}]}, &(0x7f0000005d40)={0xa0, 0x0, 0x1, {{0x2, 0x3, 0x100000000, 0x8, 0x5, 0x9, {0x2, 0x7fffffffffffffff, 0x2, 0x7f, 0x7ff, 0x4, 0x0, 0x2, 0x1, 0x2000, 0x7ff, r39, r40, 0x4, 0x8}}, {0x0, 0xd}}}, &(0x7f0000005e00)={0x20, 0x0, 0x10000, {0x9, 0x0, 0x1, 0xfffffffd}}, &(0x7f0000005ec0)={0x130, 0xfffffffffffffffe, 0x1000, {0x6, 0x3, 0x0, '\x00', {0x1, 0xc6d, 0xfffffffffffffffc, 0x8000, 0x0, r41, 0x1000, '\x00', 0x0, 0x7, 0x3, 0x4, {0xa, 0x7}, {0x1, 0x905a}, {0x8, 0x81}, {0x8, 0x2}, 0x10001, 0x7ff, 0x1, 0xffffffff}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f00000060c0), r12) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x50db, &(0x7f0000006100)={0x0, 0x45f9, 0x1000, 0x0, 0xd3, 0x0, r12}, &(0x7f0000006180)=0x0, &(0x7f00000061c0)) r43 = syz_io_uring_complete(r42) r44 = syz_io_uring_setup(0x539f, &(0x7f0000006200)={0x0, 0x25a5, 0x0, 0x2, 0x2b0, 0x0, r43}, &(0x7f0000006280), &(0x7f00000062c0)=0x0) r46 = io_uring_register$IORING_REGISTER_PERSONALITY(r44, 0x9, 0x0, 0x0) syz_io_uring_submit(r42, r45, &(0x7f0000006380)=@IORING_OP_SYMLINKAT={0x26, 0x0, 0x0, r43, &(0x7f0000006300)='./file0\x00', &(0x7f0000006340)='./file0\x00', 0x0, 0x0, 0x0, {0x0, r46}}) syz_kfuzztest_run(&(0x7f00000063c0)='SEG6\x00', &(0x7f0000006400)="8fc7c6d56396ba64559a2bfe12e1779d161166213ee3df8a88660735dadbfa0ee93d2bbf113a5d2f840414bb6a835c8b4664c16258d80aca5d75c4b0f7b9f481b32b056b2500cd38d5f745b2ca6f423c76ecb54c20df71f37e74a7c331e0867f", 0x60, &(0x7f0000006480)="26f86b73ccfe1577a8270fee84cb897698118d2edf06c754c8202386c681cc227fba179b5b9f4aa7b4574a9b1faa900d6db4338134c1988fa60dff908f1ed3f1d861e66fd378f4b75be0769db4b8875930df50ca44c3dde09f6112e7244a77991c9a813f74c0a8fb0a759dd430a1e46be99ade077227a164f6b567c0cbd3b2456c859d3295f82785295b18801aa57559a9190e85ac6205b4a0eec96417782d9a7e0afa0e3d274c00cfa118008b09a9f246051a7f0b9bce54acf1306b6463b474316fa9e8ed41cd670d09818621ed25ed037dfc6e1c5b4f196937b251d422ac00c3012556c45a9e1ee642f5cd2c2965178e24fb30c312a85f9db81cb084141203a2e5ecf64e03f1215f23ef654dd5e96b9001a8019db4e1361d0d275e4faedb83a4c6421575e98f8d7f68718a694f37796f04343f5774d6b76f3d503de622877febe827ae51a2b04b54714e4a512408a48f20e54831fa366670962cc5a6312a69baa14f4451b8abd6113fdbfec90a327b13300bc5743f171d4df0353063c8213905b5ea8e1239f6e4e5d45f8f2f7ee5209560532a091fcc584f0924ae02d756cec52f040e749a6277fbef1f9aca8df92ba05b02a0c1bcaf84b8d7b5d873815804b3c945bb81e759d3ce76cfd69432ee9c20ee168940f3ee98d1ae88247b3907a555751588528c6fbce8fd6ff9f446b331621be104fbc250882406a28594f3fec9ad498950cbef10ba41155632c1ea3551e6816f755c5538cbfd5931d9a37894faa6ed302d06b26f4cb97a986dc21111335bae909f8b399a874774ea24b66fba5d7a3d3d09369c26a026b279c62a9c6fa85f5ddca523f966e22cdaf18663a0c02f9cfa94b2474672de8e7f85b09130a8c37a47d02e4a180d73f635c5a180952db2362acb6665bee7cb74988c54daf3d58fed39371f50abc89cf1e564efae0370be817bd027a2fdd62839c6a7d9678a3087ae16fa48d1517a01d90ed743e5412615c5229b776169b8b9f956ace67a58ec419f91d1b8e3224c4f8836379aa947785a21bd20ab82677817f3ea2ea2caf193b1bf63fbc2eb574010abb261867121e1313b5d2a1e2c48c2202a3c072e8f3ee545cfc8c994ec9a44bcab7180ba95755e67c1906a5db72abc46d57ee053c6c8659878a25c4c8855cbd8836ccb6d8f6f12d434810555f9295880ca3d42164d1c864982756d001cdffcc3594362fddb3da0118d4b532aa9141ac6051b3f3e5b4c0b503045fb3166297c90ecb5ded55f6db34d89bd5d4518daa68ddb68c02ff1b80f9cb66a6a23db3b765608c4d672766273c17715e788c200f71c0e402fb513b6a8ffde67c40122d86347be658c4d0b91f4ea29fd5a4c017c288c41b40ca04e17bd3945d0e80fb7798706aa2e870fae9b91f1f7891fe4f1da063124e8c567198f670dbb75e82aca4fc0c8211899317920c058e1c371705d4dcf3c00cb4d2c136a4d828d3efeebdbdbcc7bf7df157bb0e743980f14844a7b466d12337a4815ed84117f56d719ab50a6c28ef55da35c8cce6eba0e8d2bafd9f812b4d5f265c0b442a075ef168500174ab27c876dc2d6094ce534920bc639f02c993dd8b07524e8118e8793fdc1b080e1e0181f36f4e2b7f047b23e607301e3d675360a8423a1e670a00ffb1a5ce87fb262ed01c58d779fab1589d9f374a0c001dc9c09828b000fe50ad21e53ba0a8129e223f7ffc79355d4e544fa731a0b4795b7f1c644161d7db3546f32f92ca5650eef1fc206568d367bcaf46411374dce9e44fb9e36836203842a7f2a2ea96f90ba76f81688d7746b8a4de9888b9d8a27a177f98ec9f100bcaaa76e6edc0c42c2d84fa84ad70e326e397f13a428b660559495c6d2a4c68fd49c29e229e0cd676cc895f6496a15f15c65de333d77839b13c9beb57823006d4d1f7f2d1e095016061a08be673779d7e29574dcd21934b248da6adcb98e9c5114ef92b4fd5b9fb3d334e945af586b0b9a47785017fe5a78da3d28b6960089bbab1c89bf549badfb57afaff8a3d6f1b310f945d590016f5612d7332c2a43dcda9326f498fe47f4907fbdc436df6c7f663daff7971d717e641f9cefe83f373e23e06125168af6a58134c425a3a7a519758a3100de2c8f3e447f0b9bcb87833647454518805ecf34128944f44cc075a9f9c47645a29412b66c7087d78539463deb2a138a2c504d8dbf638be8355e1a17fc92b094d16bc9280dbfea65905d56785d4a2b73c5e38c386dd9dd9a40f559b3742b658d216b49c5bf4173fab9de0ed22f81c3739aa925a14dead392e0ce12557a8e0d7861f1907aad63d6560889b4638c422f17021ad105108e155562bbce0a4c395787a1c881a61bf941461dc0f76d5890acc7cf2730a9ab1e9ccb1d133a5c158a19d7974d7f4a86f46a6485eb0896a6f6b06e35eb160187a0c453ba99ed1ae627785a87a3c581e4bd19fb9de755916877cc378b94df22fe4600b40f1e341af51427136377fdf88958aafb3028ca4600e62b40fcf88878bef7e1f89d9114fad5f25bcef274d370f51466e1fecf4b75b8dfcf4863f64f1d389553abce8500da93bf1058849f6b58d5541a7daf7a753895b0e71fc7ca986e8d1cae092897b3e3aed9141fd8d61bda060b1dd8397678bbb7f855e4b84f15b95579b86c1142b5823db9ceacfb2646b0c8ef61cc21a9bf121124367ce73dfdd23d85b37fa0e098e7d1c6c242bc2ad0315ba423db2806825ddee8623ab18196e913e48f379088d6e9cabe6fe00446aaccbc74dd52444114a7a9350946f6a19d9651a1fc29cbbd64e0783b6b8d414e20c84a610aa00d49363e2fd5b92c57e343785518a65faaf652612baff01c4e89ef57fc3b6eb64b0fa8efc5119de768ff25f9503807a29e06197d56f92b01d0fd68de8a952a0e23e16def8efbe7f3cc396963efb2d99cc16b4eb2b368d76666d574b33cd5843bea05c323baf4e427e27a45ec8d9a7abe245493eac3c6b1c54b5609ddee99b77991abcefb29f3f1957ea70a2e634b006a99ae1f72802d3df879ca068129dd503ea55780a1ad5043fbfd48b3061353d7972b3cc1bca5c1b907e8b0660a9128ea44dcf758f531fd3a872649633e0a383f63d082baf688447684a5fa46552b86de49159e5a056b8d3109892ae7f8b69006bd2056978e35b7ad6b38861c4af927f705b38020f123a8536da7125431565fb76d5cdb548277875c5bf5d9895f71965fc31fa264abf2d876bf447f339a7699068cca856bbe79dee93434e749abedba9c8d8ea79dc073076860ece6ffef7f4ee9e5a810fb541706566e9691bb4d2109ad768417fcb72a7f9f62fb45f772f93d8994591e1fb837e208489ee073ce443795aae6ee9b94d1ef06adbdd4cec7d4d091550aa5a6a3ee84c1e3095118ff42c92dff39e524d8524f75a1eec8e73f167c881fc3a6311360bea9c89b68a1895b2ed18711a074566c8ce180d1801ff327403212db90db06ce461d135d42236a49281179da493d71efde292ed3bbb39ccee3f3ef8bcb2197bf3a392d2fd0dbafe8185d2866e068a8b26b3495a8355959d0ada698e54c67f2b8e5ea10987844afd67a3bdf73de39326adac10edc8bc29c4300ceef4cf58c2e6961b87b05ef4bf00e53ec4acede2d15f38325dfd6d17d9a4deae4684af38816fbde94a9af0daf4a508aeef62fde4f2b29d033ad51da091066c768586cd77928661a9ceeecea9cf4ae67f3d5a3010ee4cad4c97047c3d9c3064cda34b0006cf18dfdf0d7ab25b3585cffdeb5367894349fd5788e1d73b507b21b66ee6a8897d74129b6dc76637b24149bb7722486c9ec0845e68c43e0552f23d5ecf5dca58b381d1d512dd6da5d0d8cdfbac3bea98b04fac0db9bbb687086b54993aa28fabbbe9e2dd7a2f9da3ddd791f2299470c6ccfe802353776e3d7ee03c0af8864289c0d6a6b731c450e40eb81baf1838f3d4199eff36c1159fbb64ee815de0c612ed5c276e05e670823e0ed232149e48ea6fbf8bb9b6a42a5ece8018015110da1656c63cda1ee5d66f21b77c244f097e86be5abbe4f4c3cbc043e05aa08f74bd28360c6b2862c2987db397ba7c68b88fad1826b00ddd9e06d2084138db5f4be5b0fbf88c3b309fd57906fc77ea3da69db4dc0e0f9f65eddbeab1432a746e586c632ccac3bf5440f20d8c1d6115f92ea06663fc157e08cb1216dd674619e301190443e01ce108d846cb6ae9a66b97fd2e477395d2724cb0e01a5a132dd1e34c468644d7989bca3e5edd368b350e248cc8f4dd20d0e14cec66ae019535a013ee53f7920cd8e92cbd0a0176d321dd447c129d97e09994beb449d6502672bb3cdcd136a4410e00d06ca537d650077f98fb8559f9fc5a19f0f3222bcc0afd11611d5b0b03eba32f5c89a12819cd019dd3d77ed0a0d1ecf01369792bf4beb2569dcd5e3505e9e90a95fe4b500b3157fe5e76a290bb5cba1749408b449777d7b75b6d77e87ffecccb859dfd0b81193677a00c29c8825b30be893e0cfd52bbcb2620c255c6364bbbe8e9f0dea6df565bc963c1464155df57d6ea396e92ae8279e7ab7ffc17f8ea6dcf4cf799bbe6284dc5573d4139e2908d69880d4484679b5e641ee30d25069c75a18fb7734b5fefe31bcd46a3dfd99ed4f024bc158a2db1acfb6d1b35527241336c4f04529e5052def1173636b09652812741e0eb1f547900809ca2366b5119c26eb79c21ffa728f46e5768c779f6f3ed1bba8c232c4041b4a0aa4b7b2105e3ef37842080c5f9a39cff3b058e11c8026bd682d3f7ee96fa090c966a2a08a17788a421e7ca6d3abcda616ec6c1325ea4e91fcbab9e06b4f9c2b5df14998ffce2cac00db9d2c95379b9fc55a447e797fbb8837faffccb8ba91a87887a12808ebf254fa45fad2ea4dee01a2f9f490410e220a0bcb5b1229729f6db3e10f97c5dc107ca9972a7123a68fee2902b2d044ea8f84b6d43c9920d1ef3ad113cee3d326ecbce096d865b80df759c0aac97e923062bdb8f5ba2249e7a54417429a9d09aad4e293116b991978ec7a61a1d71995e97cf4c37512b2ff5a67cb202304a8a90b34399ff98ac45f8fad4a87dbae9aa01239c0f2f97a67c12d50ad7aaadff0c418f9fa75a196959b7854fd92d73404851d6c53c13eace926b3f43b0ed8f0d101ea0eb88839cd57eb1c8c75d88a907b1e93b1c47586bbe1a83bd68074e300d75736ca5b98c70e36456cc696ba1646e938c46fccbb32fe5aed4509b2b09a0af5bc34b2b050d20d806988d46fe6f075ab3627bbf48b92d8b91ed67257de78dd44efe09fcb6aef805cc53ef285551e0b1a4d917d8411b24c74e9a02205a4018039cf31b647dd95a5f5aab3396a3a93b057088632d450c065ae9175c05a65e5062de24eeff15cc6e02718aea43b812ba7b0fbff2743862afa968241166631606256a83bc570c43c11d0148436bd3ff436a2d1b2e1ccba7441d03e1576ef38b7adfe04676d52bc692d2f66bf5f0c82e5e7dd89b268fb4536fa3870b5470acf462d5b2999543044066892ef54a306ae7244f9372afc83d696eac29e7c24963ffbf1468dbbba9d3d37a6b6543781bcf7005a9f46960786045afad33a61b6d13a72c8574777b7e80ec43f5df42614fc62097c2775e3f11add8f50f6ef09199dd68990ffc3aeb1fd120738ac65ec7d88444a8b022f3d719c8623cfecab626950779fb70ae87a3d7d5faedfe2ab843fe75fe980f9b98ab9ee42dc625db03c5cb1f1dbbbb943fbdb2d1a4a9350fb7f7662545a76483c0459fabcb8d8099ab81c581d90c36c8c0b7bd0dab09c1e3c12304069e431a74037bf7c4501d632a204be07d10ed809c9be6fc16293d9f9de366e36990236402f67242647768c77170c04764e1d82f0875d94fc0cb1d013b15d2fa9aba65fc245a68e17a656b968ec5620c429b31aee046b639b7c615b49524cc7ab71ee969158c67bad96b89f67e3a4e5fc67d6f11fb840907d279af0954b8f5e49a96e774d74b4ca7926bbad6511e96123d552db7d11839c7a53abe73c137c7ff1286704af9375722784cee8e0e73b6cf26c4521e339f9980a63955a155872f82466bd89efcf5846f9b05e09cc27b436ef8269df3c2d6b3b0ac04f5ccbe684ac43a26687f1e0fef066bff304b2266ed754da319e6528dbd0c3ea3d159e488d3d727628ab10fd0a908c82272485be5e17d442e91e01d8f77f9c12ebf680e5db6ef99b8166e190fc93c082c7416b6e9e90d31ca030188e1e5881ec279da425bb4885a1f6cd7ef0aea01a2607485255c8c4610a0efc08fd0b175254b827ceed23145fb86055eca1e6381e10be319a5ec83b00631fec9af8c5193716c4e8062642b067e24eb47bd1213bd6b321d2614a93992d8fd6caa1e6c9e40e808f4d9cb9b5ef1095194c12a80d0673113d6d85b83712beed19ad916a4e12b05e2a843c1869f864f2c7e56879407f9d645d6895760e4432962f15d066874055bdefbbfef33cb199f9ff90541f1f86199910464cd5002282cc32664aa092fc026ef8a0699ea4f71c9f6634cea39a7857e7b929c000b2ddb4112e32948b3b88f03b610ad00afd4677bec2e3d78c91e6c2787449a6bd418d60d5573aa9dc6b29ae0a15173debe501e42d93e96d1de719153ac531375d4214651664635a896b7e7bcbc225856585092d453bb63d40bd875d532aeac9d3ab2ae56e90691faa10a79ab1eab710d0cdffd5029a601c021deb60ada33bff122bb8ff85653f3bd9661d4888843584bf7a3c45d4ef980f4775e18b653af739f3d97919c3b008507e0ca983d46c87bfd180e384ad83aa0658e5fba968fe9168e1fd665f3be4e79da80abea73754f2b324d557eda10d7d8a84310167106a54cde7545f87ebd47da1d8bb99dac4814d59c854f14aead0e2f9bf13b980d157d887a50a966362c0496dc73ca4dbec42cf8133f9d644729a1e02ecd134384e442d328441edc9e09dff1143c79ba611d4402f2b698530c75c491ba8ccd2e9a10fc73eabc33adc16ccf91249eeaa03524f647ac49ab48a8dc275606419f801a3f048e4e47c5a4b17633c8e35c05a994849abd0a542a5c666d472fa1b3ed02962f35526ae61a11c7533b2ee3b5a9ed8884b4861bb5ab159f552e32fea79814450d0d78b4c83dc4654d1f7961a5ec735438c09e45c07393279199ca937b62ab9410607e6880d8047a49a1ea3cc711d126d5005b8aa916548aeef5fb9bee4e071c90ab63d46be03e6c46bae6453694082f65e070e82d765f5a038e725afdf2eaa1732060591db13df6497624c47d2c318ab5694f1f19e6f892b4728c2ae47d9093955d74690772b6d73876b85892c27f1280a42206e36dae7c871f11e30cae135b7582015304dec51632da7e9ada4cf41e1427965e2a3e0d9424a9a9cacc14592bd7b10652ca24fc6b9c056009ced0a3362adc053e22af3180efa3bc8201b82d20d91f0681133a27a1da17e4e6545ecdb3f7a31400cb046cfaf5fa0d0d55470d99eb983a5a4cfc0c7be58ac6d9b69f54d0776553c1055b122820a0f3854a2bc1a5f2e55dc9087eda7c3e33947b9df51dca3f916d7b387e283e104b620c1b8d2cbb5a95017e46391eaaeee2b3820dc2d69f6fe8e75b88304d7d55d7bf6d934f4a5bcee97fae8fcf029a5a8886531586203179ff2d7867460c0620f9dba32437b2c173cbe75ee57fdaa6d13e5d1cc6cee105e2b09fc1be865cd7bf112f0b68a93385c7dd72a75cebdc6bb4512cadacaa4a6b604b1e96a2298d622452766fd6725a198bac91e70790742998bb862d8519d32d48cfd435e03e7c261d7c242d2d026587890df4594cff4d4b60d0b7f90bcc293a74dc11bd2976369d667bc261b382e8eeb06b8dc04468c5c9ca971e9be8057c22902334740585a4d8933b91187936a993d505b39b96aa1c885be9944f8ae3b04640afefb1e354e537c35dd54868a09b3cff920c53855a358b693f2f17b60905a16fd0b0b7295bd873c921d15b2a1207e39cd89dbf895c958a8cdf49655a06a3831c6d2f402222e6a424252c01b5b12a3091e857ae506bb045a81b2692c5055e87c1cf5680754a0ac99cccca3b6addeb71b14694fba1fcf29382a556559f60c8a96638b5a01dbc35dfea26ac2a90975bbd8bd0a42c57e01fc6e84926e39c080d0f72dabbabddf023289c24d66a9b25ad687abd38ebb8a715b4acd5c4b6ff9c24e62bbb04e7b6fb6bc45a72c3c4972f279ebc863f169bee8c6977e516acbeb7910d0646c9b80e41fcea737451eab0413143e396760ea8f1f130de03356ff91c7cc46fea33d64ad83b0c2c187ba607a8149955573102ec1b06bf5fa84439a7266482e003a2c757f2453b75764c846eb392f1499a3afdb325d7be0e9ffb97ea7ef28f58f099a31aab74b63b705483811bbc96787a2637cefcaf14d7c890b9f6c37b69c20f63901c7899c0811a27421fe1b0a92cc34d9cc993e4e9ac404ec80e316d4b6a98922d3bef7a586b4202e9a4e9bc9782e5e7456f204690687089b1a0c0d8c5bca9590b7253f640b0c3fc5b1b4ec970db5a29a12ba8970456f941ad398c2b80290a7ef762057ec4c5cbd13d603321ecb3ae6261d3836720258720706ed18a87e9db2cd1301950a0bbee54ed2f08c12ca9a83dc158726b95a5f991e704837e7a13c7dc663d15281ead022062625e93f5d2643380c588139bece401876220e2997567045a7912b87d3b2219f7cc800524fe7dd3e7202dbc0fc294122499dae623147e1e3083580e6af9afb864de9412c7850c9c305d3723c0afcfcfef6741520d46582c199ca4346262ad10f96a82007afbce52f8fa4204030fb031ed4b25831089dd8a66e89207be1b8dab68ea0624fa2408582b79c17a0727a4a75cf0487cd904b236096845c47ab584724f72cb016abe1457a9672299ae6be756b15079d69b4021eaaeeb267233c12134ac7b14fddcd6ce0620e45499016a1c21709e38dc9825794e701e19635156d1a1b107ba9f16688e0774c15fd048e9e2d1e0f52c0833f765440bc18b9b07ca8c543d1cb1fbe9375ca3850d42d9d4e471b9100e8744cfb0d74bea8c315c7e1ea0a898a689bfaf2fa48d9049058c205241cec8bf5d9d1b7bb825d2292d182f74248ec275cb2ed9c99a8cc7228498ec6e3f0fa1814b6882a1b8d2d70898335fe92b75c7978beab754775b0834a363940aa6e6b82fdf04e07e9e95baeb3f8d89794c449090de16ccbab4db3d9cb040065e071595e7dc957dfacdbb62c6ee87a5878c283878aceee5432af9f506075a9c33564e6912fe34c37a11b4641200e32ab8832976930112f36e8dcea432c0101e841fe932edd860687568eb32105ead04437d05c65a5ac06f7e0cbeada054a9dbd1d0835281d0804bcfb19979d8b790810cd63ded2fceacd38e21067fb4688ff1f10c298db9484214f3b644159a8c179f90b5af19432074086e13492f7de36172053f11176a3111998a4c85cdb999a6481ea73efdc1708a36b3b9898e4484c2be19160b8355e435429195f0c9ec5a9335ee9e9161f025413ae6e549a86f2c241033eab2d7f88a15501e68c1d42aed109eb614aea34834f3f35e5275c5e8a73f401d8b70de6b87013b4ad8e55e959b2b49a6067be42a0aa41a7a86fe0899eabf3775477b9f79caaa253d6f4486994a69cd49445fb8fb13692091dd0aaeb62603f2eaea6064ac2621acd0e8e4b7363a7e2b9c2f88d34902d28460cd8455038a65d4b8fad9f61ed723c521b41626f364cf6f604420062d834b3e50175af09c7255fc7863978e56f659ed0578cfe196369c511325b8a4a2a72518d309d7386a339d71bbc2264d422fb89971ac935738e144b843a6f028d1f9477a2781c1471d89d2902ae0882419d9b4719c07c55b09ef9c9d3a7d43283541dd7c9f452b0e1cb62f77b797be9ff934e5021232dfc5e9cb9a42c0ec736961a8293504ac091ad9a71d72e084ed5e00d5406fbb84249ef2f0c6b364ac5de6999a50cad5d79017d32e879978a5a7fd3f828d45d34d6df690dd3a9862eb1f031b64720eac98777939fcde74643ffc7f87f003e7cf3797f5de33af8d3f2f7b0142c2f2ec61bc2681778640cc32a1c570bfde70dd421c305b439b3fed60e13342a30dbc76f01ba92c2e5e0102b5bebd33045256b550148b7d018f9d0e8f91da3a9f79f9c86ad41cf2b1b64520710c68967d030f9a71be3bf7871737e0eeb1988098128f3696305a33bbd2bd1698d6f982095235173bb10b99febe1aef7658ddb7e2c6bd4292a27779b399d19d9963fafc607756c122d35ab59a2445c03d56b101c06d3d43155b524db94b4d9f81d203ddaa8341b3818a69b2a47fef2c1a1f72bede8b0bf41935127923b5beefc9703fa3cacedce260d6917c72765466380a17a81270bd643b1cf5dd22c4ed7e7325c3078d30b490677e6c92664a8b849902d334b47bf3623a34fd709d1d83cd18affde688440e4db5570abc1ca2cff6d2be95ef7b53e8fb543024da35f2d2a524dc80bd1d5d22f9e644a23266981b5a470567a8566d82f8925ab34193057287f8fff68650b126dab15f9b533d2fe1e15ff9efa1a95f87706806134f71fcfbf0dbb8b7a767cbe7a0eabc575da88b321d6ab8ed27054490952e86b1a80c44ba83430de734be4ca3c2bb62841db05feaf4b352089da3859039cb0a0bc4e927a6019263a4032178f6beffa8b28b2efdf39146820ad5d6e20d694542d1873c87101a0ca2339c88830ca80bde901c58c042f95d0c9874f5984b7c278bd4ae2291ee1c0de6aa10ed0772df970ad2df98bd17be6af68f24bfb665b94c7089464983bd6c097650e409f4ebaee66ed3e07153d0e86966868770d90ed415456eeddaa44c38ac7aabc571f8a9bc38c236c5a7709b459043ef9c119f5bdf925dbddc2f351c7f8a4384efa86a5542202a5081854292b1b763f1495953ad8886d7d102d98dfc1483156a9f701a2cd98ca86156eaa1da5cd20f0b5ab52442e7cc83d885abb98df7cc27fbe1795c09e0a9ba03b327a9533a152d3876aea8051e96d86535c3f5705bf11be885a0b31011f806f192ec210894c32ae43c15b0bf9cef59ec6e6dec149c78400404381c09392a40ecd03547668672ea5a165345c5af4a735843b63a5dec5d5808f8fc5c696e5f82416ed278621b72bee86a7e2a4a982af9588c1ae65ca9806ed429b80169f743a6233dc628afd78b8c352f7f15f904e408e807a620439a58a91a51565dcb6faab6b1d1643f0a7442c422ce463f6cd4c92e9f598a94ff1e6b535b6cdcc62fc34e0ee02426bac9b5826d88396b9bcc8f872d9aedaf090fab51a55a898d57a152ef9183fdb59974ded32904e5f369058119b1729759bd570f3952bc18a7e81e292c6ec63f2db703c50d33d0425efc449c4b6cfba6c8aa314c2a1ba39937d582b67e222ba265b5d6c055d0cd81e5282388281b56738fd811d45d7ad25c080d61aa5946a794e9a0097f4555670948c8b127cfdbe8e924ffdab9845a1f085307088101de9108a3a13f013e65f5ac7e8c8634785b472a967889f47f16c219e374d94a40dd74778a0e77932b9b34ab1bb57aaf3a253d6fc4d642bc89bf28bdb27bcdf4e3742540c7f919a0a6e11e1fe9a1d9f2fb8f54e473424b086afcd50fc5c90ef3efac0e3816a2435a04ea880b23428f7c33c74529a7e426d33be341923e574ab2fe5b0e0c317fe17911e83ccb628c3bb6984e8f5e91f1d221597eee76de9d154e4340772a17e502e74318fecda7f3b7a076ea4af5743a369e18922378aca43e64b69bfe80e95b5be8b02b54fcfcd56e098e4f34f52061da69e5c0703dac0201b030897231255a34e3e358c587704ae52e3e21cc534e6797d5974146d05552b95ae1c39f10927829efd6ccc0bdb068259f597714650e240d202d26eba65f9e9e8e4b69fe335b9f0d4d1f6352d7da9311c8a42d3bd2639eaaefe33f9f6cb714ee94e026f572b73b5cb596d3d58bf3782b18784bc7db7b15d57708afea1a6c530029753cfe376cd56dbdc74357532a105129ed3828191e734bd3c8d914300c8d39d31266f50b5257bba25f6112b0a8375c2ebbd662b42c851a4a123c3993293dfbd66d5a2fe39dac6624e57c4d34b63b71ee7ce2aa01bf16f36e4a9e75cb93d7b6f5af670e61a03defb8fb90cb8f147933b58251899d99e906bd8e0ab4d2549e284d9b124cea9ea530ad82eaa66396b1831b61a310cbfe7c696e46af616d6f8e74019cf460ea0a423c9509678395cca9ef04b7ed6a57cac3c4540b7a560893331e93c175198a1ae4f45300eab8c0de8326b69991ed8e0b6d736ab7e1cf5ae53c4d6b0f5bc225726d0de0354a38d835684cae60d9002a6281e4e10fa5ec2882fc093cf709546b7caa2713dcfe5c5896f2877884cc6784afe6d9ecd4896d3ad7f36aa20761bfb2278616776efd742fe5773c73f85fc6b9d195043551781ec53c762c4fa2d1172aad4625b13b304c2334f320f765c24ea335e8a4c111ca8c12fdb53f518a7b2ac0a402610858c2a9990e1343faccf490b645d7011b9c4d2309e65f2c2210905dcb1d8b621895cad6176e8054c09c2a70eeec70d69a2c71617500bc0fd65bd8dd38b0f163ac77356d1961173eeafbd7e9d52440e045272ce0303a0b1ea5a0a66e53b316ac848f607742ddf13cace2f67a39ebe54eda13812854d2d03357300bd302e8305166b37d693fa5ca6a7b9cdbaf008d1a32a5218c1a9e3afec32e720ff9a2a29c71bbadd0639c90b89b52a40b7e528f79da543ac8a4abf73570c2e272ffb323bd23e950276137dde9cc0edf43441340c275f9a6fe6a3b44d41c2c9afdc28df53e4aab1926f4124d578ea48b6aac924082cd2e61154ab876451ca62453f9ab88a3967c14791da6335eef2c99b2843943ffe629d16d02a62637f66651c1ffe30e0179608cbf0ddb31428de80873548a4027c57444cf5e0f556a66c21abc0e0e8b42a5bc0669a617b072aa8cc905da8c4fb46fae4afcf100e1281cee420a399a1313f9dbe5f2bbf4b97dc0a0f72a43f83cc9c43a8f4442dbe1064ed7bf2fe108ef2c82d1b4b9e4cf1665eba50a50d7d18f41ae980624ead8ce19dbf77ffdc5b952c9bf3c1cb511e7482a038b0bec67b46666f08d35f3d906dfaf4c6cc7bd85893773dceb4ee399733f1dfc1a64d0010b209717dbdb1f8246742b54db5a9168c6705eb2bb33efd6afa381828cf5ab28351fda1f5a51055f871e469475bddfd6294c67a6aa2cbd6de1ab0dcd91728be8a98252807af581b3e5a99df0f68e4974bbcf5a674527559ce82d52abfeb6288bd1881246dae8ab743a516d8220b92fae01d065d8f0b490f292f27651dc94596f33e72013c776828c93dcffd424f7e3d68e9eb0bcb870e495ff242512d9d2e2b08f61143f9629190c9243d5afd13154e55183aed269f5655bb16c35c6daf2200ecd89b5b6bf43263ee57b164c477dd79988d2e2fe15cd733e4beffd04d7cf69c2f9fa331ee668fcf55be256cfa4317a301acb12fb7fedbd46b6f81c4c3f6341f7717e865de06c67487c4372653c2647d2e94b71fddb59444f3810ee96e1b70991e5d0b2f3d4375e7e019e76b0048cef4dcac18185bd2ac4a1e04fb99938812c3265a326cbe172c15965172bd0b014724f0c66b64be09266c991df65acc039c26cb57e35440e438190e1cc397f46fc88a6711fd2cd5001ecbdb191e0121d9b65c1ee849d943a05ff4968e81f2c86308e04e7e78dac38309438bfe2cc1c6de78c1d1a7e74ea8e25739abc371a8b74abd2c5ce80ea84bc5526f44dd4c1bda85495ef3589491327295364b11bd2f7e197003e9a102f71cd18e93dff681593054d5863e93d32913902ce741f740ceb56d20903d60df41ef4d914e1aec9a2f7c6de85727ce49f4d7ab4209927bd46e40b6f445ae69df15812aa51266ee22f176f8cfe19522aea1a0400342d1d41fcd616df8cb2f4bf8fff00994935c62b91f1cbe0e493b431b20ecbb0f3cb719f9c1660f606a569e970120ac50c34987303463580157d6fa38e92270014ad4dbd244107519298ed0420f087ee2a3134734ec674e214bdb64b2f2d1e556173dc082665cffd618f1e562b37c0e773d0f476a5b09f121937873a67f891c9f479d25dd3b2aab75c37ec64d5ca01e3c26bb81ee309419d27b45de0c7b56d57c96145ab66e276d7f297bf9b5249c7c82bf667277daf8c4af64425ca33e6f85fa58d1aef3c4a9ae913d6f299e9fb021d98cd983486d6ce39928864fa3d9a380de5a725846984392bc3d6f61bb70942e01fd1f55d8411e63b7e11d4ac54a09b38d936a1852e6695372686ec45290fd7773e800d0a56c4a570a276ad27ce6657fd9ea5281cfb463346210f6ec72d31ec78f7bac38debcb79a2fd8823f037507e621d88780ae83f6c7d530ec8e1a159eb7b4f4cce2c5405f800f388699ff80527d66c3bcfab234343643fdf7f47d0ec57d30741b385a16ee6fc2fd72245120caa8240d8f8104755d50151259e4d76589af883864947faa3ec7d1411b621b8d41d9374a427f19e29f5ca4398c420ae27b74a058b0325cd748ddca9d11c5d3f9c5fc70184de8653f3d01a4fde2ba3667c278c88557fd6fbaa3227063e457774781085a854f4b2cffb82910f61095f7ee9ef6ef2238bf74211d8cf1af9504f3eee229644d0fdc85565b8e66a0832041e21c98466c89ec72823b3edab0fb42ed65202a5eb5df409f5bda6ae748884a146b34f6cef3d6edb14c224b8b8ade40e04a7f61d021f680a71f72ace0de41625484a0adf988c6aa71257cc6a96b539a2fba55a2f986c9ebaf26ae574c3e837f98f08ae710c226761acff343807e40131469c9d5b9e78e14fac0264fda199b0a2571cd1b6c6e95c0b668ce5fa8ec0c91cdfad58afa5c1336d8901f57f05f115e71240c237c4a91776b8131c1a7809e3f35dcc8d28bde183398b8d61ef6bb8274784f083d3a8060b7436e315f941d71883abf8361bf66aa3538996519e6ee2a31b41865bd2f16063e7cc0198aa555d41c114ec41a8c047cee2e9b8e9cb56ca94b28906b64e9cbbf86b77d1b0bf2a8fc265eb06716f1181a7db11b31cc7b49d99ae19e86fab6383928ae0b3f73936e972b23b8ec1251404c1c85f4dfde89fbec9ab07578815ef077cfc2c6822a8efd2807ac5d382e4064a01890da79ef2e182fa52a2d31c98bf9566f58fa7eb87fb610ff66fe7063d16344f62b7d035653776ab3e63331585066206dd1b25b56275c589f802d57eff3f4ee4344ac30a38f947b26a76cb18a7fc63fd87738102e8f76f911dec4a172e7394544aca0b774be9f741b4dfa5af846a71773498727991b69e0d39542f72d4bc901642da1bf4771ee0149eec36f0c9924fa2adf7660365a015145bff5f19c07729520211c1cbec43298dffe8dc365733d37d8c67679593ac7327c45ee8ddc7d36b324c6f47fbf08d563328e21282f9c48158a37543ea13060a151e163a7e1800684652866344f69a3048f1ac1aedc348900c03ea380d08d1effe089939eddce6eccfc251d54e9ca111d69e9c9f67f9bca50129bcb19539f2a5a1d0a4b58907e6b3af5ca326465000701246b9af43e57a750f5424dc98fe032b84bfd6695017a47e6c88c445f3b3469beac2420da5177ba9e5f69c073d90fe22fabe1fd0eaa1049b2eefe258f5d6c13f6920268abb2350db060139fe338f2ffb2898517d014e0d5bc123370d602b3b7730544635e649be08ab7cdfb0067337e80ce43c34e6a68ad5bd3baffce51966c5fc369cb196ee799e901a153ddc43e6271cebbc75f4e438c70cf919d957015bc3caacc4d2bc75cdeeef793f75314dc7a5e9ef21182e895467e4d249c6e24905a9255694721d6f78745002642f1daa53ec015dededc3be0b1782e5ccd3f363d376a2870f4f888a88ef4837a41284792c6387c1a51e0e797b648012ecc98959c79c43cbb91460ec9b793e90009a6f7d4983324dd58ad457ea3c4d6e9212b528acdcc68c076e8f4f2f116a88e0f6eee395c716b0a5c4e1bb518d32e3ae2b0a1f13f875ad912c79aa467b80ae87cdd0e147d135c9072cc7d157903dbde16f536af5db399bdb670207a00428dc58fc6fd5e0b56f4339c5352588924ce64fd9f8ffcafa4273af44dce30a785d20bcb2d5ec8907e3e870b3e00a82ddd95a159c79c63b37ebfc916bfa6f65bffb956b936b0daf590d1edc47b76915e431b98523ec402ddc34c61621d1c0c90715dc385d3c926e1a0514b5be429488da7661c4200b50c3e1dbfa2a1445078188a3ea4d62679fd6fb3af16fed076be5bb3bb78f900311cf5f9c69d42817c30ac407f566c6ec8f53ecba6a06272c6154d1dbc5035590f9bd9284ee68b34e2cf7f6303796af1b9718aad56fc5f53b662beee3cc6e3f839ff57c65a3501dbe9e6052a6efa54354fcb4c5c92a631a34505de5d833c4de2de1615a27ef785b02325666e4529a7a6d66867a8b10052b8ea6760c8cfd224cbfa671cb87a140deecb0cf6e98d8fd7d7ae722c5b8625499f5e17e39684f79b289a71be2380a733bd730e588df0358491ba9c163d03d6992a9f7bb26d332a2dbbe9684efbd5354b2816571b16101798ba724282ac070fb0cc86c967632b5c91d66a3586a5091c64c9cbc2328e48b9f9073f187d0cd98601f087dce8e71bdb39463b36391980fd41c52c54ad5246b2cb0dddab7a94ecd8202b17c3aef9641cc491fe23879334edc139694d5a4d43fe4210fe4d5cee062dc3c7159447adc0d0b9a02ef1dbb31e4bf5e7fb445742687def2b8a0038d4e0ac15e9729f2e07593b92e9d2c98f891723ec406cfd99c85e8de345b776493a7fd6a5cb2fc6ea3c586755f931a335d06927e847aadc7d0957de40120557d887c3d76329a3e3df2424703f79c9edf9873598ece443c5d0ed7f01d5aa3c18841bb3f273b1d3ed11346b072bbb41184faffbb946b9a49fbe3f32c3f02a1af5bf422e71899d80a07cea7a0eb628b722e7aae7fc5d7efd2e4e3a6ff78af09efbb4c52d155b6572f89fc82fa281956af3963cd5ef45a7e6e2dca23ed512ea2031c60b074479b8578b97c9eb99f19010ba6fc7f54ef63d37a7340cbde9f08db8e0c3d9de8fd1ea82f6f4c06986fff71c3d6b1c91a771143f2d1e865296f6339e9da58bc91c1b6ba657f812bb627d214880f9ff72232d92191ee0ae5dc6a95bdf109436297a95b355b91b551993e6f2e1909e97210b0b879aae2aedb6c3580e6bbb518ccdc87a9ea969cabad03bd779125c1d33bdc4b24c0fa90d4e1f78a58f44154a8c2d673c32e92222532acde4b3c052bb031238a397d6395c575d13ad0124a9c000af4e71312105688e12568feb9236ae3a563c6054aa768a097952e5659ae37d6dd0319bbb96e0c5d3310a1f25615c1e356c61d2ce73ca8690fdb4333c32803099136f1ae523984f10cc6b91fc536f2c9c41526c900f73a1a8e0835363d3936776d6a61b7c069f0b60684fc05bc33e85cdf643599dacb4843d7a638d3e109a4a44a39297f8f128153a628cdd3269d8b725890be248c053a93ec586705acdc314e6d8924e4455c81845ca2257a87e67a3c923eab3fe00b0075e545ba4e5403d7fa5c5e4d2201be25ceabd6f648700466f6fd7c2b076e300ac3337bf66617a4b30fedfd2ad24ec3db0678ab1627758d49f61af1aa7a83083ea80e00d139c2a0a8c3bd9b804d25dc176b5beb20ddea55a79292797951c0e9f0fc06d526994426abe7111b96503378a9baf79b8cbae53946bb206bd15de8066cd44d406b45c3de677d228e012a6bc85fff297286f745481302b525928be85e2d882d3bd96abf112b15b0dcaf0ec308b5d1bb697ac0b85bb3e4e72342518aa55d97b57f23f5e567803b3e251a9cb964c7cb4dffcf9f831a6d61f34e93a7edbcdcb540f7476fe6330e4be6902c339d3571d94d8b61780153c8a0a34cecf86ec8ad4d52fbbb00f8841408259f5d435f5f57171e55353c022ac5a104d36f8114e3a68ae81b4a20225a5d2388cf32e56cddb136795b5e0aee2734ba2220c64c743cdeb0e2d330d4187ed0ac8db44cdfd624bd90314c600f42cc9a2ad46e53f9e8188ae2c7817c1789af6e647f2a2363e85d959dffb44cc7cf0609d7b36c30674ad45d8ba281f4710c49d20991943f0ff00a3b9f812b8ba75aef8e98a0bcb77e9e018dc5c05452a931e1482df7ac48b4ac4ed70ead862a828e19f4c07976e1e9a63bb95d66e9cfd47ee03290e7f0eefbbf870280b857718a1bb75ad7014b4201c961cdc7a6813382b786240ea8f4ece5e162bdd97bfa170ca6d90cc2511d592d3ac7400fd182b1aeb137db361b14f4ad626f7ea3d25ef16744e0e0e36c5b29381ea7933ecd47292635a6cf1fda3e52ee93a6375ca3a5ee60cdadcca5b446e3beeaa761ad8ed0510ad72f75a23357150ba8f5c12b63084dc8ca82bb62eb38f43ceae6aaa2d5fb8ac4132ac6e679118055b81dd736c9cdc9fc1bf0966bd09a218193f310c909e61a647c8215f7c4ee3e8f3b25eac636c8a96a0e464ffd0b4c1ec2082eb2399052554e47f3a34c3420f9ed5aa56cd9b0f1224cfed973eaa770fe099e9d3aedd3d42f6eb93a0115dc1fc715624ff6b0f8f3a4b51db5ab630cc95ec7021c6b4fd123ad355873247d550265bdca2960e74a3d8888cada88e9343b70d5340eeadb155564c62dc1eebdaf002c2c35e0990b695c536a0a752cc2695d668f52b00724230654d6dec51c1f0876e7e29cd662e12e8ce6bc40a318c25e6de630ab705b7843fb15c4a3dbf9a335d07a70f46c70bf28f058625eafc018ef105f83c4564324171e19464cde9ae0f2388c438c41fdb8f81b278cfed8cbcbb9d8a2a5496ea8cf4203edec4669142f2b037f9e5f55298a2467f1088ba13c48188b3ab2cc09d6cd9967acc1e8def2cdb1482bf4e6c5bef3760061a81ad22e77aa882ad1f5d598345b3d18bbec6d4df314cad4e667242b2a9210abfe74b301c4721c8711f9cfdba932ed74a10effcf3cf73bc94ed13dabec7b6ccb0814e71bd52a1c7103bf47ef214b9cd6ca6a12f880857cf01d141b1d88513fe7f2e02282582480f9c257ef4e0ff52920c25a3d0604b3485916065540bf8b9480608e29ac2d5a5a78b1546aae0972620f9e3264a1b1b73b43c7935959d7726b07bc9da0ae4ac08f0db548446c5241ea9f19aa29d5db2de3cdb1e3430a157308855e273dc1f74c1b609aeb2f70bb0021315d33bde8a60a1cc7465b70bb5c652074bb9a030ed8761ec25a35c102b86a8562c827f1536faf2d96e3a88d3549d5e7306754a431de06a58506db917894eef0d484c2e1c897993aede2ffcd0c51f2252924ac82d91e8d364c78d987fd3510bc7518709aaad6a2b0abb237d4860271ec5772f74eecca7915fdd16d93674c4ec0bb130bc8235ff613f9dba91c21a0227dd9d5a3ee0d9ff183868eba5ef8e16c80ae913ce1386e77fba65c125ea036f399de4e88059012de120f5b2271a511d338c9d8e3b297012fc00842dab541e846faeada68cb5dd5fd380087c68e246f2ce721258e7c5e5d4aecab33a5d15fd5be9554998ec6ec4f3884632071ea772d1bc7ef5423435cda7e240e0d715e00af37e6dd81f04c804703e04d62c6a6f90f478ae5189783b634b8f08fb6c6b6703ba8c2f7b167f81a328ffea16b39fba14c67ef2d7d45ef85240682f90148c94a60b0168dc35d9ebd82704be02741988c4e65e0016f9dc0b204220cc49bde0302219d01c500c9acd2c351dd6367cc1e922f7a1ebe4051ea1cae12950ae4a72c86ed5cb078d5f52a4fddd820f5efa141508cdd3b29c642e1d1126ad669fdb2e5899b02087f23443ea5ba8aff0d901bfdf7e314684add3e4732974ea750e098ce5e207eae30eecfff87c11da0c3b79ac9e69d751dc544fd615bd352ed552492e406859f04ea015800d472ee34bf0322e3e144feef67bed694dbaf8781aa7985b2a9f2c19c386d7dcf60b734f6e562682f67730147751fe6a1fe477257a7e0bc107e6b6a4f4782c935de86c3b6a5d80b2318c21637dc91eb4dd348265db094ae44012454ed4d54bb17e6c14f772de430c9844a91f163b1814634b79f47923ba80ce4f17eeaabab729ca92812e4670a6cd0bb7ca70fd9fd021d1c81e0f8c11bf501687816aa7602f483b8134397abd6761fc175ee21353bb7bdc1e908c603e5bcbd9352a1f65fd6491c006e58a74f4375b01a9a578710efbdff05586b26b13574a20079cf7beb322c2b01bbad4c78be74001aacf129c13cb6f34f8de5077c7cd3bc6a090b5ef37922fb015d66e97c1f739bd573064d9616e2807f4c6e9490d151c31ad4eedd2defb466a7a9b196eccceb3ac48d2b9b751c2014c080774d49c027ba17ae7dec21edeb4477fb8f82df7e6ee07fab528b74c5ff178329636eea4bb95af8c7676ad15b68d78d0bdc998e228f15712cec3441609807e264f55d74af423168bc216f73640e018d3897ecba58d2910c2c8c6403333f38d15218a2ab2dc0dd0c644faec131e51c5fac7092540b07964dc0674427cbf279b7ce964ca8f4afc080718c6be492da65303224e8ed558e490c0932b365fda70b20226b2d432d5687d1b7ac1c97ea9c90b26735ce9e7d5406d18a887dbc3d1c38c91450a8212feb0aed675d69ffb666f6c127aeeaf72dbe343947443515365af41d6c23c0d73ef4fd26d77b8560ea45983afa4b7c34bccf59a63f4d29ba6c26f6fde6410277759b496b433b6c7a350bb7d5de314b04d49a0e479ccc43211f5f3727dae8e4a7625275661eb03c9cccd6d39a716e12720d2f9aaff7a6cf29a7e03487049d771313d5291832b914a1bf3ff8bf276beacfdccea9b46a03a68f6a160c590f904fcd7669510c767bc3e6cc690dbf9518ce7ab640d9af22ac1c30ac8fb864760a2127024f18caa2bda498e2d3e94b0745b420d9be240b1272f02d65d90f1ccf89c7248562634a7ae3ee5ee89a50334316c227a00e020488b7761999f7a912a35ff6da837ebc8ee8250e80b0c0d44c1cbbfc8ea73fac70cb988295b76428dfc9edb2c0b3db5186db4da41b6e526b52660373145cef0f977e6e9c751ee95af0a610fcb1a95edfc365bb285bd68738a2ab22c9c0fb75a5e65c6cfc9931285b35bae5adc7d881041742ebbfbc540a50848eb454f42afe27e87c5c56438f5d46200905fee3c3c04a6f8ec4d4aede1e97ee48ab7a340e5e99b643ce2e30d1c400893664a5bae786d658324625846aae9df7d8826fbe2c56d8fc5f01e099e5d3fc371303f30a24014991069d7d7799840cc4311f8853b627b035a6e6ff1530eac65e4064ba53631b16e03c81e6643b776647b4ac341ff7266e8fd6eef7119e116ba25be5b1efe88d0a76442788b7feb647459335b3f1e229cc7ce62c5cca833a8892d25964e13e67b02dfd377d15601c946b04b2db184efce76ac99eb391b269728dcd8356906ad4c0c7439af67701bfabb22664af7a05a0305a5be36765780f505cf35353e9bbf6631d43b66ca2f027e982e495ecdb761cca4b5b87f0e6174817bcb85f9b83e928250f53f1bd30991798306b753abbb32d7689bca88f30d5c51c7e2f5b22ffdf47b9ece1a048633c89a9eeba81697a44e5de6314756734d391c668d0cd39d210a1bcf7ac8b9ebd60b96e6d9535760039beb13147c5b72567de0b1151b822ac28ef3fe2eecb88ae4539a9edca3b2497221ccf70e3d301507a37c075d7f479aa795822e50baac5b38aabc100bb1a606830c22c3d1250682537b71acd4fc46cb640fae47f2a8ac53fae7c758fd8968a3e9f5272d290ed64e2fe7f3963e4cbd7607ab247625ea7fd9c2c02acb5a48fbb069e7cd9498eb9a4806eaac24f122d4f32e8b22f188f5a7418364c4b6d08efe20b2958673ea5c65c14172907b360a76690b6d7939598ff936f4872aa8dc02b63e872f8bfa36de066dc29e4183e515826d41a82e0ec34d50455c80e67b7a0f91c1e65753e0659de39799b97cf64c46849420b490d115ec421bb4f3426452d35b154d0388a2943f2df1e0aa6d96773942949c0742e30061c748543ffbc43cccbfc30fac29573b11cfc6a7245b2e0526fe60c2e086501b719676bff083fa90847b295f1524481e6fc34bb8776d2e404be2494797a5322ca9fd801b9447b5becd81812edf1209b5629aff62a64cac5e492f9ed49a642af548741905a64c6ee1018dbde86e9421e4145b98bbd87b4f8ab567f9383a8e32d710761a336b5f06584c62f215cb53f1544dc250752bedf2db67dd11062e986647622ebcc30bb941c764bbfb58d9e325d344c8155d8bb00680116cbcecd33b0033e6467688bc5963e9300c23c844aed4cdfac4a7c55186b6b1b04d2c804d88271bcb68139a1751aa40aa143bf5ec59468a94fba390366e0de94b8c9aa7cf537ee2b0133683592e744ecae4fec7746fddae8855d5a5a507deb9eefbbcb78a4af7723f97038e42c247d61cbea2af1fc6b79772e4e4b0dc56100763219c347ae49f11d85a99574f5e468298abe5e533abbaaf881c53fdfc465dd041f7440f22de41f66eec7f53fc45284f1192a1c0a1927268255d7cbc82ada9ee289c35536b9ce4db916f934277e9870030bcea055afe6057dd93ca95a51834029e18c601c412469901a1bc373c84eb7c430ac7072e5bc1751db05da3b6a1f78d85dac2a67d4f080f521e8bd687570a4f7cc2d6a4ba68d4ebcd2f4c6135e14b86bd233bafeb3536c9743c470b8a075745afd000c207c07384818da9862a9388b5b6131fa86f26b2d583cbef2bbbde4b10a08a13c933c98a5de81ed6d4c4dd1489d13825a6f682322bfeceb1568c2082ed4bafe2130b6aaf9556d630bc0a380f8e5ab0de573ff1dba4da8e99d7f240a9e462796ea0bc1d79df3ec93b44c5e6d580c42d48ed2717ac1b77d17093f8c182298f0406f1387a1952c53494a3af2b4a4f4e71558146f1ade4ff9b1c6c3f7d3d2d6a52fb4b78b3bb549edc280bb0a62ad2e2790482ab8d2b0a555dae5fdd5ad601842047a513cdc8a83401036284e9e335ace2df626b585009e936b603ef2583f91b43c3313b9e341c6bead96451d6e2c0b675fa1032ec40e562e863b7c13b3998e8af390702dc8a838cc5b172f97de3be22c0d72e5b6d07d5b23d50b43f6b5bec70b26cf98c94f9f69e98287bdbc25f5d7c5c76e70533fd70a35fa7932e28c64496f4006954ca4f2cefa69402dc42d2323b78302f9c32867bfe6971480eb578baa396a6cbb0857b709f7e1fcf46002af470fd213df33aff29f3754d957339349f64c2f4bc5d05c534704c76159ad67a70254cbc913b30ec58eac9c2d666f701660df0207448fe8920c8e34bf8c35084a14f0686762f17c593af38347769f728c27ec85e372d653db326a85baaa53a2b17f9c82f698354c33695b35400a8ad39f4c84ea281f4dec1756666f338b19914ac9551962ece1f79c58bff2d514dd9d6127da07b550f93441e782d7d08d0f53ed7b1aeb1fd1a49768b2548fcedf7e5fa27c8e9c705891ce2248610e1075637f9e0c73359e94994a44b15296eafd3e511db1f53003050d91fcb9fefc1dc7479ae8467d2a4ec9f8b93c36936b11e0a348781033b3b38f00fb60709a8f09bdc966a2fcec23f15f1625bfe3b8fa9daad9110ca7e84c654077e97e848ca49117287c306d88a69ea3e9030c40222a302361dc3c620075fc7fbebc6422f1b86cd0e76865b17ec475f6524a363ae61bb3e396c34e71abda64393a8f7035dea7cf95e3e77edefc6b5864fda81b485973c536b2764bb1c00b968e39da7896a2957032bf2fc87651dd0e973a2c2c01183d233b6efc77efe909c0ee2897318a2b30addf777acb98c812327e33a9d997c278c5b63a6f7c2f7f854c5cbe2f2aa8c29ab81d7db1aa609a84c325ed926cc5b3c14d12cd93014238a6594887db01036ee8dc085b5a5c8511964331d90be82b302a78218ad129634a0d9a7c8290f20881aa9ab9cedf2aa41da6996a6f7e56945595d2f073783dbe23abbcbaaea59f997630a849c0dee8d27f56ccc8804ee3a48ef5d783939cb59fad8f3beb48dbd206b96248045084fff3f5137fcf98267c5aca0649482873029f2beb7f7e5e09543e2cd31013e6461a5e43cfb9a7d93d2eb78aa80ef3392dedbafe383128c150ef201fbadd629e6988907d891f599cff591532dffbefa2d590a77869118e8fcc28ba45d7c96843a9016858507cb26a71d2250d62b73d420392a81ebb9518c20edc442d7d231958ebef08a2761d8198f18875ee02a532e10cfe2f4ac2940101f4f8d324f75c56b4085c666bab933b402423c0f633fdb995cc72269cc6f73c761af37af310b77775685c345e59ef3f03fb434688507a1909614bb9408e0f3b3881c6b792761b36600184a0f3b24055f4f366e230613dd6aaee90ee02826bda6a8cf8e2a09cbd1f2e7bd332b9ec49249485126571db52eb4cd89533a7a89270cb089706d9c3c402bedb6ffec31d4a95a41dfd0d28ba8de934f2ee02aaa900218157c1ab5c2bcf377f698b66519cdc1a2bcd91114a5fee3f4edadb991679f8ce1601125acd9fa0e34818971f7bfe6f73d8b6070ec5f9bb502b921abd42bc89b741dab7b0dcdd089b24b0d29f13772082b0ed5735b7e2a3e59fa49daf044904475c01883b0b5e456462a9735ffc4959ce2d2e0601005832bb433bf845702c89bbd281ae5f019413752461654a48cf352ad64fb2b5e3c8c6e1e6e197dbb9aaa69d5e2ea415d1406df7cab3c1e63e03b3ecdd95578a88ef88d8d97153cd475d0ac82105f6c5cb1c698920f763a28455c434e642a8291d28be47e047ef1d404458dbc5868da4000c8521ba677cb2ea4112f1ff11acfcacacc4478aec9983aa8fc7f93b33b7734dd1045ec82dc56d5967619070750c40a123bf62c4250938f59d7824e5fdd45a8382544ec43ecec0bc963990e4825bec5116e7d9565aa7b30aeb7cbd7d2ce423e1d60d919635e05e7d0c6462e470924268ebd031c9027bd0d744afe1e3a00d76e08555425f28351b281392a146b526cb0b073df83a0350fbb91dd7e99a55d84bd8d9b0766454a440a5eceee43da4b6bbc1b8d16578c70973f5edd80739b283d02316d22fddc5fa4a41d72c4f8ee694822886735ef4c8e31ca8d214c5e1d6788c71d5364ce135d7cf68da884aec54c6ed09c8c60f55a32e00797b823a5fd9cdab39c49033a03c7c4d772f836cc718cd06048a259e830610bd40e98c4b83b5d94f62b7d324590f8d9d45ead5bceca225e7d47bb7af3d590bd7efb531cc1d7967acdd6e32dddea757b3254ec21caa08534625e67d9117697276795f0704a98b9925a0251996b4c6496ac0457120cb7a2a1cde6fcf428484388b078d2de5caa62bee6e28134fab5478dd7db35ecbaf84c157c6dec4941d2ab15b8520e1b8a2690ff45aabfa8600c112ccfa2881a09f9164ae359439ec088f11e70d2f9420cee5658388ca53f6265b561cfb167098e480e84bc2c6fc71c47b650e83561e88511711afd06deae6086818ef5602a031f3e7d788e4a4908978e97b47ebf2965adc9aa3c8811d3dfa60bafd76cfbea6687a028fb16400a68725380835e81dbce18b7b2eae567271e05254ec5ec0f4c659d0eb40522efb90bca5bcccd4ea40b2f6b2e367f1044e04e8a6a0fb802da3fa181ec59274d59ba62315cdc498078e1a879337ac6352bb0837f8842c5cb78c50f626468845c2746c94735e49e3ea984ebc5472ed77edd2be976059e191f2792dae6ac6f6cd021d8ad774a48d7e6ae5d844c983df44ea1b1d98d2ebfb7de1ceb1d64afe45510b328540d0a8841db866d60ecd83b546844335d021f8ed9ee3619288a15127ce7f690c1d08923c2d619af85438f207d8d118094b9a09869d1225f7553d77d22cb70e6624e95963d1fd2dec4a97cc23b052952b04ee1d2a2134cad6c40f834675815282a6b17a3ef354a7b5d01b0de2a2c84620844d1f825a0d146d4bc82ffd4734c9c166a935618530d5bab8205977b237653881e27d7c35af729baf4b89d071b9da5d5a9bc4a174fbbfde49e1ec60dc3965df566f920b3bb79aeae1a0604da0ed78599b3e19416d3633d7d4bbff85fafda5a8b5a400eb8fdeb0552b5e8a6ac1f3a581fbe06c31d14734453b17c273c42b44fb697ecc67a2bd3cf2825d2cc9f53b57bc3502455274cce8c35b61d413f58624d93a172a1354632987a178f79093b65385ba546a83f52c11575d3ecd3f95f682a8b761817fa9d0b066a7d8fa59ceb795bc26765b550bce03de99ce3d7c3cd8a18476f60c265dfa7ece8bdbfc7a69548c8123840ff42750c8fba5a96516df4fd548a90207972a09c530aa610359a569b4b7f4ffb21e05b02b9cbe52e9dfcdb51fbfc9dec214c797e117ae9007d25c66d7eeb16b6dc5582845cd6849ff42519ee7c4ce05893b7123a218584c619dd4eceffcf49e67d7e359747c765ccf1e94135f68abf02a7812520c9db8cffc51b4e69e524e6270d5d5d091a7181ec67b7f10088e28acebec5f85414c6400ba37496fc168113733646f30d7c495b9f9801ca0339fb4b92ea21a011deee9a1ea29e669e2b94c88511dfdeca1e5ec24666f8e7664fae61445fc766e49bfb224259a41b3815a1d5bfeffea8fa905203ba84f33e9d53e8f1261c936da7fda2998039e777f5df2652f7a19dec4d08d9c0f91330ebc8a5ca32c719ee798e3519cf6d13386384be2514b3e34f8b5022979ac68ec2acd730041fe765f303ba780da36351696dc2b44992342a411e5742baf7ac3c824f191dcdcce858efa130f09ccfb8064d3b4119e7638447c8018e97233663f04561b1d643a1410c1e4f7b6c044965a16436de4c611e151bfa8f81cc4ce0237be991a2f1034cbdea685486c30f291ef3825496d5319ed5e60e81f638b3e40619670bf3f27c7a3327f2c0a1bb964f5f7aa6d94f9deddde0a8be85dd8f2aae927d5179c02a86d4d73d0ecae31dd44769f386323f860db52462743aab384d78497f9b586aefad8e9b3a1ad17823b525cf5ad7a9ba60a30d464e6862faddb3bfdbbf9149c4898098f32ce8d085c820683a034e9623234b11da066cb08e040805a36673a08e10353d2bad805b92bb9f263f63793b079a976ad43821d340a414f17a261ef4860923a954990ae90b3fff7abf53d1ca172c560dcc2bcdfc30ea4b332026fa4a90cca908dcf6e86555983e346bfd47e1ac30253ec321672009465133e7617db631dbe94e3f619478a0fcb54c5d484257108e07b928136cecb15c47ae1e440c71d0e2b689328cf848a27cbd7afee367360ac33b63f8b25c89076821634148bcdccfda5cef8461cedf4eb81b2a74aeccbb5ee510ade1349b17e5549ec0ae20e486bb2110dc74ea5ac84f7178581cbe15986feb0220c4e22d274dc27e55bed125dbe2b5ab35f868ee7a41e877d2627a263075585106a9d20ab2eee48b66cf32eab5e5d2858f70a16d504c8a264a5e4782abb630e5f42c2a567bebe4be5aab32a2168ef08bbe8667a5c8d1e23e942a629d14d4ac5b1a4bf28658f1e4fff98ef03e9970e25e1e27bba55b324ab9b946598a7f09b5e05ceb2c823987ec3305c22ea91e11b14f0da3b724229916eab58450cf406b7a6d1e788180ebba5bf36288df975c75de5af01218b59cdd4e2c00b56b7f4e8ab7463ad1fb8e86e0c6b2206b4445180d4e647c701602d7f50cb28705a67e9a2830f8720a7ff04fab9a983ea65e3f6fac6231ce97498921dbf57ebdb431747b5cedc0e6c2826c500102557f7183c9088aec663647b6a2cee3e311ddcf64aa7579cf928cddb6edcb096b970a50b3f3e75afb2d2944b89deed0c22bf45a55652a3cf387aaf1e5dc1888990270c9faa0ec9b63bf812e46fbcf9ea10a8eb482db5c7632fed20cefca9fa684a21954bcac619d54454f4733c20b20114c39fcdd8662bdbbf33824936b33603a4f5c20b9f9198f3ef20c096b8714f5271372693c6ab0b8a91b2345c58b65c6ad0764dba34455498e24c2b7836a8b2bbad5b3b65aaaaf88cbeb271cdf15e68629814c27afb60f1a33bf2231b960e31f1ffa1e1db225f148338c289ed7370b1e473f99e8825caf75127e38d39ef7914c61e7f587e9b550fdb41c5ae104363a7e23a39c02c1a2455d1276f272bbcb0eccbe7d5463d9bad4ccc64f5ee8a440aa37044753268b417a4fd5be17eeac953c8424960cb81c6f51cc6ba90f5edfd083436f83da153edc214b4dd0fc954cae2b8901f11f2edf9210d89d8483635b6e49911df7c85fd95ebe122267f63afb690b881d5704937bec22baef5bee2152e6b1efac781c6ce7926c34424b64da91e4b7be8685aea4a265af4975331f3660e773f9b481bea50b52f8a14467a28beb8d5c48044232c778b71801a5a96fb43edb5b702bb463a3f4f31a91e6e913e2c13b483040e2c8a5b12fbfc5fb8faa4fb3f2e8d05225bc4cc7d137a3974030dfc3f9d02208fcc4eab8c3c82ae230f7b9548ab2ed40c370d51f452a2e58a52e7397a11389aa245808820f2dfca44d48ed0141acd57fdfe898a8f1c7223043bf75ea7c36b7e98c4cf9a52669ab4747c896dffc41d71c633c6af88c1bb4fd394059e700ab78c12c370b8ab9380e0c33937e019daf2edf8063a3f7e81dfc3ed4cb3a062a512da3fac62d0a4ed78da4af45ac27c673762028a7b88662471ee8189fa7bf40b6731aa1d272d211cf60bced3c4ab7a96d51c1f64fa8458f011309f66166322f8515034235418168c92b9f167492558b33e0eb1e97ee73da546d46f4f1a37649fc6dbc65b0402a56b0d5851f0ea74ef59b827f9d03829fcbbffdb7079916d6c7e70fe4c58ef8b6788ae0bebb86f56a28c07e296dd8672e0d0c564fa5e87a23dfb56dc3f37aca7fcecdf51980c10d897d273d0bf74b08be922a60bcc77f014ee561cbcf9efd9abd993afbaf59e197acf69a7ef78374cf56559b7b29801b678d7148a2be12eb251f488ad0d0581b448f227fce1c5e2ff8aecf174b85fea64e4a0f696eac33e43d5dccb4e44c9dbc707bb1615674f621526e849ead4cbc9df142644a970c2ce0c428d82eb2c7f7767f77438325f7f5b6114ef35d1d30b88289f8e3336e42e0242e3b55679f978c5abdd47bc0a20ccca20f9f3f7aec9295506ffc60145138f0b212db959444c8351643892739a8e5d9d198d3978bf320e9faa08b05b321072e42a6e84f143431d73efafd49c09c91a36b9a4baf19ce4861467283c671c5c05c34511e460fb200be5926557f4fe02127976ebe9960b4df2d628348d1ad6820d39dfd387d5725f0671632f437b5b4f08ceac46bf53cd23ce038a5917d18a37bbb6d2d921e7f7eac21396ff1405e88662ee70a6a4976e275fecbb2e6a3ab29f37566b108dbccbb99cdeca790f7e4e94e94cb8c2e25eee5270c12a7ecb2684be2c0f0c779d72fe6f515527dee833b67fb4997d850438d2cec07505e8022bc45522e0140ca86016950c4378326a81113efa6831c165951a57363c761e825a8639dd2f9ad5d77cd1f9bd84278366fd73579dfa8397423b37c5c68dcd6843f9b5349b84ba4a9a3f747e05d33b149f856751857d68735e9621d2b923d7029835ec4dec7e4ed0215dab9e4bdf49bfeb7a75ce4584ba82b73b456a6f161d07051ec0c45d268c1c56f6fe5d4eed4b178e4532c0623563cc8f77b0f2d8a7eecfadc469a7a7f84a13df5d6fb8dc3d6a3ce52fb421153229b3a9e75cf23949c5d4fa7ad217ce0f967d9383f9062370c542f0de1b6213e7e2443333c898218ce3a8cf1c2b4874b2f892669209e3e08a3bf9d86305fce578f461c14535966107ce0ee3725f979e66eb621da145d84084ce080fff1d8a38127af10e2d28768f71282939016be46d3e3e1e9cb3d9e432fd343124a7c1c5abf256732fc241adb39ca84dc8106e3615aa3d011a2d57a74d3e7541908649249ffc9999806c0280062e62c947d6699553d8512dd9c88faaa855012ebea256a9081d6842d7d016d4e342df0fc1208df4c966a263dc0b77c8cbd34ebf8a9fad2e6176a3c5950628fcfcf8e5fb72c055b5a48ca3e8cdd2cace66c847b36bb78d83de519d05156c41e5dd435596a3f17bc9e45a441e24a51758d7dbbf1dc9f87cf49134fb7003aec1fbdc5ba5526dc76018abe3cb6a29a582cf0984ac27142a5b34072109a7e633b5d7e77ae353cb52aab1b3b8421659c93ff7b9f806e204cbf8c2861f1d9ff97bd895c4fba32842c29e54e0933308bdc9d6b54549ea27978796452125f1206d7b064aa55d7bff57b955edc4a869e3f61e2192f2eb6b80717e9022df833f4149fcec282c5316876d64db6c14a409320997011ed38e60dd4a6905540d85a9c6b2f42fb5d72e63938934ec33d892e34fbfa9d9d4590ac645fd34882bff5cfde49f13d14e56993b82a94fd438a31bc13df519843ec0380d8580ea11eb331d0ff28effb573f24dcadff957f569f21d21ce52c0fa8dc51703411129cfb14e9eecfb496a0f866ef4e2b43c8accda1b1d514266f1fc10d927733397a097c25e0fb04ae1daa86b76f85449fb8dc1f33c5134d90545fc920541a7c8738f73bff3dd7bfc0da6bb79417fcd015ce6e3b6c22c8ca113f2820c169a4ea4065e34a23cc2e7763c8652083238e2b943c2c00b0819b857c2775ee6d4e15744626db64b66c91a2b392bb482aac0ea4ef2d1162e89baf54ce29fc52cacfa6b26768aef138e9f95076f221d808ffba799deb65d72824b94367a8cd852b31b5f983b4b0a88263f16030201479d70f1589e566b7a9dc62c6e1811f6cb1e8cdbdadc18f27464253cb541aa07a99a6d32f1555bfa8f75b3843ad9cb0e9a6dc9036c89824ff10d875a6009ae7995edd0a416c471af1e9927e102c906c132db59ada47d43d9b92e50bee2e6589ffef909bf22e5f3fd664c5ef1f87e1daca90f23bebbbff179019054d9565a35573bc9d56ae85bb9ff49681a37fba09114ff9355009d96f9d9db84fbbd9c904fe5ee6e67bbecac7b7666d086083d012bcf456b8cee6006d3af06c72c01c1ae9b884f4661b83522a70d1f6a03a8df63e469237e8ab1b2ef1afb93ac4da75aeec8cb359a285012ade904dfdfa6b19852c135d752ca7a233f11650b7e98837c01b180d77db02f0ab7518138cf3080130c2123944a78dc71da1ce68e4a20f56db8050e1ef77193534840e45e89083e7ebee8bb267d18ce003bce614e8d0b5d5aedcdfac4718c3c96e5ce6e83d9a06a9a1fa3784dfef8a6ea13f8f9cb0de615d591dcd80f996495305dbd18025c3a21fcd80feccebf211734a3c015d899695ee4777dd3209b4cfe9ea507f6d303bd8697b91b3fd500e0d8abf97579b097f6f733350aa0ab6e8837b4ca21b6b3e6924d0003924bf6b785daef844d1348c4e036432eebc42acc53e1285b94a5a2332860dad6f4881a54881970a8a21acd13477fa4ed1aafd274ee57b30fc60eb265c8da486ed14ad74c24670428fc2db71c929e27c4d9234e199bbd3366f1d170038850eb3e891077bc6f17636d1507cc9f884abb5c37e5b64f1b532b74bb331517f526325047da3abbe1dcc9d9d33ff7ed18ad35ddd0f63ba668b057eee21bd3d0c8af93d57a965d778cebd4c220c8e6aa08b66dac10fb05bee04135407f6397813a543df798a7f69c653f714940217c3788ef63a6efa9773bf2127c909e4f9b9c2d9428bf861830f99ea98810f508f45a5e1d803622b12da5a4f79d1da89402d888f9b03a064d7bf51c3ca508a3dad504a57533589381350076b8c0e371a36f97b6e8b460db84c35e7b0f9129c4a635f70c7ebb102e3051ffbf70653a97fb82e74b332045f21a3327757beebcd99183ae13656a9854cfa94ef811137f9f62fe3d14df9f43842e8edaf7fbc41715f8a8ac155a0f76b6c856d964943a0a7a3471d04867beafb56b5430f0ce3246604edf62bf40150b2b8d64631c047ab2eea30fae9ea0f00713b85906209bff7953fd9a7c6434b1455652140da6979326536998173a2bc29edfb5457e9b622b4236fdadc886981c32f5a79f783fc877b23daeaa847607ae4c6206168ffa025e3af1ecdc96f97881e6aa5a99cd26359f467f78d294c4f82d33ae60a0164c9f1b961763a1f8fe6e9b9d1215d6e09a5c8a6210b6271f26925d333562405617bb5c81095a3cc8e69b603233fc10105d09b4a910a7a9f38da427d65ff33132d86b79eaa4589389ee8e782af6ad78bb6f3a4600738d8825fb2368fcd45b773f19e7956092d827ee7367fe7b07beeae2bc104758bcb83bc11ce020f40ed12ceee2e54cec254747c94fed44d94f97e04288b3ce084512b4983d07bef645f2c998da102d76d095cfa23cc675d92a51c1e4c35402f14ac3f122dd5f733a55ce0e73151a04b83e2ff92061e5780a7485f450c1c6e6d6855c15a2eec8f8641d30637144f9924ae2358bc321abd57f42adbc8f4051e14056d5cda5468d4e0c8cf7c216a8faf7b01f5612eb4b32a44e3eb42f906771df8af9aef4dc5d2c56244518a24c101b95da839cfdbffe9a494cdcbcae3278844bfad094e65a6d0f5ae64a64e5bec9d52aa9a2150208011dea5a877da8d63a6579127eb7211c73aec87e7862a284f81432f9db58922d9b3e7c0c8e195bfde7eacb1703f27feec737c8c9ffdb1d65f24d4a1bfef2bf484fd8004f2450c0dc5f581fe4e7b82e830c603346e372cf55be6760a7a9d8c0d80d979003b5ff31c1a9ed9fcce9dec2d471dc1a09f7b92cb9d0876b18f9f370067cdcc62a02bca773175f247eecbff0418820853d75c8c6e51f040d472554bec4e2f3c413e171937f75cfac70fdf1d42a7411b2e9379ba3ed1b3fcb353de14231e9f7d2a45e910578be4c214b29a77d4d171dc174037422baf292c4068897677b74696f5bdbd480d20497ddd3793e1163b79cd6ab42e34ca844c6cf4de7bd3bdfd2fef5f530d4321be4592b9a1284a9c7003e5198bb2793e575460b908610b01f7b1f3bda844f533ce1827653b00267c8cff861b17ece7f73a9447bd46140cb567a276a0cb61feb7a6fa6e66ab3a8e64cec77ae604265939937d932c43d7b320d01749b29e46c3e3e900477e43521febbfb6694746f2d2e5ba94f4e22a511bd464c604721c8e2abd8da27e027d125b49cf69dd0d4fb2f9b9a58644b59c62479302edcf9d4d5560b4f98ed0c5269d9fcfbcca1ea0a06bb1a6d9fa3368d06cd9410e0e9faed3af97077411e3116093f041f815d2238626d142a82b3045f7b12c7ef329f1835f9f7d4f471e97959629e4a46446ccd7c8c3f45d5cba6e2b00904f1331f9d1c29490f628cfa26072613b552726d20fb72ed02fadb06ec193af0356ff509a48c804ceac80b6744d0f53f7afd0d4bd13370f3269b6358775cf9e0adb2666319354e6e1d00e7f7e54f4c6957ab2865d51da471abdeb55f9a50987fc5a0e75ac6c225edeb4bce0eb0ebb18b6e97b5abc9f3138c86f12642c30e434cd75f99ea6773229dbb2b06367466522514f0747e053a46fce6489e261433ef1a806df46506ecf535cc0bfae278492301e4b775a05223ed47a4bbc9b70994b62b2aa1fa836cb59ff9487cc44b2f60205bd9a205ecfaf3e29667b340feac372b19893580ec578724e519d03b79a731e10f6b54501fc7cc8e0eb0ecf3f88f209eae11632d4a0880befe1fbecb957817e0b1ed2f7554c27653b4fcec8dccc56b351755f73c7a3fc55a13f28ba927283732e27d828702cb1880047f95ba9e3b5b599ca6f67166ab2d1f558408900b265ad627f2117a0339c48831aab555bec7332709a5278e175bca4e88a3b7c30e7b24631d199ca115ac5f8d5d71d0b1140a4161c23b7e12c4e7a47762efc3d2b8b916be45b4a02f825c28e1f10d2ec44aa248c7a2e06b7aabd811f066e850b8451c7ef787f0cd5a7c03673f5ac95533c4253c86ae33f1c8fa4b7c084985d34bde2efdc9d819e6ad6127e114cd2794260399421532191fee76341cccc542308d78eed40840ce163c1ebd2c725480a4389fb500f81578ab833d099ca1e41a0075e104d19a78ab0d3fdf2412976a087d4e6ecc052eae45fe106f4fafb15d25642dabfdeb64642b7578999c6837c7381d0e5c2b87a255ba6cb5162b011277d96417940784bdf7d6ed3ade3417a94eab59d446ede653eb293521072f630d87a437bf7bc5ed46ec5c1784af12deb751837eceaf17b624988d1e9645923cac68158d47f5e4ff80eccf38b9e40868a7adfe431c5a15b2f76c081b0338c7aa870ef1f526b989feb21f5e08d14fb98c839c459da04295a4febd38e828213e39451a969753f4bfd6b7e545e9ad92ed5f089f4abc160eec723aa137b3d104d45a7edfe82dda9a79fb772a329d9df3a08b19a30dd066a1accdee98bec27b430bb2523e507b96a0e8e802ecdcfe5be550f6d4469fe3c78f75bb0cb52a9590ac84c41bdfd6ccc86ddefc5108405bdb1b53324619007662d9d318f4eda9ac61d010c14d41976396b58e1c870daa1a7c7cd2b90fd354dd5c96c4a632df6b0437336ee305c90d66ef5c5ece98311a9e89f38d73180a6421f484d70af4acd39881b4647ce2a9dd2ca5f6e64a98922b0411516e12311bfdd02b73514e9c27d330af650117be3ba69e5e32a4fbdaf97d822e4d0d5fdc31b447b3edecb0f85746dc203d1a08152754089c2b7708b20859da0dd480bb96c6fb57ab5e4611a8f36358be854764b1e8631d64df259ac7ef4167463d3dc64b7c0eac787ce3319e5795ad39760590f20203b6257320a445ef56093e8eba3b1d2b93944fcbed6f9646dea5e8976169406a19dbc1f67d4f9326abc806c88da9913373fcd061bfe42e6a282ec21f381ff788599dff51adeb69c2f3e5cb2efc9315cdf5dff35bb686320fa93d478619749d29e3dabe61785f2eddec9ad36b45f64d1e464bd5bb518d6cee2f2afdd9a34ec04d7e91cdf2604b7f10225c322e2c9c342ab6eb88d17e88a0430ed01a4c62709a1a70157433081f4673150e1ed37cba6659958ad54c2908d7043e9e895da00ae7706973c379cb33ad547ecb7b330bc16998a612b7b3d19b914f16e02fa0012d23bc54334d905dc6fe682c2d4cb6fdff12a03b7f777a822cf6c00a44900dd7c4c53d712566027b9550ec6066fcf2f2893d379fa408bb182f617ec78e3a7cb7ff55b3b2e798ff92a544dc307c48d5f679f88b162feaae78b7e0dada8cdcdb12fc7989614e974a5d271e50f7b61272aa41b30568b04fac1f9c7418857f38c6d15ed166498c80ec33c9630efdf522a87cfdbb3d0dab6a241c751449638d47682f51d623eb0eb9b4a7a285bd3a0a36510be957d0b3e16ba11b653928bc842c42ef79eddb8e5d9116edf5864a5d7b5cfd057243eef7dcac48d93aeea1774c417dc6827363c084d7340ab139e1a2b89216d0b8154ba26df8aa74cfe080fcf08fdfaffe6b36c54c199e0e7a3dbc4338418dc24249218c7fb6aedef9fec1a8cb825ddeac2ac94e99b21c666d16745238819d6da3f67985251342c373fc97b8809406fb17a081403bdf7fb3da27bb58c552bb284ec6410b5e45df014b98b834ef01803aa8625ba87b0f00393097323210ba0a915e787825d9cb8a8bfb8ea40e312c18139c43b6cb8e237040657bda21c3fde2f1fe7a650a89586e4bca0041b4e69c8401cd57d508cfa1d763bfabc0017a55c501c0954a20bb607998d61caddc0c296e610371b16ea333098c75283d0e77a328e60537d3ab81a9579d10053f87a4f16671a29c27c9a64e14a80808db4c5aa7877413a0b9bfa63028b1779f691ca0923555a0f593ed606058f5e3d002dd2f2ebc7be41922224e1d8826aecd3c9c6d84a40e5c6cc93700a2bebe156d03dfb7af0f183505b04413d5db154d614512db9631a845246ffd58aeee7660c86b6333c3afc864a046a407ffb10b55194e9b787553e85c0b1a8458fea3a60fb3c4d571a5ff8f5d58addb1ff5812d30009176d22e81cf669bf9ad9bec471fdcd7ef1afb242e9140d3e36ac4494b9fa1e443586c30a5e247a23d5c9388eb13909630cdfdbc830dfa586e04e36e1a9f548a864cee4568b18b49f688b805cd90a7371463ee7ec3b02408da61be4f52a6009dbdac474e7487b76b81602c6ddd10f02ef334aa4d7e543cdfa9d323da5a99cc417c5883c2d6e94a378bc8795ae7db4734d97342f19e1ebd81b97549117bce2f0c9c8709620e2659bfa78fc3550b8dacf92aa7f95a9a16424b54a5d3598bf9acc6d440113575818ba8d6351b47d09c5f2f140da4f266e9cd90c6dde5f313ae56e1b56bf303739e33ab6592bda5fe3b49116c86ed0637a6217d979a3af7dd9d94d15c9057df74abaa1697379d3c6bee43b452da087f9c35c5e0211eb0deafbb1c74907faef22f3641c2241f4a33fd15b76d3d18ab1768f4a898bd8ba2628a36bc48db1fcf8df73b7055f0e903f3a75b2686bca706f8e6c73a037fc0543291b91f5b45558006826003ead468952e9fb811dacf719a2a3073022c761ab89ab9a71131d3e9c13e4f3bbc01e869850b3e1a458c52e6ae48d4977e84584738e2e3cdf7f500d59cb16291906ee06cb852adf0e65c1b142a3258136e2d5b39291ae22b82ec70cfa96fdc3cb27a04fae3f7f1840278033ef7a8a9893245687c7533f9583bc84bc49fda4817ef517e373e4ee9078e59ced48aaf7f57b765cdb3b035ccacf875bdca1b81048402eaa4983cf9a5f30a98a1143f56e7a9b16a5abb0d7851a95f98c73e603a27d15a35dd79cd9f55008377d7c4335eca83e698662c0efb4f523f0608b58e0effb50fc31d068a461899ea711e4cb5cf0d44941e3110de8510e76bc80d8ec588b84d6323a10bac9b526e810e664079bea7d333e75598a1d0be419c55232bb2400c88153f890993a3be5a3d51ffd196544c49841a16cbd79f9a9294cbd9313c170a5fd1651d104cf6839b050c58ff546071969a7ad0aebc0af8ae8ea4085252aeba1f8eef8d87a6f62be24a86112b1d17c4191c5c5d28c54e91bdd57ed096f1de81e3b0be0dd1d76d1f308d053b9ec63df8f59998d6b748aa0d18142ae0d84698c5c9076ee58108bbc37996132da724a5a756df578087e1c8e342b9eee8c249b4e87352879f65f2ee14a0d863966c20c723e5621103b37ce14dbbf238e3dad7b6ed0e2f5c2b13c20d2688639b9ce5bbb5a52132975d580e57e3ad7b4701762c3a6aa75b2b45ce5d4a6364abbe9205fe61ce8e2d844261da5c566ee3217e1542a8f4e99558069fdcaef675aed96dde432b44b520d2cb2b6c2dda6a930871cf5f9d8fbcaf84f31abf8efac1194172d02a12de345341356152deafa2e64a51e8f5e6c075817ed375cd4bc30a795e25a28c9311cc3bf4fa4612509d4d242e6fe2696c43702af4c5d2240358d73a28657edfc676007818f546c4cb2b07259ddad85028cf89648a059f09f69af3643f4f0b0aaeac33f662980e9bead7565616e2c706f0e259d0d442647fe34ce5cacd1de06af33e1ac8bb0414a9fc4640691428364678ef0346d05831f255e8cc15c11d6e8a570ea463fd0fdb599eaa2f0e1155a876c049a80bd72f9a41b44aee461c5b40cd03e41c01b5d65346aef3c2fd62fd0240163318b3fafe0ff12f6cd9e6baf5a1640d2cdb720b84059b2c01258ba78efbdd42d044784de9457184b7c4ebb155378e5ce213cad095d1afd076568916d03868e2604168045ce20ca54d30a15c8adb979db9f46cd70785567b8d5f6fac89d7f2892b36fbb4fe8de9c0bada9f24000636a5a5d79a31b09d71ce95eda30369a195ea2657758529423d485630038e8d2f38c1cf69f44528b19a029529977c9191b9c4be2b1383ea3f04c7dd21dc7741ffeedb19fea62e0d17a3019122649b541fcefcd6fec8d69cdb71b93cd345a4b2ee643f7e78ac2d97a0dc0f7e0ce6f699640750101603597e18872d0840323bc88a5e1e1718ff9c5f11532506f4cd3eeea4f5a58736a3a12bd9315b5fcc2693df2dd9640b9539b7ae7ae13edb6f12ca95cd58410b5c379d2f5612c1a474b1189d4aa1826402ebd595e79d5522230bfd278161f9043d4f10aee32c133522152b2cdeaa27708dc5aa66273e531420621f61cd748c875f5c6376e4344cf13c38dd7acd03474e4c19b6e06aabc43b4de310e35f93c652555c9d4c702c7c8fbf3f15e393c4742e79a8aaf67c20eceb4c8a65678306094740d8d7bae5fd6d1d1e87cd1f1e34db80fa101dca0c9fa204f1504c59ab6c324b34e36c00311b0be8db4ada1a33d634fd5f07ce1d5196acb05261107d031733b8d302a1bca19776f2d24c2601a402a38416889b681a036e735e572502df8b3067f7ed4200df04a01ac1c1eb2f499833c04ff1a7b5d5c5779bb8e05eda1596b877427591e9a0d0da0af1203039101466f57f59377888e4bce0b29616c1040aeb2a7fea1b6fd7abe843784f673df495460515f32563e5921fd63285122d6ce4dd402488c3aa5756ab2d0aeb57c0c5daa167f96ae079120045727ce3b7c9580fe39bc689f30c51ef6389170f484871bc75da2d25f26efc50a2c308c60f5e4c8624b5867df59d03217e2d8c990530ff10c00da427e06d01618acc7cbb01a501a750028caf0e9bb3cd4a8ca415504290510209d566940981ffb0e99beeb47ba01e0c8c62e431105a99fcdcc3e0fe4fb5c4e69dbd182b5346a42ca09a5eddc7bb78c0ce979a62da6ce1d0805fc5a924e1aa952f0e15fa59a3e095c27f6d15faee367f2299168e73378ef24ad16d934d3e55053113601d32c5a04ee6f1e7c9943060348cf8c8d7400fa5fcfd22ee5e911f1221f42a0c392cb30ca2ed10a72e0c339a1c7ca8c71efe9540e1ec0cc6643ff6d0f07289ec373e9b96320a4fc571251916e60d9f968a368bd3b4ba338571027ada63f6779c2feaa9a70186950426c9aa6ab0b3293dd4d59b0f85c4e833f2edf873f6b27b20e41cdb56359e8f9bfad2b58b981f5a07aec4a15e52b6f55a35cea858f5ac1c438f69477808986fb4f8afe656b3575662b31435fe7f6028b1c24840243c76351ddabd313775395739487155bf0c377694d31150b3b14b28576dfc0c86f9baeea5646f7a0ef6c1d0ac2f448113e5ca027a262b74bfc9711d597749d11333ce2a5723d019d44f54bbf1da9664721dd833b51cbeca4ca3212317e97da6d3e44b059420f1536e194b5447e12e1c5f8a19e17c0d1831631774aefbc677a4676a6c6e408ce4c41cdcaadc6b9089c6bf4832e81bc5d80f75a1233a700e8149800c5556d70f032b38b467404a56850d6604e3d082fc078681fa89d5fc422b5ee06fd6a65ea1ca77aad5b859fa615fc2d5b41b4b4edb4b7376833089e75cc0bd56f3917a4a70b0c4e6c0cfaabd238dde8be4bc260f4fe158baf11f97a80d7a6c6c30d08d48d1af64d8c1882638001ece74d9b2f42aaaeddeaf5501d26c7a479215bcb05f56f1d472db703df639fc7fa35c997669fd41183cb48baad730eebfa5931dcb20a683a81b2599655fc1c52757ddafa6a26b677e7a06b11335aa41806b4b1fcaf05f186352f6fd3d7000efa4e667a28be5787e9dd323fe7910fd7cd2c8b17e983febd5b0f8d72596d1b4e6b4be1399f372fcc3b473b667be087fa8dededbe06ba3054e9b885e5c930af4043ee17e1d052e3e270eb91835e7459eeb65a72f6a2ee019bfbf04297f0b21040885c57b6d189dc54d470b5996e28ece3a6830c3483e07727d76d1a570c305fb0c75d7935493280470fc847990f4551bbfae5842725c4855f9f9885a418623ce71a7d52d1f5a1e522e6caefaadb9bc29160882b52754e3d8478644144de4addd4f2fd33a2516b7fe2ba322d59265983bf8a4c89908a5c9f9669880355cfb6fdfd0d50658fa743dd3bab9a69a95c217220a054b9453e4c48d18a8b5ff40184c8e2b973f7772865fc370692714321594de0cec2bd022912149d7e8acc9e5df154041fde6be7b810256074a60c24842e0590ec7d7f1d1b45aa6ccdd88c30b23bfd3160d40ecb41420cfb408d82b7f8fbaf461bb12d5c912a94f2f7a7cc2639a3f36cd07b521495b9aed21e1122bae1e06f77bacfd2fd7db691aba1153e7f4634e1f48011789063059dd5a8cec72d8ab33048c4605d3e8bb6a37079c3548e0e14eaba0bd045d2642df445d707b82e4177275e9c09844f3c5a8b01c961784b307a42d88e8de36d07293bf13bafcd754c7cc0a9dfc86c6cbaf5138bee089f3a53d12cbb9d720ad453eb509dabf437154f4a36d4a3d31473977cd0f832f927812cbfa2730d87a2547480f7f6ae7581af11274b6c5bdacfc27d1ed51a7f3449752385f815da048b5569c8e726214ad3864cd0003fff7910479ac27860e22700a27a804b57066957798741fc22536e449d640ddf163715860b7a473393316ffc568ef809a995822c551be8b17dcf29e6b4b7497ac0985b933b9793760ae1ab847c27fd2fdac29b087135ac83cdf2dc7cb960cd2e6fe16dd07e4a9359868e2db4915e3af47437dc412e916e99145b0b47b2026703a1147ec6e8c066c8ef351a9fa9e151b8afbbf4c055d919af5f727ffae6731c5ee85b9ac1674d7f51125f5607d9a5ac2c880659feb59f3a3c235336a2ae80a58c26a121993099d84aef36319850788c315151f6a509147d9eb7c321a3021dee5002fb39da17a2b2046f5aefb95ff9effc3e6a8e7c202efd008f4dac8d6fcea6458362639416b1085f51ae259fa23c4ace0e906408b88b77fe24fb4cd05cc4eda1ecabbfae95c5d01286aeb26245222cef988a2e8dae71777e3925a3b31eafdbd8d86c538455682f862f079bc844a60c4d9a9f04434b4cbdf4ebb0edcf08aa2c8d1b5841b824b7df1951a67f0d2ef55dfe8f44f03812c0578e9a1410e4ac8c0d8110256438d358256091bb28318156f6d4d31d66925ba26f38e70158d4808950c9727f8df13e0c6bc45075b0ff411a5510def9d32a246ceb55fae12784928dd6f5f1e86498896c42aab6e7a8c4b0c26b5f98f6e7f3fe5e8d1d22f7ee5fdac89febce5bd645e2649f7f68183b6dd47c5fc6de90dfa7e241dea4401e276506dbba98dc06d6fb36164288ef98ece7e041fb62e2f56c38e80202a50a46e63aefec721e72e1a5d7a0345b70311d22cdfc1b6660ae744e142316bcc6c1fb2f62746d6e994a7259f10bcc4692fd6d6e18d6a4a8f1b3ddf8a9ed1e5056a77ada221514a64c4d13af4cdd0ec51dd612b0904a89f6849485afbb4066b3026dbfea1d723bd47436a5cafbb359f3ebc00a116772a595b7169252ba53bb09a330baa2dde9cad0b66d2fb1a22aee18791a9286d4fc7eb82b8c0d87ff26eb8f38b72df26a5f0e49c4f24bca5174b8c671e32895b8e2cd824b2dcd2a9229f8065606c12f5ac718c60c7416bccfb465277d533c9697402c804fa6c21b2b1ffc14fff2e81322e0f0db4821785247f46192f1039726010bb308429e35048c9a715365dc253a9a6786cd2103038f9dd2c04df2dc3bdf37b27b1ec4706887aeeb1ed3133352c124ebea6b695ce84f65b7d61b2c21b1b58e5c6369ad03d9ef7a1f08cdd6dfaafbdee77de92b5317720f5af67da104cc197d5e5fe2b4ddb11c67d7550de91822e30d54372ae2305334458111793ab020222f3f9e2b6dfe6532796c2ad82d1063bd30164e7e6e236917a722834239abcb83e683f5186b557172fcefe7e2042a08628e7f290cd483cec6abb60604e0de363b205fbd0dd909e283dc12cc466085f40c4244f04e92719206fdea4e5997122ff2b0b1bdec992adba91771239d0e7eab11172191f5f2ce33b459388ac06474a2e7543d3600b942f5a277b4dfb68dd22a1bb88fe1a8f92b03cd8ef9dd1b094d84eaea5dd3e66517eaf78efb5fdd6feaca9ab9ff5266ed1f46ad6a138b9d3b2c6ec095a14bb04afa3c8f31a6957a5c4b4916bb6916fb45b3d9d426906191bc6ecb92dc1fe2dfcb20c04f5a115d9c87e8eb07096ad17e54968289bd9b33c53e073af0df28bb98d9567e67585c3ed73a35df82969cae3875e058563d45b3bcd69b7f7b94d4be40314b1b1205c672d9e9b385ee98fa2941657f05be4f0bb504b917db99ac1876ada05933890711690971a0c953ad5c3431447ed3de363606b7076b975b7fe7daa76525c34c59b9f4f28952b40cdb7a827459c9db7dd3068a9db8a104800d95dabd81005532db44c7c37892660d466386fbf3040c47172f7a5199b568e3fe86122dd5c65595f786ff3322cb7cdfb10223df5a7cd3b9abf322dc30ac8162dbe680a10db03a72cd66278a8f243f91a0857c93d2c34c83849239867df3714a216e72599a7bb8666f97e3c76ee1a865f962ec03e2cfb05d221a5f5078c3c722ba848895eebc1e3175db6f46f890c85edcca9425f5c1a5e31f2e776af9eceb6edefa065b3b4fd0d2764613899b81965d6311bde99348bd2b6dfb4314deb6cd034df8ddde1e169c6d95a4189e1ddcfae8ede44358ddf38d790a188aa4b991c2f8934c88a130a9b04c4b610e33c86a28c771ce6648cacf3d6a6eddfb2d9d55d59a8fd192edcaca3bd86dbae88ec8c003930036a1ae404fc701e9e249a7a2aece876c04715f04d688e859e476dbd78dc1aa27eed4a59e67cc538045df964551be2c906fefbd0a3525eb2bce91315bdcbd98846cdc7370406494aa58278cff320b94ced78635d6c766c3376448c659a80f2ada03176b849d49465f4cb3ed14f2cc93c3cc48521bccc63e5981f8cf3a425e81220ceb75b5356a88440079aa7267515eff287bdf1f3150d78ab4a8d3b54202a7d8f5f64c0f1523f663d8d8cff76713727d45f0880a5498173dcb97cbfccabdd66d1f763175a1a05909c86a56a658ccda11a97d1caf5c5be5d549f0c5da991459954185fd818800ee92fe1ee5cf47e5bd9b300e9794e6e24231e1b7e4e023436e94b912f76dcf888be422bfa2a5a459b0ac76e4420774d9ce1253ebbb476b027be4a135b5ded8b4bf1e5f9b7d466ee9419202953aca61b4260c743869e8fa5d9aa612e34886e6b3f9f2b56c49d2605ccb2e5e295d73c5733fd9721b9f1e663f52f755d27939e20f7df3b2b5e27bc18b0db0ec30ed32da3340cd5e80d5b990d27d96e6aca3cfef8671327c5e287bbba53968a2aef825efa837ef6b8b09cfb2f8f2e47cbb4da26cb5d569c43b26c7278d24164a4e91c8c77b928e479f46b1a0cc0dd56a49d257bab2ba329c1b0f8fc4ed775af6b465ee93d21534780f62e76fb6a9a4a6cf72de55407b144db3e9b1c508f3539c9dc04d525b7634a588ba6665a549ce5819a2e05112503e75f6969bae2690677197310e093d1e30fcc1dc7ea08c4795efcec23695eee4e79df7a44d0a6495c86c42655e8e2500202d9363e76f365a10f94a600907cc220407a2d5bebd94ed6b3900ae13c2be21b4da43350ad5f45c01d00c6aad3bc75d21231abe4eededac5669b4d74fc2cb6862698d8d703d6cb3fb8592ce54fe2db486adf4c52777bd62ec85a4b7d9f5dab140c3adba05395329a644161e398a84539017f88b3bda46c6c96ab19115082fed39b28b94ced75167272db5d32f110ddbdf4234b4397d3490da1ebd649f1df80b3c2a6b5552ed460f84466b6a9b591c1616ae2381c938cdb6d12085eea42f2cca2fbc21692bb46ce0e84ae9acd67148be4e0d75802179d8238fbee123f678694f1cd640f360588493afdda30cd2ae6246e79a5267344b7a9ef1120b7e1e927bc42dd762d13e6163fad74d6ac4ee5e7db7ff3f1262abcd2cd18a1f90df47ec4afd04bbec83f8012c28a67e316d7e9c4da243737de9d96486a0d3e61214df870ad9b00dde612a5168d24d8c1e92af0481e9c8fde6d3fb597fffb590bf5c3008253928be16ddbf85126475d0ce2a9d8ceecc66ac0c7f1b62048287cfa18ae4acca5ec5abb616f17b2c3e1b9ce4eb742486229fee9507565ae40254581ae8ad6251db3a5f18ee440bfaca7787c28c53258f2a879b53e711f826aeb2333e915944910c82a1b7f233c22ab2328d6e275a5a04968f6ae2e990b8d8832a37dbb1745204d705ee542621ee86ae8dd89139dda8339ceb37e6cfb74dd0df89644391a0a4c397bef6fd3ad7ebf41f44c084ead35e0d8f12e0c114974654b797750eb71649d5b25d87f978c85116fa2aa4c17131593c8872fa5287311f92939a3eb03f77bbba7e9f0550fb8965ac1b8fa1a848aacd6bf177a7b12b6c8ee7313e90f17d21d404a1175c61ce4231b48ff900f1c964fc2b2940cb93d49b54727d9d757ee1ec5cada2a7aae117550fbf0652943a4fc5ab09ec81df6a0503df2883a7d07333ad3f8de88c2d7c0645c30ee088e6276fe7db16d8882f253f66026ee7501b3e9b812ed7cfee345559216422ccf2c852771cde9721237a2df3cc7a88f31ce41f832f8a473d481affb1c0e22000b0e00a0ac2822de3193aa28da3557e60cd4a3d3057d6b46fc7578d39bcfe5d5525f5cedeebbcbbd945e178c672a4a2c640c9af291900293c4c334aecc803263d018021e4285f0724bfd2081bf1a174a5b90bc8b8ea9ba8585fb3eeb2e0b5b341713e4a83eeda01a118f26d854604049d2d9b20c6da259299c8da79f08dcf89be7fa954dfdc9e8c03e129be0d9c6f033fae8ae038b6aff930e52d4e8cd6c77d19fccfe3fd7d3afff1162493ba7bdbb092ec64a81ad7cf85baf9604194566cb1750fc66322382e2956e57300785fc4c3c471484357780c143f969f0ce4c57866e3b81e46dc2770fb3e7bfbb470bb26e7aa9c94523724e63d5dcdda911e6ef9b8a48f00cf93a8b5ade72cde22560ba5e57458cbc8b86d145d67423129e7989e1ff5e78fd79156e6013b0a1a3f9e31e3ac0f89648728237cc83d7bfdd3ab899d56d553aef00a831e96b8a72e1ddaa5a0865174dd3195362d370d1213f92909784f027e4a45a6611d3793904582a600b1953da6b4d0eb27b172bf98162c44703b24485eb286f424e7b5a47a8aee1037e28720348d616b28b150e98bdaa1875fb2692de470fb1191f3386c2b37b47fab695b1757ac0e5bb838b99ef666201d2027f6403494ac52e742c0fd62ab8bae223e9ef005014385f73cd040b2474143aa1454bcc56212a854a436550a2a74a73938f6045937ff3338d512a3e85d1209807a2c393ed6e418e32ed2be3d37df94fd967d607503347dd2369d3a14a8e4671a1a856d5b803baf9383ece69667718fe907866f10262a58c02eb5f0706073610353b09ed8dbdca307ba9decb7a8f0a026119173b972312095ca5cdfd3a7dfddbdc5a037327fe7f41764105047b4a19d7e87d81c4dbc7b9c7c158dfeeb1e7e3fa45d06ba327593bba7e28bb7a010dd9fe9130164110ddb9ff54d2302d8c476b6145d1f89a055728acb30d510bc93f59328d3582239ac28e5ac3a4c971f19ea95355eabcc55a22ffc35b9dad29163ec662224c524dc545a86787adc89d7db9b197eabfd1d995ae01f248340b1697155ddb2ad540247a59ac8574ed41c8258b74a6fb651f2d33d347d6d38c629c87c188ee4310c199de7f0bbe768e8cc1e7ecb3601af0c8c26d8266cabfc8c83ad1520442cdedef6b59ed8b3bca8c38385a34c360750ea3f8e570252c8bb6c31eb24d12f87eafd4c332b12008a44186ac648c75f9adeb621748906dad542b289bef5fdeb83a23af903fb38540975cb5282709c3a3c9e7dc0ac244dd1827e5197192bbcb023506c8f1fba9db637702007b474bc663c40e8551302185ebe8b06cb30f59e1c569baf9466d2eba8b7023de824b6bdff0c77d6d76c7e528902e4cddcdda2bfea46ca9c5181268d57aea77972e8bda85ca2476d23d662487f6d2e1e5613c5ecd2fb05cc31abfbc509d1756dcc8c0bf8b4901cdb387342b62cbb8fbaff5437d862b3cacea99fe298ecb527d7bc90e89a39b6db7140ad4939d8fea8664b77aa2ded74a0a0118d695e1da97c3c3fcbef58cb59809ba359c7462d58f3fecdadf94a856efd5543768d8a3b27db5f548efe2e51a9b4243c231743f52f5c0355a1a5ddc5f6173f2b24a906d910737dc632a25d1705090f957a3eabccd8f65b62baf4008641c20e8ee6d67c0eff376ec2f88d8cc003d3ef456bfb5da571d55cd7b0a515e278ceb4a2c84422ad291a6bda7210d35ce1f7d3e2144ec7030cc753859dc5533b86e4942394e71acf9f8fe2b9fa5be163484c85cec615e1353a3a5f1a82c55d916fa4ac7f31b1023dcd9130f61a8a7c00301a8e6d871d859139a7852a60829f2087e93e14e59b2762660727da193ecc0dc15e97234bcfdfcea68ff968207c4fbc5e7bff4d9408d0b252da323d2613c3ab9971be3a6c6e8982a1ea2ea6b020cd0b78ad83e248f38f9d7b2c0f81266544b93bc0f02980ab0bf873ed0527d1a78c1283b5cdc12314d22b5e182921d46ddcdf7402a465044a16b2d59df62adc53e689f6e300c53352f267749b79e005062b07d62b029ce5e82845ca6b695ae6c9bc13ab011f22707dfce7e98940231f7704afc12eef282bce1ff8f0dba329cf70fc56fe1cf1d6dd4ca3d079d81ad5f639ff8fd904a54047e2b99d4ef027fce4b70b05b4b5dca48864cb19a65a42148e3e2b9ad158f9bf814a0fc0c9d35c61ecb9a6d39ce0aff53f72c63c93778fa9e01d81ab985ec1ab9337252a4634e4047cd92913d85db0194ad9278e751f02e126c8d9f103cb9fd5b0dd883ee17130460313e6bfb066a2693532785af70fb7bab2a9d45e2853e6f624ff1f4b2d362c63b8fec8f8840969900b1898c11f4aaa950f6be042eef4f57b0b5decd0d4c463a1cc015b517f151431ce6267c02e12dcc119351e3f099187598c7a804a5a736927da508c9a052b6f792a6f24502029c0f758151b65c7cf3e4239b4732b44ecdfe2c8fd3cfac6005a13d132a72f6b6da2d5cc2c8801600eb16c1488187bc7d43bd5c9f6bf4052e7928b17c4f0b9d5bcb2208970780fd8a3fa479fe60a3def0332f2b9a321a36886fac104a4f739db35aecf71bf1588ca6fc3c3430776d304e6fd2c6e335908902d815593ae06c4ba29eddf5f5e3d715f5d2c772e2b0f62c8d53a84a6835a4995af4ad186b21b55d011684ad07f1317d93fd32a87bac3b2027c39173d51c95c486768cb924c628653541146a2850c8a571b2db560eae73e5118b2cb125f273ebeed428a83dc103faa06018ab58facf4c23d4f80a058e509aa5cb88de2e74096ed8c73cf4c1c18fb766af48f8c1f09c85af655ef243567973e2650919fe4289e1b949161560cdfd1436d0eb34fa5dcb1fc6b655e5de8e47dcd61987e28b2b67ee560d3e5bf06f08d1740b541dbf5fe966c548477744009ba253e1799ea46842411f7c66bc59bcdf3c62f265169bd53e2d157ae268f239ce8147f5f7d3f6e1613a4bc45a010e6d7efab1ebcf3666ec3320c356ec9374d4b55b5e226d2976b63f1263c01b5dcfa45b5bd0be9c9c3d11e2ca18f6fcc1b9673e5292c7354047752b0f88934129c4ef7562991261a35bffd61ba0912fc03b776a8ba37588d1fcb98e4e70734778f88795c5e53f9d894eb502b095ec3f2680c1af1b1db4d049d9c4e5d5b65a784b318b2dc1862176a36b64568ead48397ce6c684532a3ceac8d54178ed2c4876008bcf686e1e9bb60fc7f271693110f9cbf43dcb496a70fdab4aaf65bc6119d34c1c5a8138faa23b2b347f2bf0f6cb9605f3f504b0080689091688f03c2dbcdaee698912ae4e5366fae05ac4bf34f3a001f39c612e0a511ef4fa6b71ae32c6a805837530755b7552baac76f76215628592929629ec4e7f386ea26ae151a9fc1858e270621116802af43107b3b952084a19be63734b8effda36de57586b29c50737113d04e1ad7fce51419001d1fbb4c77191321fb3d26be954e8ec78d8f3c5ea6aa0a7c30d2a817b8ec5c3df841147f63a39eea423298d8a05cee34e6db542f4aa58461ea0319251e84b1b4289c2e8f2f3f76cbb459527954bc00128dcf53a015e330f2bb9a43e9703299de6ea9ff7ae84beffb479f94b4cdbf24bde604d69c9378cf8387bb9831c46a619fb99915923d8ca6ce536f47370599f4dde04c823c067c773ac7b6f40ff5af9b30e9fa17cbf1e34e30cf503477d554d7a4c8e085b1900cff0b0a80ee5961942b57b485498ac8683cb52069ed367edd614555d7f53ce7601ab779df7a28cf7be8bc1b6a9e1636c697e22b5f2901ecf6c7348c335c8b4a3c69d9fe63df416760c0c747de61c2e0960dfbe5ce7a553b532b2da5d9645c5d5ef103cd1af91a240311c1d4c3fd0596f4f65f3113f87aae24504e633443ca5b5de854a74d1c619c727a1bd6764a214be118698b17766e2a95d661acb2d0412c7d36cdf4467f6daf14b962cd97e24fa3cd5ad9adf2f3d1093cca7dc676de770970c44c599b996d49b81050c744c7c9049f93c03462089dcf60b9befa1f419a45563f82e7b587b26ebcdf5dc8b4cf190b73e4bd6d6b84a19d4ac62902ae8177d3aedad512b80c9573547bed38d9f02170d4e8b3a1b18fc90e0b8b871ec5227d4c8e114f44ca8c9fe9c5d02054c190559b26b166b7f9480aba380aec7ef6384dfdcf57c2c6119698b0f2a21228dc6d5cab83037bbaa475ce900d18daab7349e11a18e915509c23a50002c3a24ffb02be8686c190c8b40d7f044bb227db73858293befa17719915a8bdbe9f8ce384b9e46541941c0d964abfcf81e701cd72c7bd935eb1678463135b834396f38068ff485b409f310a1b0514bb3ddc46f109f689f9ad498bac5509acbd6579c2bfdbf5411ba85b067ff2733ac937edf72b1c74126e89017dc34e8826218015e25a28af71d9bc21f4dc3a2fdc6e6ece6c2d1b54e5fd3c669f57b054f5d3362935d3022869c3c3a92275a66dda55981262f10f75839a40576f6e39e354336faa442133575f0af25d64bf8c029239dea3b16dd6fe97d11361791cac093dba5668f3e696c12a304cff2613fb886bec87976af2ad8efe68aa8e0efca8fdd663bb65cc5ff4fe114a57ce0a7e3ed2a183614818794437e91fa03d3a7042ddddfaec07cd927a8abb492ba026779a9b029e84f32cbf3f100321cf1b9380ecd8b21f8f492fdf2e34a754a0599635ffb84eaeae713bcde5c55ca74d446c4b04352a18cdfeb00aee0f8c7df00d7b9ea5cfb8d00db3ddf702a5519f03fc02539b540fac4453c36d763dc0f387f38c953abdb2bcf8e1c1942b6adbef0f89163b5ca7def027d09c03106af8b2571613924a815e319db4f0acb27a32da871003bd0e14b69365e8d9a7b9d87a232e018cd277d7b2b5ed2da56363ce9cb64a754419473f714e183c6b663df0090ab6d1cee4a04ea68780806ba2680e95d80b2111df2091fcc06874d044e3cfffd2515e2fc08b720be1ee43839282724aa05ba713d50bdebc6753829cda0999d310d107f534b84d981504d986c3cac8888aa0ee67380d324cf541971b092c9cbc86254bd537f5bb68c0386af4a228104fc03db6aa3258a4b9517150c037cfa34be268dd0c2159833a75caf4da248f71a34a78077e15b44d8d7770999762b0e70b92332009999e5a2390944620363433d01ea4ee78efa89540f652eb622a9373c51c8e4194324070621bcc6ec1a5f99964a6fbe2c2699cf63ec3ab6074cba2f395da358e8ff63048ddee805d13f51bcb470324abc4db5a9df832cacf88ce12d4a759d83e527f4923addf1d846986bb22ed457056287e399622ddb1b6546ecad1d159822d96b84dfae694d2ca66dfb9666a3f2ac1cd69a3e0a57a8c3264b7eae27c3dfdc0679fd79e179b0a05ef73d8a16be7724a23a23df607ee7ef8bf1c85f4f8d48ac70262c0791fd38cac8ac9972a04671434477e34cc1e242605c9e8a03a5ba68e4834e805fa271a998ac9046eb9c2ec1fa24e4fff377e277c978655af4abacfeb9f7f19b0b6ec116a9d59d773b409dbaec6a1f571507ab3d9c3254f6adc8771783a2477a8f744ef678db947efef1b1260fb8d98686a892f1a7d78afb4861754b37780673854c74c7789587771f39299d638e22a4a40f5224144cb8933dbbecef6b141ff990c59f0148c63b338eec3b7e2ef7aae262714d5b0b98879f1b3d5455b84e8730097c7c092a16306e8fdab596985eaa5cc048d4c7cac7120b7348a9840b7934440569592a83196c7858798c6b342daaedf49ec2fd7756b2d63e2ab21b8402fc4f0e47e886fe99a272b1acc04f69ba722f3bd3a87485cf06d9996fd56c544f4d3f03fae0c67aa974c5aebdab64ea11d40c7c2617b9d3664d39d42ca94f314d7069d974c8300035b501d37d55bbd52d78d4cfcab2ea886a685732f3a2e2683fe97b1da11b21dce654e5fba9dc527226d7c1b6149b63f27c489eb3ad183f06d1ce71ca2df5324f4a2082158d1905c328c35b5c5cc38e60eec085e7d86c6b9e0d181856ed08968627a00bd04fa63bd6fa1e995d903abdc76b6f727fe0b51f87721ba1f8943e043725f8213565ad1281eed856a3f5b7320066c05fa7dd7e1e8f87c1beeaaf20ea990a28debfe38ae440592ede139895f613100a99b2de0710505c123d28c280ab440fc264f51281c77e1bf685a12c12f3fc35765f9fc734f318d54f41dd9510d52af3baad403d5281792ad98b396ba3a3fcc61812ed729d877b541f5dede5d6c808ca93d74082a3cde16b615fda486cb7cbf20e045160c5f22c0b498066bd038da324f3db078964e626e023263cffe37b7e7b60689ba612c0d5c0b7377427ce241092c3342ae27f1263ebd1b1e9ac95ceaab495152db27bc30db4b3deba2d736d53fe660bc6758348d5bd643d1ff21aa4d8eb1e5dd4576729ee1e649e1dac96a3995bea6e742116c4c860f8924a8b85d5ebc2214082bab0d48a98626da328bd2fd787ddef88d16ae19ca23c65be3cd3452751ad669aacd2e6085042cfa3b299decc5e538985fe4c2607fb3e74be761d9c33dbaeed9259683a16054bf0022d253d0a2c94062a556ddd41c3220f8aa26cdbac4cff3df5e9b16dfabd6eeee4928636cd693e708c69edc1a5164213ecb0e35e1ebb90c1f202ae37d0ddba7f97b2df5b517e74bfa121a03fbcae3a85541f31895cba0e8d4aece5c935742f27211dc65e14f3311f26371afce2b9dd236d9be1918a5ddc9760d421a06fd455ab36a1ec95f45fc67892836e40e0869973a97d07fbc7cc5598ff7967fb78bf2871ee3b23f78b3dc109f7a0a9e940b5e01ab2a910992fe1ea9e1b8c601d9696d2c2c04fbdd5100c4436cd9bb0840d5de3beca66a72e1e981dc5b7f53d08eeb4ba8352c6d3597cd75d7da630d8a9d016f9906fee70614a2bd0c37a3b1dd3a813ad2708ec8a54b22bfce4433f6bea28fe6bfff5b96f3593da7c3bd3a863ed6503721cbebb9cf5e5c51bbf2170ddf1b7298b82778a98a946d7f2f14e838a3e2db7537ad67d5c276de11095e473da2c43d7635babbab6cb80d7ce1486e614c904fbe0082a74e46c8d07674ebaad6e6ee40f0f6882d4c1b3243d061e81b3be8640f207bb194453ea6c1e252d2a04a2031bd1342fe39369a897f26417d968759a5c3a06f030ad0abb20cba76d22646f9edbabe55561c1a6a262fb965cb00a618faa07fd544270dd212be31615708aaec4096858bc7f660e6899b52171e9396ebe48c12caddc3dc40b2c7493e43b3b3e12b642f1da857d6bac348b2521c50d5ab6b844b5074cf68209cd349a44f480ffe634a0b5f7b29ec26626d36c8f9f0413e6728b5c0f18a2e936cd71ba050d4e8a009f917920498200b457832ba65c0466d64209e93f35115955079a6178ef9ab982395c2c11e0f4099ff31cceb2ef4cbde0319fd77588d0e7b0f824ddf879e4b3668c370b7aba875080a97c455d287c0b591c52fdf3fb190b9f1c52ad92886f8563ac9305e47bfc9272a60ce0172fc83c82e0c640cbe2b2febb171ca215397998223886cf6b1f723657752f48e24a083d95130ac30673282fbb95a40abc93db075439772b5ae02412677ef88a76f9922b0ea85f038f6e5c0bf2c8502db3f5578a4f34d244d61ae4399bc7721d936da326b6d1deb4d005a964f6da05952cc27ee6ab7c985f67b05d8fb1eba7c2a5d154ae867d176386377073e2626b0a3a2b5f882144664a1675cfd107ceeb37620a4a4768b55a24dbf71ceb7d9ba4f0d1e734ae46fd3baa491da572a380d86ddbb40d6e5195e683350e6b58bbcbfff111f24b36d6de9d8fcd3ee8068b9b7450a190edd21869fe43ba26478d3655c53b76ddf67dc282a7d5657e93c252771f53fc1602ada31b000dec61c813f053c692c49b09e4805a5411fc76998e7f82d53128fb4e42ad2e288ee9e003dec36edc7e039fb87721a4126355db44eb43e89bc29c70526158563132349f441e7e85a415b48b9ba536efdc8ef722c7f4a3f52c78072c7ae1d6894bd27583259f6a577edf4007cd320252b73426a1bc5bd7e260625527340e90a369fca1e88d7eaba501cd43207028b7fec5d3d2ec35e90da793ecf3638a1dc0e26104264439cafd8c62df72ad385d0dbba724ba5962b92ff8b0c6c5ef31fb668ba242e74fafbf4fd81b1d526ca3e3a2f25bde45c3c0c17f9f387f90161631b9623aaca870281ec3fd45796de02aee61b9e32e9d3c370bd4b9816b977b34dccfcc6bd71a86d7e8c9ecd8884386cf94e70f4711eee06b68170d1279821148ea161031d9aacd6e4a769450ddab1dbeb4cee429a339713094884fa439968f9b01837492066e6ee6e3f7a6962e5b0bf5b60deb6c25be3121b6b47b65cb457cc82e95fd30a861ba11830bb09741b180c4ad2a5d58b6e1f7b97d1489a06129583552450d15cdb74ec177e18bfd2cf6202e883817dec4ecc60af4fda42f88c6d54b8ec1170255323ee838a16dc547d24afdd9429327371f0a8dd5926faa063d15c3ff3eec70873a53ce5983259ddd9944d5ed780eeb19f334cf61aaf7aab0feb70b3a50ca55d205b647a333daa962aaef9e37761fac411268412fedbf24b783a83783a3cbdecf15aa17a49789ba5352cc197bc9fb66b4f4cff97b79a25aa43c40f5213acd927c104a392724070e347bdd482fc8b3afff1882c3e9e5eaf5027e88efd72ebd37e3d9810e76ea4d7b2b079cfd5d942b59f774f221395b06fa92446db9a8d10de948977645221a7b1e3a564f614878fa1f2d2efb388105e0e1c03d0fc361cb42ec3296e5c68cdbe0f7b3f0d1cf56f667706ba90c2a15607d4e99ad588176ee795a135420e4797a91c9d404628a726ead95f9780a239c2dddd5cc745d2cd4629e659cba34a9e83d014eea0dfa57d641f6109728f6bf964bf397e304dd436680d1fb8d0280a37b06acb4edd16eefb339269e38ce4b9f454ac7c79cd634fd6f19e713c2955c234eac508ea754bc05354f5af089187863479d4840804284c780077c4e4df4a47f395384cfbd00e024a81386abd84fd11bb8c65c769e4a821f01820350487f309197e72b6462f29977519101ebc520008ce3306bb902964c69bd1a0002747e4ceaeb26239f3e1913f290a8182fd838f2de5c3f3ce4904baf398768aac3b9ea9d45af2556ce9cddfbb48255f4e615b3d77a4ecc802a9e338be342db986deeda8fe021cbf6ab9995931e8f624aaf084485e798f4e05d1f50dc81107f9f55f7a3998d3f4cc51f975d38fa4721bb55578473b1be71ed627832435cace367b3d7d5fa6e912249209e0323657b8e5fa6e8530d75911f36258bc32cfda0ca3b8bd067b67440a3101fa9d7c41e4002312e32dd1321c5be4656bbcd28ab4411bfd23aecd6d1f66d2b25e9d518623f8ee2964172c4061a20fe45be641c1a85727968b19e87844f936fbf217de8b985113e5462b0b0507f571be2e81b2a2d1b1d7fd1017f47a5146cfacf0bdebfc833b880b4f73477c8649d70d7db8f1e352d6e3a943012722a02533d61606d93cf024b18a9dc4cbe872b9a2a693d25cdc2d34f8dd8cfa6c25e648c37ab322b30e9776e359fe2e0fbb93b38b688fff75f3bef9d4b93368e89a7f204031ab35ec2250a1a9ebc84f2dc2a93203e955c97109ab59a1dfdfc4d5b009daf69916349f1aa530453d36cd4001fcf1e60d2dde684aa43f4d872fb193776f032e90a39ee4d9f5c5e602503ea9b42a22e88ec83f7049870ee77dde87776fb6ec6fd2064b6150efd3a3246fb21ac7d1df9f51e2ab7188ef3118a7f98d2263f0cc6e5dc171d43df53ac00b226fd2ddcdf075afc85567b47c37c34f0e9bed40f0ccfd5b347a4206f6c661e08e979e28f426cbd7b0180963fcfaff6ceb9aba3b12be95d2dd8bba3c658a41a12d4112e2ae05ed9dbabe27ca541059b61190cde566e56fe9d5bc69d2f53e52b52f8c023a58ec0453a417e84edf37760aa0e3fcbe6ef6ec7f4a203e9ffe3f7cd23cc395ce5e72ef8a3665298599da4de58a712388b4ff9eedb63484b92f0ba8033b1c3c7a9cd1dda07d4ef3d3485eb7232adecc421dbc5ca0a7860f5140c8e93d0b770f0d07bd09ff86b166f6e1efbb467c89d67da9f674e1039bce15bca3c33cf626c29257d4c397562b802c1e254fe1a2cf5803d9f571a83115e1c940d52b862d29657c75e32ec71af341af4998f37e129ed717e7fff26f4d45964cb4a04aa77ce0ce0a9bd53269170704f64811c3848e5b05bd8ec7d92974019f2c5ceb23648417da1cde22a2f0b91f4d62938c21ccba16b957dbe400dfb59949c01c68f59fe11d96d5dad7a39e6a875f3a84cc3b62cd230654812899f4118f136b896743c67de85f820745036a373c039175e1e8bfd363e535f49248059110a119a94a65eba95659964257a531bf1311b2ed28e834fda74222c3604c90c2305c8a4a2bb7b5513a9a60f5a924eb9f1c7acd4b15811da5f4128f2d48efb43573d3b6978bdb8495aa4b80afaddfc9aa74a57a6e5d82a201cbd6cb6d4e6dd9cbf545265d646385aee2d055f4bf039e879a6086088e5c5a37c1a1d47fa374d265fecd3775309a43bcbb520139d08ebaaebd8f1d5a9c1e282ef45084f60ba838b47957f4c9eb363336a923d69c2e18bcd4e68a8f5e74931cf1a67acbe84d8064628d5c429d5398443b8cf487485094c9341c4ec6f8dfb7043bcf5d87a2d833d818ac8e5501e5accafa6b4cfb7b4c00490d1af2106689d42f61382472419c17e1f6f278681cb6821600e645943be22f03c3b8dbf6290201767c763bc07bb1407aee28e507f03fdd18c1ffe29b0fc7b3f0a8ab7e3cc2c13558984ef80856e2286f0bdebc790dc7e7bde03bc271011dd226195ef86d91e57066f5b933007f4d9a96fe2f2ed4861761bdbf3d46739d4aeeeb28bfc98d8515878e637a25ed115060ab2597eba14ef2cc67d247cfa89288a2fb83ccf5af26317617cc9339fbf8adb192567dd24bc11dd8144ff087a758baa2fe6335a5751a18ccd8038facfccc0ed74ad1b6afca6489fac1465623f0af17149a58a33da6da90d1aae212a3db863abfe10ecb680367428634e409d9f85dd4414adf1da3d667c4693b26ff29dbc25475754bac474efc8aed58463b540394e48dd00143550bf53d823c2dba3d20783bc1e49d0d79f75e1fa2e293124c16971f50ab024d6369d42ca2ab3cc75463c3a8bbc580bc1708a40688b341f8d1004e5a4c60ab0e6f315bf686bb21c671b7034a236337bb77a1b7f6d01abc4f4f7558247f59aa10e11bfd6f4c5e65015f09d3eadbb11b854913b93ccad9c8feda1b96363bffc8a06536b7d00f725ce5d6fcf0823dd86e57838d3a02b50bc11813e8a8d8775c06fcf841a943c0d9e025bcf4f5c6946ef4a95b03d97d9e7bbbd3e5a1bcd0ad5fe4323db859c1e43282e82aa29324e97a9925dab3d675d48e663414ddac15f56e9e9de9c39f856bb528358dd003050df5c336116cc29ef8a0e449d5c609db104a5bd53ca5c28fa7dfffc1073d511448ef5e5d86f25f8e81bec9214285700c05f601ebd472d71623ddb2f19aeeeecaf7685890a3644f81f69c1788c3cfafc3f2c8df72cc7d927835e9eb666b129d663c425224778be8dd0d87a1665aad99334ee71c13b2a1a4b96d4c91f70fca27999e6e829017d25bdb870d5e479c6ed087db835c9ac10cd4ee956328c10731fdbfa647de841a72fe9e8ef0ae1e57d81ac3a8573667c41472ab68aac5f4189236436f758c35d07e590a01801626995a3fe4b1bc2dbd37e018610b01f5e0c1f6f11c7bd3f6cfd38bab2529b7795191bd2b36206d468ed501e44c8ca1219f300d8a5da74bec71e9aae07799baa6afdde68ba604712a69ac2c858e76fb309145a2d4e125e2010ba0a12ebd50ed3523b1b65465aea1939c036183313864d16dfdc9bf30ee13c16aee3cb45e4b08e78ce9f7c32f15d686fb670b29b9bd1c9b4064852325383d7526c1c9077fd17b244069fff72a363d86a7306dc96b1a3a42df87d3e85b18ebf4950a11c0469c015fdd0da7e97744a1bce5faebfefd86c4d5b2aa60178c4c5b3f74a266125ca1d65cf9c1558b4a2051554db67569855aafb720d65a233d26e012ad097c0b42c524fa146a70b7b59c1a856d51ceeda5696781762f6c441a95cc4177d0f01de33bd400d0fb582d2d1c44745b068a5cbb98859c4f4e823f680e8fc4c91b0f0399584eb93488d9e601baae47e4b293eda1517ae062a4d3ac1f14f81b856d85a9230a31cf15320272824009143ec4f96213f0d3d560c645db3edf47c66e4fd9d757c09f98e64aa9deb59f8cb1aa2d8dc11f13733e745cedfcd024d90c986829a9215aa16571066d6034709312b1cc8458ae5ed13d2c7dba13401a959a0d9a90fb4a2ae45c8465f8e0ed5119d7c908e228e3244ef2f9ccfb72e1df9c32604a496cf49a9d4d98815a2309542bce0cf234df48458d3dc70c5fbbc78d7376cdd99e53760cfc1612cd6f8e712442f3c54ead35788e561c0adf910956241faa9d40aca975b2c7ae1ee400f3209df2670384a5dfb24663950701f918d374fac88ece0429eaab46a4f3286945e7bf44f688de8dbb6b441d43d2c7be1c557746e318630c9def2168a079bde3b75ddb42b5526685e7b5250012900c241eee5636d8e8ca6f1f8bca6925661df17bfbab26d69c6f332663f9e13fc9f3d40785008bfd9b540e055bdaba231b5be79401424e42b8c4edb81f1d8a33ab13db4f8517729fb352fb41a99c94f5eee3d220c2e1ad319e6f1ec234aefb515a4d2428ce011384c505bc4173eb0bdbdcf18f2a88b76697996b73032a1135ddb11da5805b46c9528fd5fab4b1c46acda6c70389f204131ba63ba20a6db14fdb9de6b6caa65d19d8fed70ef4d179ee3429b1c9084ef7e005a4893faa2f3a8879597efb8c3f7bdd660a6a96028189a35d575d8d433825ca487e033789839963667a4e4ba66bc8d2f2ff04e9d081903e31ad437e73b96ffdb434e650b10756a3ded0e501fd4c2a1db985438368228926d00de93a523b32ca92df73262ab71067b974e85c5a8a8a70eff2ac73cc7eb1b216c7a3d9d6c233486fb02e42af56d5ba1cc7ee0707a8f95dd4b03e6d11c251eca065ad865d908e2cb063adb50e327d72f4bb33be11000aa81c8077467582d347e19b042cdac85bb3beb153c7dc54e7298038c9ee604f61c4feffc214955dcc76a7e41f7edaf0ef597b1f132ea9138301964b60db44a3879f21b53636ed34520ed44095c6a41cc035e3e0e0fff219206be7002524aae8ea29404feef63344cd8720fbb4a204e06b49e9583f49df470fc66a69b61955d0ab9c98221d56ad967fb07534eaddbdcbaebc9840ad3a615fd7ac48113e4dd498d9199bf4e18fc664ce05c2c3d0d9219a3e91213d2b2336af861e2ed206010ec735fb5960e39c10d6feb45ae1de2d441ace81f9cd8067df109bf585dd85bf2f4e081760d3bccc32d1be7634daaba664e3eaaeb03a35262237c2637cad8acc75b3c667147bd2cc40d89ba3d811acafbabd26e0448bb39ea96f631211d5700cb1da53594f13bf5823b70f0a45db205defa29ea47dc2ed7a34b2e7ff21babf6e03f1628f0ccd1a55d845a778f0791e819d2551b93d90d3f96a9c30a3682165be95a63044fae89d2172dd24fb48d98f50ac624e82c3acc2f120457aaa383ea134fe4baabed8bf52f3faa3b2dc6d326d400b59e4c642d3c428c45fe55b4d5beab5831be487ba6f4fa10bdb4d0bd5fada469bcb78debe24338bbf00ec475e41bf5d199d77a59b8bd42da5bf52e3768b5f493933927e795c976d20aa39642fa92d85990cedc181feb750e86f4fcda2c85bf9799e4cbd4c47246ed388749d461adba8f28f00a434f4be9e48ac5d937165e7dc07a87e594688a1fd84513f5518c16d0739452d16d2f0ff801c5b2279d9b4ae47cee523c30a7d566faef8722cd233e32706e8ff7254bc2fff3d869e8865cf411cfe921d13f2b982288755b79c3324382f81a7cd6d39b5d6497b3ee3123f6c4e3f86f159eef64db07a765907a53312c7ef9f0d264c8285c0574eecbb218e58bc7c24eda425ddebedfc077da54928ce0db1e393f8057c790ab25c166dba9ce3228ed24450c7689b6e41ba2c47350cfb1e852f86f5b92dac1a67d08c880d4312e3c33e84e761fedbd4b375b486bd4c2ca4b41ae5cf2aa197b34504a05aae991986ea5048c885022e3818b0c01b98dee1152f9152b8e7b22dd7ead3a18e366017f3fd43312122e25f17f44dceca8c657767f5a43da3d7b92a24b2d382069a37f6efb12108c627e45258de90b851a7565e74de95d7fd8496c74a88406d6fa6067dda480af196b0ad89e25236ffe91b35ef9bb7d0c5f9328ec586c30122f990ade0d3f2eca78812f9ed5380b8de50f5e7af78001ada4aa802b6a6d33185644c815370b6923db1a40e6f00f50936ebdddc4dc6c06d877db1f3f840c641aff595c3464faad7354c35955072744e8db9d5db02a2b83402894bb005bce11fdf278f0e9b4bcbe77d08b865f09d3bad4a37c14be547e10fe843bf2051cecf572790f4f0ba6cb00efeac12fe65bf77a5eafba80983ce0a0535cf83f551cf44f4fdccf192b928b0fb0a30760be6b996ebc0e9ed771f740c9bbbd7bdadb68cbcb4a0b14117c5c1a12936bc1d345197455d0de73544647b89be0ec947259ba3404de085f36fb257ed7de19449cbba351e11b40bb6c0e125ccd70b96caa46b282bfe94925b811ccca25f4e1e40ba30c20a14417811521be70d381abe5a02f86d6fdcdb582aa996f646e53d9d5526582554cca3b13680657b769e92b006603e6f3d7ba8be50ac1e6ac5528b9a6f6b7621c71cf94b29bafb75d052a4a386ea6c9aedb2329ff9422a4129a98ef180996080333b26855ba1d58bebd80ec98a3e2647eb27686bc51908616bcfb30e21ab0e4dd64cfc71b9c2fd6b50430703298c08181c8e12a4988c2b12a04f56fd371e64938a703b33d8edb13e5736f0c35e23264e892273cd2dff5be3b291821dd598826a01703b5efe6ebc7adb87f9615db4e7979be5b8bc804fcb4eccd18794cb765db45301697864d484e2e94035c94676a2a509c09feb6bcdb4df69fef92d782abb5f75f9c920f8d2e81270df0326d86adfe3968d1adcaf0841cd0916ff41a2ad5bd6fe282d82af891d748c1ee3c1341c71e065c23b4ab7b35aad856835425d8f4291a63d65c3f34048d53b8b4cbd2934f13a22ea158af9098dee6278dab79c743eec53cc032786a8ba2a5c03f437f3363f34b1b99f7307ae118c1d288ab2d8fa3f1c512113464713e0c8cef34c650219ecd48f86429234ff11a74386903d9879ff7d66aa48e8809a2ee447a3d9a1ae3ddb45b26997ca4173387c25d43fa9294ec061fbd359341912473cf29bd4423d266752c229012f4eb9da6d89d9330b60c2745f3c85e161c5041dd65401a10a891d45a1a851cd5a0b1dfd35ddf370acd42d2f3990c9aa8c638b42c07b25d5b6db2fb6781416ab0a38bd94893ba79c205a2a022440a37450201483cb8b18e046663e519c24dfae21f161e10af16eb22c8dee528ff21acdf10a99d9278590fe00e6c8b86d8f3bcfc044100dea358aaa8d7859f7fc4e646327dc14f19b267d3635b994e2adc92e242dd01c9f011099a0495e4c5b9400556bd6f46c2a882bb0d9901217697d97f9df64f3667ea61b5a8dbcd0783bb4f088d16c4c3075e2fae72917270514ed309849412aaadc588dd595593a0ebd0e81d9eef36c17ff2455349ecae85095ac89633f1f4d2173b20ca6a9f6ed4c733d9ebe9abaf14c242bb190dd5d9868da91ee4e2a79edf116be25aafed829eeb0cf12e384a548bd5c546cceb7cfd0fb7bb85c0397d78cbe6ff452fd42ab4e5d99b8e94f75aa79f5386f103409f9d542c19e0af95ff59fec624f9c13acacbcc4f2a49d8d5712f67643ca4a2737f9a330945b4f910639bfbf7943267ebe772aa2282d67595cc7932d227eca38b082f8573c8e8a6940122f1ee2fbb125bed9e3156be0d6f7b0d3b7ed912c1ff35bd465cf2dc1563c9f238a4e19aff160f2362055a810bafdbdd3a43b3bb9316818b7f0c2b25e9f0513cb76da1ed85bd49ec58b66f167b933bfd0e9e5d4385b820d888f79436fc8204df5a27da41d4de0e677c4276ce7cd9caa87332ee942a6580cac0fda2002c3e151ceba03f367b141cd76d797e6413b3637aa131cd55e62ff4cac1604336339a9aec619803a8229ab78e01d905c768cb638b1ead3fb6290273f7fd1b5b05ce1ea7ec4635462c149444069bb4aa2fd24eb5a25f9bdc2b7513d1e36c902669af56be86330f3ab20bdbbd40c26d3692525fa1e69c5017ff468fb3499a6e11a3d441364948527b65d2566580badfa7c7d32feba6126b2e96d13916c251734b18fbf8418a23598f8829ad220e8c3b75e1fdc242eaabc63769e40ef61d9ffd8c3384b89be02e4b2267043dbf59010e8bf01c2022defe0677545559209585a6d14bb95de6190ec89e7e4d2fccb6bd5eb0d43c533f64161cc06cfcd2671f98e2ea403e1ad009dedb1d4059d3314dc244b8e108b954e9dfe2fe6ed4fdb59f57beb8416d985776254ef746333f75886bbd413b43c279d1ade19a590b6c8756030b33ce5daccd585d25e8607093a1d2dcc45f34f1a7ba57010887f135126a1d8d296dc904c4e654717107ce8624f1647247ad2787e7a1030208d4818ef748aa407a28cc528bdd1aa2734f6d2f2aaa783f74099048cbabedd8abd97c7922e5f2e4e6e99867691f4594d89028681c03d29ea0ad84e1c17970e18786243aad1ccc3185813aeb1e25eee6936a79c1dfe668c7c28062b91a751512f0630f1a9f45eede84d76496b02155c0ec263276b146bed6ec54eeab246b2187d7db507d82dd1313a02ac64806556818f7b7bf730c05c924f373e5e019e81a5d9286b056db5ea059fd7a92d169e61c4781d0741c2eea0e45b6d523e4a995561472828cfe54180e8ffff44dbd58a1d3f978236f2709c3f3a879d9a0a81845309b3bca02c5f15e62d07ec48b7306c4a5f7404f031551e9c7870b8d817c784f87964ed6edee7aefc2c4c58dd0b222c402ab15b0f71c36755a8356418187b616ebc7e239786f9322a7939a79c7bee0b7e2131ec7ee00cd2981b78f16cbd72d0b7ed160f4153c39ff7072c50a4ceba047bc802c4991fff7edef396827d38a8cf4b24efe92b0f9851970d6d97654b3ff63bd679e664565801000be865caa84825643c0ff73076b9d83a83211f540e6ecae8e8b1760050daf81695e999228989ae1013e4061abbe7929a5c6a126f89e8bfa16557ff99afe16246fbed5ed96b30438e412cee635dd3cc47fa526f28e81dab2942eb2f0dfacbb1ac55d30d42090fcccb7f0b9e520418e195cd682ca17bb7822240bb87c13d6074f20b7895fdd44d7e09498f5af1400cae141764f5ceb29d3fe64c69d851a2d53f34b8015f0d1a32bf461e4356ebc53939c7865b714af2e451e6411a042aa0c0165ff6be2df6b7f6947c8eaab100cf06adab6ab25482b90cd818cffd92f7a3a3d9e71c81fec82348ca359c554adc88948a22e5952348a6f67a7a7359e6bc1dba3fd58e4d079bf205fdd4c69410aef784b8304e7a81ec413a3c7eb1c6117db137f601248dfa6e712506d9006013b9aa22a6bc2fedfc48d36be89c7a498ca237b94e1e1684713e01303a11d06b87f142a43f502e4964a8446e45a09d038f15ce713fb9b5c0a059da2ecfc4a7c0a036e5289de3e7588071c36f654d5bfa869682c47573e404a78ba21a3827fb69278d2ff34b7991e221c31473ae438266969cb42ead936f84b633184bf2a12e7591a836e3562734b7453be3a450fedea17a495b6279734f23f57bcb76385b9afdbb3089b5a74366e307e4272341f3f0929ae356eea3261b228b6c493d04517cbc6c71de51a00633745f09ea4f89f5e6f764bca0f0e9325749ae3bc4076436f896f06db550e5b80e36e9828afe831f05b312f0bac91dd4a93fe73f5f12f22995c0076441512efe2d7431c92876a0cedcc5fa33b829009a53b16a35f1a2b70c8c64759c3a89505b8cade9bd7df76c108ab6d0dd4944a44b3993130df06ad281af953406cea6abc2dad514aec8a516b7751dc0f010dd3e32cc817a09fb727f78326114427d145fd1def774307362bb9e7efb03d66e92394667f0bc8cf35802f06f70caf46f8076a7e5dfac9f50c475348c5d828b74e890abfa42fa4f4aaf6fcf097cf37e623df847dc7cc471334e98791622bff991fda8b2bcfce0db32a62d8a824b84dbef0403ba8a11f03d09882351bb550d0e471d8658079382793ca995a8393ce22af6d9b86f8dc993a02015eea651fcc0902eccafdc773b2ca0791e7a12c9b7b3e2f768758787fdc1a04b372ac12728b8ab081b384b7f2c3c5511f3ab3d2427a183c8434be53076f9112b6c1c2b6573209357795edfa89349dcc27acb33a49a64c7620275f3c6bb8055482ce98348c013e63dc5a8d04fd54386d4cf7e171889d76b12b7996d1fc9ca4d74e30ef9c2bf034cfccb33755650357561ad738c0a06ec467aaee2688fcc9801fb38f89ff4ff869865ae3a2c68863987cd20891df42d9368b311cb77047ab4bebeb0fdcac990127642d7b1dd4c8307678c6c7594e23eb0eeecdc773a95ddbff54ee1e9aff119e7380a9c97733f41440989fc2a51c74cfd44f29d45bb104dce651e8ca87449b3863e8c6f4c089283455f17597189a40c2d4a46d50f16bf7e2053c3bb126ba4649a0ad09a8e91a9126a0bde5089a77e939996fda8226bc0df3527a49be8913489e34273b175a32fdeb1bd1890a314c155e0d5e33c326d159116d3da4699d1e6b78b1f917fd61e32adfadf673a567e44502554376cc4d644819e6cfc759e5bdc13bd90941351ec1e8afebbf02cef9b5e385b3ed54d27bf23400db36dcebefe43dae4358b1ff91cfca3d9896bcdbaa7342805553f117014017c34022ce3d8ff3bb51ea345f24398f97e84af303e29302cded3908aa1a98fd4c0b47ac9480af48fe6141e802623de2a516ab34d50d1591fbb0e57b980447d52ece095ceff30b6ae49d8722d824940fd0b9c19158e5bb2f13c31e87c84b6288457f578aeb0d288ab6306bf48ee87cc13a05953f9f04595b7293f8a0ed45519a29a4f749401a244fd8ca2e0b484012aff425972d03a4322ce17b3d91b2c21026cc37ed2d30636f41182e50fa19218a9a9423290f1545963889a99828707065d1cf44e461692fc7ea7fdfb2d706fb7430281d6af5fa7b2c2827e9685d3e0f98163189b2a270c57540f7ecbb2b8332ccf526c1cd02d39016399a8a246370012c0d77cf921b554510367470e431be8e2c0ea450309d1abfaf1891320315bdf5f6361c3ccf8923f38ecef2f2acf5cbe17ffdf0a3615283cd514fa7b2c8fcc638eb3abc35266ec45f0c658a6547405f3adad038b73adb6571c25e342b28c83f8fa4dbbb1c95aca1359254204b374bf2d6102ac8bbe81e52344b4c65b52f39bc0281da9d395a834e3a037ae9e624927a647945be7a3d870be536991fbd1947efa3f1277cda877fe78ae8cd554553f496834b486b223962b448fda013fcd2ce5b1a9d828ca95f64b03c0fdc723a46a1d1698b06f86002c96a03a7a124193f8d692db772338a87a4b4839e74b65c00a374883295f15d5b4bbca2118aaf054aeefeaa14261693ff617c70ae71a24c734c60e1e456dd25b605c0cd396538d9c46b0dfbe264188b1ff7f6f06d70446a3b544accc7eee607ebc2482da96244a6dff1c837d3b3fedbda3e4e63a18efdeb1b7afc6808a57844cbe34a7ec24ee5dfb94857608af2a388da0918f5658da02e6f77fc791f3cc3f61f998f443850316943e1569bc36c3600587caef17d49adb7ad319be9f536e1486e2f9063cc0f3bdf51bca6c2399803c7c71d7a17402b36a6dfe17c73a3c1d13e7be065a2b9fc9063cd1c40090b80b7b2ad146fdcd3b3e07fe161a6d7ebc78821d8fe69198772707adb23e722f3b4abffb942e38e43707b422487dd7bcdaba7caa78b58e6a08feff3fdc36584bf0ecdee7a8bbf2bf339b8ffff64108944a8493f9304b702b9382b4a74e3bcd6b3a3abc1872f2588a7b934ebb0cb66723c1a7183811a7313289569bcc77953d2e2f968a8ba6c87bd6e914effd25334952d0a75bbeebdce54ad3c09125e9b7c186570650a6021285aa546cfda1167c6836f2f42d415f4c8c80df6bfb3341d7de2bf2b69838f338d0e032b52de5f0fc2d689c40f9762ec49f03124fc76a4737a7724a17c17a7228e9cc94664831fb0f77192625f4e933c9f4c7584565f6f1f71115f5eee76db2d15f7f6ea37c7afcff25023d43cafc0ff58bb2939791fa9ad6438a278f0e2a527287c847158951d45986068b22ee976c5282a27632d849a042bcea33a863f3a9f1631b405c543f89446a0dd1a2107513ed4acdc17269bbe4a8ebe0bc141a8944340b6ef3b6261fc465d47edbc13ae8af122dd39cbc2747919f91df46fa4f93835ae0197eef16a503bf19668d456c3e4671ea9480d9699eec10d48bb439e752d5b2e7cd65f888c5ebf7d507f42a62b0020ee61cfde1084351f53b8e787aa62cc0ce526485260eb077eda45d195235555d761367057d222d01747968a88afe9d5a15ffb8f3f0017e1a0db732c9ce637fae1a140dbbf161dcb6721826435eb3957bc21f4ca15a2b5d75b88805e1344fe106a615e5828438ba9065bb5cc69d4951c7ff0d5f4d6e116413597596f83c15f12458ae47bc040ba41b407c2087c79f606f0ec78455e0a0d760687df908479021fa031c03e44699260389d522184ccde2bc11ba860bc8717fd65126a7593e31a970d5cc8295fa64d95e369410c89abcce17e8f764da51df70c4695b6c9ac2a5c84811c5e8177d2ef3db5c0b09536c2c14f939311d3010d95fe0f4a41e0f4732179d46de7b4f1a9fd701b9631041b042d4a35a9961b04c9c15fab918fc3690b3b8d3f201dcba20f28545b51bd4f3a3dedc1ed84dfd7cf57a48604ac649100448e97a405fd2788415ea35db940f381974669234c4697ab99377591ea90b1b70a012e10843ffb89d8d6c3554e37bbc7a6c431ad787479ab06929b7bece589cbf14771666031faf14d9589cbbcbc0adbab688190d2542ad043507b49359a3457cb1d32964d51fc9bad791cf727d72e7efb543f359838aa761c09625298c1266e249ddd847c34d1d9dc30b5619db4e366769841bf79e14981f4b3832e43d2032b7312920998a6d97b39a7fb281538f15fdb64ebaac2d05456bbcb8374669dcac64e140024406f28f9accbd07cbd5603229d1774ca8b5d1327539643cd6373ed27b99f2e6d12e351ed7932eb48b995ff685243613b40b7fcbd1c6f6455e1ba9195fe2244e086dced7e594665834d67a83f7571e9c610dc5cb014a01e20be288399aca77757850c24b83fde46d94ad2286c29c61e1346cc925c64d055ad9b1fdcef2cfcab92d3e8cc5bcdd6b9d302677e29b5d6e8d151ef60fb092f36654ed958e113965a32e1be0340ee1ec79cdba9c01f9112c9549b1777af5184d4958775ea737d0bce9083f050fe01c51fbe18552b0af3411dce5a711bc2f01d764ccb0d48a4c598ddcc93e5a19a4c46778af04c5e7d217a137e81edf4e388bfbe7307a5bd7a61fb052d7af124bde91c0410c6982297a479d51bcca12bb0019a30f2d722e9f64d3424c192b4acb964f979bd1e600d88e4ab1dadd350886fd47589710f833219b4e6c48d89c23fcfac4a25250686f164674db5d7f259edeb044745bfc53e6c2b60ff4647add5cdf6bd84cba451c23397c6e6ed10eda000ee898f79d8691e3b2397b7053e21026e9184c93ba76aea5a0acceeda2062aba823f053eb6647a367c2a84d7aeece8977b259bc8cffa6326af0378cb996797959ac7863b0b23d8d50ca10cf235d849691408624da22dd333d9147bea937150d9b67809d30fca392212c4274a78df05572595879e922f8c5e8e41d5729a010cec5f4eab78fad2524a4198a541060c07e89a26c95a6d64a2624b8ce9130ad56157730c75b7eacd1fcf6573571fe5150ae8af7e0c70bdeb7ba99608e8ee3aeb2dc46a17ce827bd8f119b70ab86b4a644bcdbc217dfad9eba00e31d7ea081875dde28eb9b2fbe9bc2d14d3f88776206471b538ab6e4b3f305d8610942d5b9d194b0fd218cf1522f283ee9fd36e553fff43f9d8a2164d8336e58869d66f8e245f61dbf7b00e92f1d620c80583d01cf610d402a016a65d728cdffd2ed3492139bcb2b399c6267dd4b1839dc1797aed44ea29e31997acf4cfb9455e98a903ed26a1a16e30610dbc27542aa125a8de3418d2fd159693e4a70436421cbd6f32b46096d61507b889eef280c41b70c8a678a0b6e240fb403b2545b46e534353c53b8bb78382ddb27413b3e4c34a9a1c48d31b49db7137905e7198701fcf7e998434058d27c717b055703c6dbf06f6ef96c5b8784546682e7e4731809dd9ebcfacef5369439905481c642b544777b451883cdfc88729c1207af308523e578e1b96d833ea762cb6524f7d79b25ffdeae3d77a74c86417a622b06ae608f25c7de98448327508caf620faae5e7b6a0624b743b766c1825ed6bb5361e35a46370e7a5f2e9c1cafb3b2e48a025ac572a2b33dc7ad9c1618911e7112e1c3f1d5bc192fe84cfb1feb38cbb28e497a619cf897131a56d037c78b867df4c833d5facb4df496813b438d7f559bd29a0b7f6cbe474246e1a1482e513aa38158e855a6731ee8933fe0384b7c08827b47491e897bf54f45fa14d421988a40ff164086189c5e1507dc446c2291ea41646d3bd2923294a5e4fc140ae44c5d9e4ee8a0c9cc4e47cc6231c7c465a49514a6781983cadf729111b2fb5a52dec0cfa38ac9cdb792049e649212411ffb3636d864c12821a4cae63a7bee3ed225abc2c20c69f55cf506d3d11165a28cce2e74a42c43d721a9663554cfad7d43c5ec731bd499ff8a9cde0ebf5b2d44a3111788b73c1d116e1a2f95f17f920dd1e75f2130ca32b84c8236e19864c7e726ebaaed8635d347df758f8884284c3f18c3dae2ff11805fe906cf07a13fb63212be3c950fe69f539dff4f1e108c9210452d96fcf84427eb7c9b919063809d53fbc8176121550a6bf367ed99d6d8290a1c6413b4764b008e7c2225f83d6c9cb64351fa98fc276b6b283d453d4a20ae4182b825cee869a37dee50a1c65a4493ea20ec05e68c416965e43d16ed4402e7a90560e5d13aec2c88d70d3237cc9c697fdd309034e2566e8d1851af4c7180dcedb2578b94a770d4e1f89f3d4f1a40091605ead60133ff7a29fb53e59c988a8aabe9f5fcadbcd5ace0b00d791224a838f117490d09d84628e1773eed664b9f24b46e6432917cc08e5c68fd35c66e2469083a883aae9fa97d92b536660d5b0d2d2bffcc0e5a586d3ec5a35d5e14d1b79e55090ee4d5915e8deb660dbd12bf08003890e87a8ff6f340e58bac7aae4daca841c3f81220fe530a9a8d30d8593dff96b6e41a3a2a42e446df280d97d6e6d1f71442e816a2fef1ad9d8614353f4f0da36342caceef6030fc65377631dcbe85633cc1d754f769f4e8103c3592e8a8fb8dc23b5a8f863f759610d90325aa2c253b33260ee26118830ab604cc5c7832e0718a176770904b23dd862a7766b728b5ecfe7f9c98f001e34267138c45224c2e4bed63638925ead4c94677421f47cd604fef4f7e09a325d65876c0229e8ac520038acfd818b093a214e0747bdc52f95de043afa49a0af63de8af0033e470425d633c2ee54afdba089fd988bb0a381fc1afbafa2d41b2869b445f6f0992b3e37e35e11af682ffa92b5e1788451c7d6eec4da34aa87132cb1404afffbb416b2de0ba7a29231942eb310b561dc41171bd05e7bca28e08c15f152b2655b8951cff32100fd81dca16b37f5196a3561cd77e0640b6227e5fded500849a65869542695196a96958d44d3c91df65abcdc5f668454e898a53bbb0dc49e18a77c79dfb82562f57983ac258ad181187d929c59ae4ce96b4dc12ff6db7b68e05c46fb4b1d7d7f76eb7a56b8159a56030b7b553a067df186bd9684916665339ae838d30644ab509544f354f4390525e3083f35a6b262ea0e0ba600cfa06012f2c3123c74ed2d54b929b3b38417acb1ee04f3e83feb04b73692604e77efc35319a2c6d57a3c2a96c99aff7dafd87327cf56de81cb75b1c6f4d2a28ff5b45d20cd55675ac671c92a1bb087c3aedf25a716cad3581b09097e9f50263d1b8ec68c3c08d83d26d7feb30e689b0e8602e9ddbce83b3cc67d49d871a1ebcf25c75406ab7a46168dbe07f3fd19f9d0e56d116e50f46df34e2ef12925aa17c78d2a0472b6c95842603f5fffc33a3c47dfe95232909970f9e83cd796b723fafdcc0495ab5989b0f6915a88832d87eab015f9db41cc67cf64c73373b13b9460c9cd47542b59c664a9efb9bf4a254c669ef888bfc6313b2a9375d8986e83062319767c79a0962fce06b8d4b97b9b8472bf1581ee38859a398daf003bed4cb2f332c3a25bd32326d9561cf2dfc38d6ccb029d152c67ca8dd4cb525031198bc17b99b00d3e0a93c180c72e1d85ea63f2543d892fd59b2805032c8a5c5fcd6505fa286302adb0971a091a5c30df3d317db4d608cc08b424b7b98bbf12e2ea62b14ca626ffc73fd4ad81667afe5097fa210a1bb9c87d358f2fcc0ded7c72e22897910cfda6bd5c5e5ca884a61c2a98cbc7dbbbe6403ab9e4830a7f5e408ddbc9ec1ac85dd13c1497ec12d2c9db5de89438f0ac690409af159eeb7e7e71ce83e5557de89d660214e814c1138b5c4cde47d111a59d96554a7616a2b400641ea7d2da8811acbd26c87dbdb4fa5bab3b9dd806b258a4480d822e28cc27a505ce24c96ca4698a90eace94cc95849b2c7fa2d8c709ab586df85edeae7c035c8af4668123f16c68f248c7400360eb000da0d66e7f167fc2b5232102d2f73779910783e619f323edf942c85e4a318809a7b118f718c98e401fc49bc59b02390560e815dfa1bc2cb5dc1f2266fb9d33b7d9a9ac85522efc8eaa278696a32f5cec3cb5556a9ca0ffc006f93a9ae68a927fb6969e92b06b4fdc234dc42731a4b38daf8ac9f8f1f4f73aacdc76b2bcb021474d039c3454eaa0cb47aef8fcd328d94003a3df8a70081663bd1aa5295ba5793c7665bb9ddf265345bed4530956081f327c7572786f98aecf92091c13de5902f36063d1d21f12580afeffb761eea79d373341f2b1d2f48e6d49f3671bdf1f5d822d88fbbca41cba6355d2a73654215cc80eddbb373980d6f2ac89522543585bcd1bd519a2e7b2e9f518c889f26a96e6b3a86c23dc91988cfc3c65c950d0d9b00c231ca30868d908a5cc31c85297c7e08845850dcbfa5b9d209be2f7b29ee11f2bd5247572aaa44931e233d9b04bb6ef83e8f3256df0ebef09ccb4bb58177a5d7a62272947ceda2a2f95a2214fae1304eedf840b949ce8ce5289d3e4ee204bf0f46ceccc37adc80dc34360f12e7c386f443a37664d80fb0190827783968e49a3d7a0ab9df0948bc1eee0f299d4f55982e5bf589e433eec23f9f30b32afb1eabe2b6d15413a541b8eef0a4bed9f2e5db753713c2dbdfcd77029470397a374b17168951bd63ba27f5d8266f908f5f75d8dcf40b17e412a8cba20656acacbf777bca914dd158c58df1e6d57f70f78d7f758cfdbb3a7f42b095fa72be13637a764f291ff36343a9efa4cd4f9ce83e21d088eb5da57d60facc253a9809ad694f82c630d07f86dd4c5a5a3fb28fac1963e924d9a203ba59974070d3b8aa983dd1126c6ed34bf61a48470be943cedc78e4f5ee3ee81f61d434ae2b823625e006b81262cbcafe87b146e1b38de1725997fe0595151ec82bc7de3ca8dd9d275c7fcbbbff048edd6bcb87c7d89bbc8190e36c5eb25d09cf6163a91944bc8d81b8d705f87d9397c4dfb5eae7eb84747b732645475786db6370e433f4b562bbb810eaa5f5fa504571d7072a89da2c7d830006acc5df1750c64965633b8e31aad1c22649b609a0434fc4f5d677dd268f4c87410d416aa392e97557524f7aeb076741addc1eafab923bd95b70683045e96d34314ef449c25d3e1e8173f1d5796d860da62f16a9abc3ec6047a2c6735a97c37c12ac644f461eab32f9755ac9850848b2004ee9a5f696f39ee9d5c5e0c260414abee7407da6f59689c034d116cfaf9f63ea867ff5b170b34fe761c538874553ab0a83361be6241bda4757ffb4bd4c10ed83860ff85268651f557223d0c701dbc2603b3ab33d94c1344bda45b774660736125a1235597f7b64dd504cbb3e17b095b3b836476a8bd87e288377cd1422b2c9552a04569d54a826eac1b4d0ea98cbcaf7ae2ce93df4bbd6af17daa3e353f6bd69eb46035a2109a652ae1f5a7c40d36e117ce1e56496cd34f8e398b77c5742778360b8232174e7fc1a990a3d6b8fc6403392b893e7bf5517b829e86bc4b623e76c7d650ad3131aa1d8a869c9fce8fe156d1b08f39db6dad072f06d687ab143703c89282fe094ef04f88767419f05783f4080c475a3b2d172e0996bc0528173a4c53537699c9959d932afd99e666c98dd85ba0e6b5356ed144ab486ffd190f2bdfa8d4967ec65aaf827a1b23f674cf82a516daae99a5623bfb696e3f7897299199472a7a987898bdb7c92e62ffa43427f1b0748511e78e050998b7ccef263f7b64ec61a011268138ac40a3605ae867c49c85bbf1a7565806f052769916e11f54a96b2ad31771b5f875e77f0765f64e4d92ac79da30c29826d506bf3dce7fef9ab740af9757c2875831fdfcf1d2bf8ca68bccab73eff85e5cb300f4e6cf923a0b0e6288c08d958965d41420315e948b62994325c7d5a995d800514369a73cdaa245e2425a837ed7bd0a7eacd93f8c639857d7df4cbc2c90a4756470252480646261c5e2f7008de8b2de349cab0aac0b5a5f3b97ff9c6dab8da4d2385520cec793e0d9b64ba2e40b635b61027e197940d056a5fdc90859798a36e816b3747b0fff8793a12a0808ef40d957c77a557cabd5801d4f04e9e1d134b104da9b5df9aa72c059afdf9c1d1c8c8b15ec30314450f013a84e101252d435be1c4bef351bf74ffcfd7531283db85d6e129f731934ad35585d166ebc5384fab61a32f64dc669af6333cfdf723888e5fbd9c2731f49794ad64ab51640154a69d0697ade33fdec21f93c1215493a7abd08ce4df3805c5ee985f1212cafd942e45751ce5e668df052015db35b69e6440b02e256eb2db473cbca04009893e052274b340a24aea3a3dbce536a11640aac624e160856de20e4779b9d5f2162f5ef54356ccb48f67cda8222258c4520de17c9082b6ed813a0a02e75a158e0271091128252379a292db04498f928fbc24759b902bd5c30a3cc0ef40793dafb6525201d5a6003cc927cb6f828d383e8ce8f8f746fae9ec102177772ce71405504faee5137c385e949407030a8e83ecce66cf256afc930426404ae9c56c7ac1ee68a79a3c6cc52081a32c6367c82d7bee755014cb3e47d32aa71fe6b6fe7c8e1b7004d827eb396b1995eb4ee2737fac63cd15de6ba73c9c5b6abb278a7b53dc97ba1317b1f8f6764e49fa0f854b0d4489e55c1b8cbd6592454b4db830e7b37f41e021d1901c210256b1d5f3b0c699b586b2b3884254825dce42b5a3f9879d74a09b2675f7342fcd7e9182bf2da246decb6ec6bb37855ae19dd71ef73c547ed51eec6a6182a5b951614fe52e600c7fbec6f0edd9b813f2b77168cc6082c6845e52862ebdf2d72d280b1183e60c9ea8aeb895de7fe51e71b1e68adc70623c0d320567a0d2456a7f3bf8fd9bb685c74bcf349105e39c23a41af529a20d6d6a6b137266ff7393ec67cb4cd6404363007f1b427d5cb430b9e46a784b6084643cb87c1a0c889c2419e7fdb2c44e4cec50fb754fed38cc8a86ae3d805ea4ed88665580d2911070c0306630ee1adfbaf762cf665f7240e9f9daf02709981d509556b1f809c234087d30ecc96eabe644ec6de5aaa2c96e818e2d4353f6ee4582575b18feb7db59518ed901669cac04d537baa9f2084847f602db1368d2447f1a1e40b410db5f9d0b31536b414a7ddd3e0c17893574822c1a90a7136c2ca98ba1cfa11508fccb12618df8b53ca2aca58846b8689b9efc4d539e525d9a0a1a58fc9fe190bedd168b21d6b2d20018b332fe92bb005f3fe7e43055fb57017503ff82109b564d413ea22e09c09d46add02eeb9d00f92738e7028f9e69af72080cc680bca0b0356e947e315b30f5ae9143bae3129d7b45641204cf960d05f81e2a3c7b3301564cc5fed34b49c2e443d28862af7c0c5323e7a2b77b6c54358d703904a4277123bdce070d7d56befb71cb36fb8419c3d1a06e5ad60046c40416718d929c4268fb011aa7a2966cc8995ce8e13d27f5d7087ccbccbac5f9cb765cd057d48f508b9640ac1b5ff8eef95261b2cd5304652b843ef5387b29c996e5b08c98350d26bf97cb169654bd36b1a96a1d029c3c6769579cbbb05355b50f56837f574f9f10e32d0837c4714487ce1fdb2c8dda869fe6bf5c2da3d2c2a7319370d736aa6f5311911f4caa4966d60e4cb9515b31608f8f591d3d2e185b41fc770eae7931b0b2225e4bae67a5f467cb92bb838bf2d21e644f68cb4c146350cce1dc386eb41c1f1fcf80ac04e449391648fef5b9e0c1437fd08bdecbe26f6feddcda6d7495cf19e71fc589e6154a68d4208163b17c67a5a68d663a2bbb3d363a2974bc2bbb60c1d23febacf7f6fb192ec1b6dbc0da7eed3ede4bef53742c1d1b0619bb8dcfc58e4a58da0ddb3c7af660fc6577af12cbf11ff1f6b2ed0558d3df215bf9cf1ee95b17248e002a40f85ab560535c72dc227a0b6939958518e3ea7a049f596284f4987f670e771401e22fb675f22f842c875ab9d535517fbb74209b36f11faba7f8c654f69abccaaf03151272deedb474b787dc4606a278c5d90de97b7962ddfc0101a49856e85090a554f7381aba540278691abdfd48fbbb4346c4669dd6dc8892b4af232c7f566eeb1523ccf9906a6d46d8207f0e68913539449118be01f53cf05c9acd11ca80faeb300d3489aa9b6033cf130f58ad8b76b4b41846288d2a31380855dcfbfbb95d166d2ce8bbb7770ecdfd3c17a3fdb0c68d081e27e0e1173b0e80448ba44ac29fbdef015fd9a21d3c4bd2e16e3f7cc457a9cf2bed6c9e7c54393d15ddc0fdbf6b5b16ce50ec92f55438ad2db792e9d72a87bd5eccd2e1ee0e1f8b750d84e0371b84ab84d6ed81968a7acba1fb32db32d9fbaea613464a03137c12f1f98250b078aa6d72fde8bf73b00d244b92ecd237f4789afac3fe7723c19b761ea85d9cf636fb8ab754987bff19646a584154063ca645b5aa7ab8710af4125c9623f5c1b940431265a0922ab0622778730b50d05218151ca993a4303bd9c0576940cbb8b1f70b48914a69193355cb80b6b70b40e2db3ce7a81be303dc4c12552e5fbdbf527fdd7f47d3cab480fc509d57bda7470f1daee34e0820296c942eedccbdc4a8e2faffa4511c1c9ac1d97e8d51cf696f2c320eabccdccc4e37ed5632f1a6f726920fbf7defac511e1be4f9e0ca7b18ecb9fca1963f420d174d56150aec196489e0d243b67f15a792bb6dfc5e69c0fcd7546438a0b29d927a505c18c5237b090e18adcf5baa0b8bf65dcf059c03e8ac7055094b898ecef7b8de5d0c2449d9931613304f2efb4e1f7154453ba6e0573de2b4d921768f56adfb00f3b2e4d167b868081fd5fc2b9daa3c9e914fcc31cb74747d2e60de4957c03ed2a9297b6f0ec81b80562e288f888158a4f2609d9e6fe2447d8a04f5c30bad4616345670190ca05cd0882f3320c2d6380554b52d132ba7b97a96c6a2e6e4aaa73c13b000c0843dfdb6fb32d1b048998b97b26c4f6ddb2556de1c3f91bc0f1d12d7b235185b639aea6918621bdf568767ae6bbd69414a53839d46c4d8c4183a7b4f54ed4fbcc676d14ad06ace7ffafa84261b535222901615506ddb62dd60f6becdc9ee40ea0d0bbe7612533aff8c3fb0b79c2ef93363f8cd66c17cfb4917aa074b970c1a79c4e56bdbb11f1ad97b61ed0c160a39dcdcc36b419aeeaefacd300e8073d0b1b4643874fe3985a54c7cd843857abe53e00442ea4203ce7b0f71e8ae501ba340c6b41c24ed279cd3dc321734eedfcd750e5be1ff10f8f029ec8effa41a40687e45fb0cd87a7915bb495c86ac607b9eafb16d12dd02163ddaaed934e02d18b04b5009ed61f9bea82b42780f5a0a638c240c11558f16cc18dc645478d464570ad58f3994d64de964d0dc25295067a232ebcf67a37cc5a5000a37c35963b3c1c0ebc9ff09a5037bc60bac8fccbb789ff1450d630d86eef8b3b9d7a02466185509200fe739f90f50112c7efafab7974b573f10537d37f185bd1f17cbda779d0dce20a02b8a8bdd253f6ca79b35c6ec4577d79691b09f687d485f5de692ae432121f7524166a33e84506ec3a15fec7c7cd23a72b03c8dd937da3743dff7289f9d3fe1cfe9135a97115f78879a68457e55b7a7287225722d38b02aa2d4eaf591fa04174fa272f5306027eb780bff53e956e649d682dec1b19cefa412f758869f135f70166ad61bfcd71268775916d2717ce4e217c57e6a8f5a9df18302b7e10333dffb33d42dd5e544f5a765e5ad1dc6c5f5a845717d126152df28db896c4085be134cf86fc37304f5d921cd0dfb5fb869eed41771b9843cc91dacef563608ce29a0b2c94a61c48221c96401702bbb1985a476fb353d17154ee1cd3b9c0cd16acd63b3a2aa3de75053a19d769e3388e25a77106af3af27d2a1fe0484e216851ad994339d0d62fa6fd34bc75a576bb9c9967443886956b61019e72eceba602cb66abdbc477d6fb3a02c72d9c3828faec4cd977345c8b7791b140ca99032a2b3dc8a70316b0ede00244d528aa603c1f60b9c34e1f3120db3901e0e21b8a8197fc7ba079bae0ff7dcfa36413c21ea3add015e6640745855181fca5322d9600766ed15bcaa9734ea6b912b2e79239a36a6c1d0a9ee5715d43eced66ee1356589c75d2f443aa4514af88b760e28846235cdbb236dc5ba0a4cc58a41d087fb01ee287768b43fdd04d2b342e4f55f25feb0406c5b4dacc41eda78909afe2db87a449013235b34af900c8b017a1fbdf365ed73749db9331a4527038d515ed961cf01e64aa34640107499b2a298acaa93509d8f250b1ea197ab9351f2238c22687ebe830ed2b7832bc162660622456628c872f7780da9cd10c5b560385e4c89a59dfa2cbb93ed379ecf54949f5b80b444c6f88ef9546206c21cad477e6cacaf7138b104182c94862359b54b38e18dd1c3179496fc9af47a4bea9dd013d46e841c1813da7b4140362a87b3ed2a7f43dabd42a585bca5bce51dbca618a34256d04d0e8fc8a1c6e8f890c90a049ef5c2e6ec35b9731e44781bbd8212fb947b1b2020dde9d5e01b93842f9026499d9caa48e111d460a55b4bcc045b6e620ee0d67862dce0b3744b568180f2f4c0bd8542631366970b5609cca0a52da26ddde0a3fb4660a5723288e9b1a3ddb92cf966722ce75d2eb94f39775db1c9f8d67bbf449c00ca586cb8c5bee8ecf96f1672bc878e93933ad808b349b3b969d978b4e7f08102349adcc5dbc04b784dac05b4dafbc227d826dd8732a4582b4df626369d5f04975b4b12688e87ff1325171d1ac9340707dcf27b9b8c701cef7a0fc6651f0f5b8b23444b00b9563cf7ba9d3dfd85ae3107abc6d7a712b485fee201ce013728d30d5ff682102cd628f4fcbdca65f6cdfcd30f049b65d5a7db0b9d7d9a23ac177a8e06b5802e26df262ab55e0d31d6b83c0b5abaea33475c08dd85a94514f0be84a8e878c1756106e300eec6008e3c59fa129982a1841d3aae965430c2972b6677c99d2ef43a9b4470f2ef262de3eb09285d7c2d6196a04da4bcefa3436ec9ee6d2dd586a52204785561847d3bba701e699bb10ac4c706718206c671ffb070e94008d8244efb63e7f943c5f4daf2d4a4e4e7f0a80e797e0fda919f51395612b35d9229be7181cd73b4ccc40098bee247f25435ea701e862f1faba7760a40a7ec9c85c660014e52109bde52e015e8aa853723fe1bbc59a9876601ac1bd69b4a0e53cf02d8826b954952545276a02a82eb6d9905eeefd672329945a2433b3712a63f3585141cc8f95bcb34c0e9b67bb07eda92239cb11b22a02b11c88672e2a05bd4541e34352b737d86909072d3c458cb7bc64e6e34673247249fa7066a43e50ca708a26123676c16ca78a059ceb7591153ad82104c39b3b601f205ebbba9fe0c290546520e7c29247d34e23940e01811cf7f01352b016ed17db1cfe68b1b91e981457b647f101e87f175fa872e85f2d4fca6a0e37b57c8048d26e532d1ba95cfeb448c63da96632fb2b84bcb4ba0c93f9abac0e20eaaf92b257ec49a7b58027f47bdada1a335dc6e1b181abde9c6c8358030c09e69b49705c905b7ca95fdd92c886cbedae09819f5ffb4adb2cfb0970c362bf6df5fb40fed75a04b79ac3d898683c8e518567d5e7246be5cc05e046b19ae1b2800afa939164b4543874ed58a0b0afed66e9d6b715e97e5af0584f890d1627f1bf6dc48e0f97c68915f740aec2bd8dbbcd07f613d5a3c205c716c6010e2e0b60d3ec7f80f482167f53b7c7bcfd3a05962033e7218d9e1b751121d91623b1783bf318655d8320202dd274d319e9cbab8f7c3aa8d0851d16c77d075c7758cfc1ac71de99d4acc1d46a5bd1e5aeb6a9d9ad4951d169b38f67d4d1315bdc4be2c6872eef97ae407eba15b8f3a148f376c6f40660513234e8ca9fb0055ec776c1bf8c77269a9a65f75e2891a6d5aaf083d58550e9acc9b91498ef992bd69a1bd137914cc545fa7f4879e06e709e264f49f5fea67612d28c4ba39a0e3378f847cdbb8b35536ddad7d1eed35660005f1079f747c294f02b9d5f59d265970f95bc22f081a92c747f2d860440085a1ce07e4a165589d617292324dcfdf3189f6f65ac5decaaba7f293d69fde6398a97f074f1766cb2907c053da7ce251abb62df9aa66c4f6141e611243eba93dc3f5bdec369036b8f55cf9d25fc29275b1eba5fc1a6208272c2adcd42df07873e2135ad41d949e7bea8556b31544be9f7475776b3e181faa20ced0cc9d2bfc6808bc14c9edc373ba816a239f623bcddb9b6f52265eb66ea56b6873e4a0ff5c90871ce7d5f8b1965d4783873098d57069b89f602eacaede3bd06562d129b72ec0cb4d53388d02a0dcee63b78e59add36a5187d221feaf6042f9115a584e427ed41c3c3a0fcc398959568a134bc89638aa1f2cc93a71385f13e5dde60882daac67bb564925e32eede3fb2ae13cf18d0ef7cf3639db3d109845b752716007d399488c6e127d7922abf621290665d995fb9ec29d1498b56b40667ad240d79e1fc06a9f81413904a83c32937f90bfaa299aafc1bb858f4fb6ab2c953e3cf34fc853f1eabbd8d1d5f61ed9a68d6737104d4deae043243cb4d4a2dd42e3949ed57d3af91cf0444b0c987a23e993e7aaad547c0e869a1e4fe17182a440d64355a16419f529cd0eeee117ae3150f871c5b60d772c064e9173d11279b447e4ce544ede7b2d87128bcbcc46837359e6019ac8a60541d688111165f5748ed56948be7afa0862a466160a8d6eefc7470d35a8e5f83e7f2a08b3a62ac501fbc2003173c0ab20531879dcd278ca8d6dadb279775110d33f2525f806395c42ba375ad2d6c49093f500b29a2e7a9cfaffa6e57b351a41747d7f1cf38e5931d6002dfed68383c6cb629fc78e1c3729e769b67d8b15cc3c4619da98dc03680cc3cffada726820ef2a20508fc26a31b40e498e07d06f411ea7857ae1b13297b3c1ca8199213ed7efb1e6935f4a73541a9fcbe403376f1ab8cee6b049eaeeb1d08f8e414ba52a9656914003438755df172a78013aa9a31833dacae0cec92951e93fda5c2ccd9eb62e8159406023ae08708e64399d98e3980d7defa2ff7ecae3ecf1a3412ab39ec6c40f0dfdeb51fed4d8b0f6f9f908aafa48d6a4d2f68d75c0fc135b30bbf1d5a84189c59b12deab58c122487f4a30c9483115d8f379a8888156055dd30f83a22f7fd19e8c795e8508d939311eeee92b8497fae57dd3d398dddadff411003dc978991690b9b92bbfc8e28b2c8a41499f1abb71ea8e68020055973ccc479c860eef79a4016f23bec03256efbefadc1763f62ee6fa568a6b007ac9f9c69b0068d743da6734f38d5f2b5542aae2f387fefbd3d38e7383a8f7ffdf94811a9e24dad68eda226d67f182ee97ee03230ed10b5054300553fc89d3d70b8b44bfb63e2df86b6c25c486b9a09f2070c3e667c464deec0419619c649dd782aa4dd048ce3c6e60d3069ae0e74a8a635e0fdb3628d561f243d395a81c3a336f577cf0cc3d4faa0f143dff71e0e56e8d6e2e6353a180a8e31f6e8f142d86b0bdd1756a2d4d9e7fa7c35e9deb7e4574cf04c95f44d5aa4b4934c1a7269d8ac37b7d680f9a66ac63268cfa9f4b94dd6107cda2270146a822c1b61841996c605584c9de4e2cbbb40a4a3a0f89636a3b7acae205ea7fc114d71ec2b8c927682af71d74112618ccb3dcf48a23e7acf0b8e59d75c9a0ab17358219b757e650e71cb85c2b43d7e0c90b81c29e352d3b11c52f29c7fe37972a39a712d4f4fc0544f5ebfb5bbdfdfe803a2b407e5056e3bff3048b1ad4d2c786ae6e1712f1a0a538ec3852e13b457f88023bcd9deaadc0e6d8f2f2227632d47f3d57262eb9b6e3cad6fb5af2ed5126dc536bb78483d7d92f711a4a9acf7e2b76e067dee9df1ece3b0a3758cc498a90214037d66478aff037dc8f214b36af08c630378c25b3019c6a492960c1a80b8af87370105942be92789b5f9c2b736108a311a7abfc31cc96d90a9e5d1a28d2e2f31c51644b7cb4537817b816a7125d985d85fd3b601302030cf3bcd1d040d8f902644457ef61444285ee32d157a5301501f73774ee6fa1bb7f8996c07c69dba0e8e0ae1c2f4810a07ba6e49be858cd182a69253d3388c4963d121ac6659345d41d382920b6d66420c3052742eb19b8da15e430592678a7e14ebf6ece85e070d22f5ef1497e46e52d0463417bfdc32ecc7d83d60f5c116d56b8e6b787743c1556af55cc32499c21a866b96ee95d15fb22312da89cbdd88060ad067da68e5985bc596f4bd303ae65d76eda2aa71bb2b04ef4ff2c3bf0c515138e0f5f396f1c7e7d4434910a93bf94e8e7f4ac87709ddf345f5966b4e3efeadbcdab0bb6191c409f574d20bbe9fba2ad7b47970d8b7e7c74639b0070d3da91e2d928d58a8c113fab36dd2cc19afdfe814880c3c09a3085ada44ead79189787e2cd4969b039664097c2651ec46e8ebb3698e0916362a36b22490ba2643570e27d00d02bae7a368589cd35b3604dbdec2fd1b7dcfdcb501207e9f557ebd980fdcc4abb239b541232858ef2d9bb7d0e25989a345de398258c8708b278a9a06596cc49bdc06dbed4a4f8d8ff4574448a4c7e1be70f7e85acd340905668a12646a1669d52b4c9a75b137c5d5d6d26ed14bc3f54b292977a61210c6ac8865dc5a3549dc4a72d0be26031395130cdca259d85fbec800281b0a1f1fdbb9b5bc0c44aa35ebfe24f9e75c1c3bb87cb11eb37bac91a4de8f6a5869748b67fbf2b0a9a07c9ddb7b39f6356160e9db49a7264e982cbc9be684920c03b1905dc6d6952759b9a68ca71e18468a6ba7d21155e07bcd72a007e2de595239b6ee4a869111af53b249440373eab8c34865f3f9a6feee1e9c45a94b8e7d2c0d8cee30ecb7014734fc0f8228d88ad3da449156b2d4d474c1dc383ba7d8c7a418427347dc566c72a1fc9a42230f4d94c73c67468b6cfa7f1b10512732d59a8c58bedce61fe3d79fd0920899136ae7512cb81f178b9771f778b66656cc4949fe2603629618eb6949f94f50affc2801878eb33516b5b1105a4abd0590005222acf112dafbd274029dc92f33de2a40777bdc5f8a05387cea45ce5f209182dccadb470e4f5e93067cec4b71b7621ca8e84ff0b53a125ca922fb8ffdf38b8e25bbb160764039ce1d5622afe9559d91ea2b83d3fb95e3a6d78fc120984815d77f9522147da1ad688c942f6a7b3f7ac89e3feb1633ac631c824fa1597e8a0dcd745c92a08a8eafa3f0a42c873cc9d836a4273e4008305c03b8c0b1171d10979e64e23ddc352ee6418a766ded4ff90cc242dc6e0821be9999b8ad456e6556285b394577db8950f800b1b0418d32e06e39fdbd3de4b15bb03155e8a36ea38f2416d337ac525d36ae7d0a5509f7557b1218f60e8b114e6c41c3a4934a2c42c903e5ca5183e04733c03e305b26a3b781a16c073e0ff730a06af039c84b329110f25f1238d24910688f6bb28f5ebfe4c8f5bccf67409c8ed4252575754e380f77028b36208e62018be69ac2858d30c9da3dfe5ed3d1c4841b6346aacfa00b0fa81d9dc9f525a2e3c74f9952d3c46b5684464ad156e13e50362e5e77401fdbfc100dfa22f6995fa1aba855dd2bf02df75a0537b3b9ce038a55d846da4f4c4933c8b06cd8b03affd065f722a8e02a6acda9c7b5b6bb6ca98407404c320633d08d47dbdb2b951624f66c352abb57f0f7a7b959ac45f218c0417d5aaf0f9fdeedc2ec3bfca719cacac2e24867429d1daf7e35b80ca1b711f0f3b3e983417f16e62f9122ead0aa16cd948638a820274536c694fc03336f28c0479dcf3d38bf664704eeb477068396ced416b04ec7c9a8dd4b2a246d4673559a5827f426edaa0805164b854f06cd9d440f24ed009ebf6e9d98bf632a9ccdaf41a71831a7bb1cd04a3659ea80110bc4f4af7fedd7494888df4eedc26e1535d1852ce90fcc83a8a2239bf8071305acadff8dbec924db638b81836e2ca6d272f75e99b3f85188d8bbfe1172e82ae3752a3443c423e5acfcff25aec15a9a886c842685c40cdeb27a10c2b2d381374ad8dfea4b217fccd05160af1ff8107a1b06bb49c15978c77a6cb17f81a576ddf8e892935ee1214b433c270ba7ab12e013e569c2fb2ee60127f3b43ac005c41cfeef83472fe9f57409af5c66df3c5365b74eb2388c2e2ff1457585ba8ceef02558bb4ab2214f9e70ed7a3ca9376318a2344478481a845816277b384c5c7f40f794e2c5b2c106a4fe7be7a16d7038548b4d91eeeba040e89193e8ebb1669c953d8c20ade675675661f2e1c097cbd7c5e1be210305950a7017af947b19e0413ce496f78ef1edbc54c25bd25886ec81b4d68a46492cc3a2e43e9a29ab8b0885f962c760e4f8da705ecad7060975c84f71470ec539ae4fb71aceb55d07fecdcc6f149fbe0f67fdd56d5fb276e56746f91e529e3c072010698ff71ce02d6ccf1df24370b4665cf579af55e37a8aa8d986dd3a97b6ec2cf92737fb9a8f856ac45807eb905ed54a28e2419ef1526e71d487bb7ac85b89075e6026277a3d8fe9bebb178efacd63b894b158eb59467d2d63e68b3617717b8c2f7bee9e10bc580f85735fcfcc0f0f4b2a62eb9aa3351aa682147be2beb6d3c976aa99e66d92cdd10ea3133535545f7371e8f908b8e91fa25652afd89cb4e0f58434948f116928c576805edc7554efd71c554947e14871c64404ae8357fc81d719d1d3427c63d77ec271c0cb94279a4851b0a372fe08b7343a6bb0863076a28c111c1819d7b7404fdfb2df9242d3b9e92e3d9e54074e2c56ec902a745a71433c50fd91e108549a716f5e1c23ff4c2b94eee99e5b6a9871b0dafbc4d4c668130010fdcb383e9f689c2bb1b1b0afb1fb3fe12d1cd4e889b5243c2ef2805814756b0e35c104090215114555cef6439845c438de3cf688daec9fe1cf353285b61735121d78d3481ab5fec2dac4841eaa04da6d40c731da37b80faaa85373b525d1fa6a1074139e677feaac46216ac231fe03a36c1e9395c9f9ad0d6208da73e79ceba1a1ea4e8e3e93ac914687f883e767024522b581f95e0250388f329310ed9d0a5b746b60b31994de35850c43662daf52edbed05f2a1dc157a726fd0e5d73034a993a42476bd9ca2dc0dfa93ca6ee6d27e3677e1afba84f1c17a5949db355d94ee39e553df882680c982974c17bd96330e8b5cffdb350db87032424966a4868ff37c328288506238a46c45e9c35ab60fd807fb8923e381530db9cf8b085e9604ae6fbfbd221f08882f09b43824e578c63406b85737aee796c1a63b86d325ac8663db8c549e6b647abbdd402b5e6fc031caeb1736c4dc2b38f85a0055c3b0ad70e01953c51c15fa28c57a293e3c28a7ffaecbbaf6565fcd9446257c0f9c64b495c63c99398d115b3b86824e103a7d790319cfa8d3384fb6bf7832c8c9f7a0f63967e23c0c63e515d97c3985f0e921028c76d471f1ea5ddc016e2b177bafa49e7160d87a54de1f7eedffaca5c2262bce6852382430b307b8c107060b835e197e3e15c87f69f74246db59c767219e2932cf5a42cd646766a48bc0146acccbe0db08d12cbf83c518adfadf8c3efb8ce0480babfeb4616313c3a5de5f75a9f02e8277209a88990598e77f4e3ab2f4b943fc28e78755ff3105e4765132b1fadf38183ed60e24c8dc8155fd8ba2687b7a96dffb74fdc143fe26877129772a8d92df9fc240a69e9a20bb66eef414760b51e263ab82b2e7a24eb7683debb4a32ebf847f57e20adbfb8678b1e2eaa315e14921c1f822aa0c01c63bdb595779d5766b9bf1ca25f15ddc54e3aea3ed247a0ab497ed9d0d735559b0df6510830171c0434641a92e7e15aad7615b86c6d042c39fce84d8a822c1b3b17eb94fc31f394d01a0f9898271dc0c139c4182d66f8694c2d589a29040209effd7674a644cf1993077f9d886a0f9d99501b388e411d8a02ea6d50ae4be31b224a22e276c4f5d24d3bc14f19f50232a1fffb5a0b3d8f34017d60001ae987b38538989a9f9a8838d2a16d8eb62cdda34885785aef8e97ec8b8756c27c9320d00feea3ac530ceeccf1f0126d377a6804993605e2bdd6f60eee748ee77c93c30c27ea20e74a8c4a07e69e7e7111b416f0ac2563f9746a0edc814384ab35d9b6213a96d0e73892529e907f6a725d3afffab6d2bb6963798a533e62cccbbb63d2722b9801ca7fdee7a3eba6208cdb76139716eaa082b8aad3fade9ea46f074e9746c0aa5f6a2ac43e0df2853644b15415b4fc50cba3fd1113073cb7ba313582a44145bca5cbab59e397d34b90ef184cc4d848414b1e483e93cdbba330370acf791e436720221b3fb8c8745cd1836e25e1310d1a38f2dd41111844fa224672ac380d632d8c0bda7be5c5259951515c92d02727a9a64e37160ca21b75de5322e3031429b2de246c262b64aa8937d3d5389b5d219abe41a526fc979af670dd1d12c08e35c57063d8a5218501c69c00f1152d5355b65215dae5bb959c26610ce997141a10fa7cd91caf89acc012d7621c282643e94ff6b9916f1a0a37fe6f11b2294f2fdd1f49cdf0e6225371385ee0d6255d848dd206f11bb74f9cb201d0d8b809f048829d6e7f3df2edbff32694129fb4fe4fbe4bc87e145c2242900ea4b86f62143228ba06611b9a7889b0fbc46c904b60799f80a6d49df2fa9ee1522561b65da25fd64ea2435e6f4aa7f21fcdc32eec2a2694592f8c8f2f5bf2b56caa5c158a411c48f8af3524d0d5e1325492ba7d806d09473745b962d2d531f27e237a556eacc014ae2e4c83062f9fb99b0356bd32709c7444eb5c6579a03e5f07e9d61fc843bda7447d35069b0939d35c359ac22f55628e212f7b9167d922f271c6a6fa78d8a29bee50f1a0532e9e36f9b51729c73a6caf89555c57a48c052426d544053cf826228cfc59c6703c0c0a5a5ba69c2a2dd855d301f7a4f6e500d7f01fdb749921856eaec9417d55cf262b3082f29ccefa9c6de696d2e94cdf6ef377d1d9ec55d628d68f23010076eab2c20a70f1f35f5ccb14d41379daa5fda6ec7dc77fc062cd8c11a14b26b37596d63501ef00e7d9e4c94a76c15afe225a2936968ec501b632fad0e3c34a50cd2d4e77fba16bb03b4f3d7d049cac5637d812a8ec95c84d11c1b2b5ecf2e103566ab88d835d3bc72a36e5116fbc668b26c3db42e9d21e263650c4039466f69c2e42248b209b47fc00f950d7e0374a7627b35e33f5a2a8370a2cc8900a3cf9e7873d0ecc53c32349ca9ff05c323c8807bd054a04055cd7fa3ceb641f7dbdc1827309268e6c0aba7c908a19b0e0ce9180b317c7027b2778c95cb853adc636eaacd67bf6d7740100f091fc874bc0c4943728eb5b4c8c4d6c89a0e90b96eabfa38262e99f81cad9edf20299bf78dd48c4602a8122b1311c331b427f29ea5ea214500d096eef4b5ead952df75b5e189266edf30258e815ea970ad8227756a8f60f5debd25d5fcab92e8a0ff5e1369961d796730fcd4d2cb400cdc46d67e77365b846ceb1991e6d492603ad9b61336cc180e40de55c1aa2e51399698a1d23b3b31ac5d5cec5fb10bcf10a506ce52d2320f615f810f781358ca0d23d2d324977156c1b5c18e5a2c6a02028a40373ffd5c3afccccb92f7cefde2891e69aa49e7a8ecf8e275cbed5176c0a1a7ad96fa8faca234b32b1683e78321a82c05e316e2e15d52c89fcfb233815e9981ecf3684dd41d84286097e78ae1afb89c94488659cb274f765c72244f1936733c40d8894fc3717580e681dc6571edf1aea38cc4c65270f44ac368b7d1cd7a86d491ad50cec56470b451dd16f0f26d336c6b355fa176a1fbcad193d996b1877660574805dfd8bdf4c2d5ad5d521a4a5745028dc7069aa724e8135d1c7ce1ea7601a9f824c0aed405e3475ae16e5ed1998d139bd028e9375068ae42a6df9b3dced7e22c493f50ea13d200f056c79e5cea73d4b3dd8e07d81b3433698f322913cdc117a9a46d6236b93f36eb1c2388eed31fa56c960e2b6c706378536a2ca2b9542c8dbac145ae109e65202af98a72582406b3eecf41ff166518d574c88c9b03e2b7c112611a5688bfcdfe830e0d5e04cf3c4d75f40c1d7395f7f84c5d23bd164c619c9a0baa214ca31fcafcb2791d99da41f381cf652cdc98a6134f679c1118b7fa503e9ad1b06a7c26c6339069485910515acc89b43d6f31d773be54560101775234dff26cebb9138a7f865b9d6d792284f011b7b1d910e3235ccdca0bf0f96b80e1fa1a9c93e0a9cdfa3f712d3f139f9df4479d0ee1f4d4d67a354e975837247802c87c594e5716808d3dc404890beb51fe5896d8a045c9d1f8d5ed015a86fce9d1e81d74ac80404c30083b5a7336ef13989620dac8e7a2a558c8d1f1b6e929add6b9a3622739ad4eb93afe997ddb4fecce60f5fc775b6efb527fdc055982fe2ad505c002516175e6284d872056a927b48be6aad370183d815c58af790f618e0f748d725146193f618aef1b5a064635b50ce682b3961a2f19eab84e293abe4087d7ee117c08608fc4bc9637ebbeb945bcdd66207b2f02331cf5796611c8e2dbfc45c2195ed1c197916f5b493606b99e0c9abb38bd933a2f70fca4d675d4e1b6635d7a607a224f91caa438323bf9e1a70e0ca5c16d0d882b6d35b2103ea8c5e7314a4516627251a825b3902540048ba48fae626af3fa4a21e81367d4758cff6c429904376e9594089e7f5527074cb1ccff7799eeb71bd16953aa4c851d45e938980bbd56cfaececbe9ff393630c24f763c48a6e28c9a77a25b915f1a99d74cb33218179f46e78a2d6eeba8477a6144f6d2deb294c8da6d95a950b77fb133236b3e5d2f540c092a58746c797c3868e380347c0a9b9ebdb67db8b5f51cbd135a73c270cd2b30c435804f43e443c0815fc5f375a73010926d7864388523d2eea07007cf3f817704efd0319f0487c515981f29723ace36d167b990ddcc7e064d521b3aa6a6655a0a365afa6caf1ef40fae23a9e42ce08c57bbf5a41a0bd54354b0dcf74ca77771d78aaef2a0c51c5998b91642fdd4f953d2a4291ce308e726427bded86fa0ce56ac0ed4a16e6f0541efaf845d5350b6117f79b8646b49601800b732adf992358298c59e64921b7ac430e4872ce0a9cb37c483a4451f4dd08e68e6c87905c50031e3b0f730985564a3a5c29db28aafef3f8cb05c2644d9aaa1015e2ec8bafc2640481abac6b18b12f3e7233704d47e0a1df4accfb03d3e6a3222929157ed1f6dc2d86b0536f2b48e99996247412266c9a28c3230d2ce20ea9d43808a9af936aa81710853a1b1bfa5797c1655fced7912f19041702d8a4f7e9626a4a793b6e58b155011c9447ff926844c820828202859fc75394f45b2bad859b34f36fa98f6a9e8ede680b23b51f793fd996dba5e6c23a6740aa6a46b07d6e53b74b65c041733ca156a3698772c3eede0e0887993a85e6290dc7fd14545e5d923a512e1d7b4cbd96010445c9d9e855afaa7c53f53baff420ac332d316a35a238a1815d272f60c3e886ca858d6448ed51a0c7676db70b8fb7b04980b976ccbf0a3110437b7c21e85d4944edb7b6ce0f652cd5da561a9b34211b26e641236a857dc1fbc43c12a4eb9ebbf96cfea736f2d8298cedafdd0ab073a7ac697960c4d65e64d956058c1acb02dbaa11c7a169b4be13952694d8dfe84ef06b1a3583171d99de754b32c41861c1be8b6dda60687e67aa6d8249e528349cccec97e399bb639dfbf4479f54c591d31f588932af57b5ab87843aba2c8063c55664bb8375e24e5346ea03cfadfe42795453c46a8f3ccec7d5b9d2896d34e0432cefa1464f6338b40fb1b2e1ff9026898ebd6eb806339f488464ff70eb741239556b55e6872e2d90ad69f11e6ca2bd7ccb8b6d39933fcf3dca15b13a76b4adee2b1898b60bd6bd051f9e4e516aac6650a50a5077b9caeba9f286e58886ed39dfe8cf9ba25dc84e1ae847b5637962b4c08b01601808dfbd93c644c9dec8d62123c9005b51dbb02d7144a12d49ffe018fb832aa5eedfaaff32784001f0f4801396189e0e5f525b79caa0f010d6574cd479fa9cc632f6a2558fdd4eb2931375e7ac9eb99f31c1039a9780bfec6430b155cb4d205bb33c735509c270167dfbfefe65062c757b41493beda43133ce24d497744a907fd78ddd8a0fc896a8eb60dd174690672c6952789f29024ef540d21e99f15fb127a0d8b7b7f0e48233c5778f578a1e83088a659bded44bf41e8edb8a02f091509f0b05f06df737891fd7e0971a0e1735d22da7018386792fd5f2bda365f48194a00b89faa4bb1d972788d740c57418921eb4d6176d160b209460d544734ae43e99658aa367e8973c3ce1137d936103a842da4dbb085f25236be94f9cbea7fe4e8dbfaab901de38ac0ed4458fa7d94503d42cbb8eb53042cbcb7e12ecdd5cdaf655b51d61c0a6a07b562b619b6dff90e0edf99d8c20278ba17ac5480f04a3a60ba83678b3dbb4247e5fb96ef134fd77a699bc7812d1c9d31875a298c701da0f17e426e4f6074f82dac60c9e0d2387ef54d602ee9b77587513c97cf3c29ec5c1fe318cd1d0d049968498da6916ab56edf7a4c16c4c55b3f52c21989b196276d2a7c5a7e21b47665876be4b0f3f5f69554cd404fd4453a4d14b58bdd623007e51eb90615a65c959305ba93337ade682e432daff7eb2beb47cd08917290dca5421775a24f8656ff18b0a918fe4f77dc8a63a151093b8441552885aa993d0ea6eec60e1d60a0ce8d264d66dd29ded7ae9c08704998667ce116c870d7970abe04cd3a58b9df79728b7b73854425b5cbcc62c66a8b38d6b7ca8fe55eedf9e265be8f100f8e6d95b2ff66c4570439b6932dda3f16d73e69625206551b85fa977ecb8181d95696777455a09d5197a22ac5d1a780d7746726eb0a84f93a11d4972871e24a587dca5442b449727a6ece2db6f3d8f513ff2906c7860f972e8d99bcee1e88739aad134b14618241b9a2d97997e7893582306f11e08fb979c34d31f96b39a09d51451e277442c3b8a26b98aed6990d57e44e2d9e99ecba825ac8b51d19f46441bd3a3a726b39336b09600a68097e8d73a01bfc0c739abf599897d19e7e81f2945351b10f1af8b9e62604b30addf0194ce8e88d78d8361f23ad92b8603e20c7e70929e843b22dbb8840fe4ba461008eef25a51a564bd33d85b992996de97a0f4b5dc3356f54413e53b36f24d31876f9133db4691d1ba5519d82ebfe05a11212c21a1083cf8645dcc7425fdef414131cbfc4a40f82ca79815c5533c5700093810cdc284a84305511395cf12a8b76227ff02af2558c56ba6e611fcfeebf77f05393797a8b67c20acdf593c47cac0bc599f10f622e4168b2930a9be32e499637d90777f07fcf86d9bc65d98d2e0332e92feefd802fd59cfc93ff4f71a7c29b33b9f06fb16c3aa23254030f015a1fd288d3df8dd3fe00cdab8cf6859311a18f76a90acd1f3db082d9222a3e488ac69513d6bfd5a326f749680c6e710466e411c20ed352fe8fe90d6c3cdab7e10c96c86c63f4960015132efafac31ab38f2849a4180392742c71566383e79db7e1114a74ddb19d66febab0a96ac3fd4dac337a073c07319d5538ab41f2b87aaccad5b33e1a830bb277ffb09d0e4d9eda6a9df9e24d7579a31e820d46ec07a17be8913c6259ec9714fe024ec03a6f2656d4904905328f7e9788088bbc7ec666588581ec522f6a6bb7e4edb9c85fe87a8d5cfb788d477248a6daa3960850e5a13e0df41b3db8b07cdf166bd90ad3f777ae2456751434886bc7d57189e66f0e6e1d9f5db57428cdf098b833c1b2ca8390a9bd483e5afb6e8ca11f12614fec46985e0ca98818ab2c3a3c311e3f3c53e6776f42f6ff35b12805f3ca9b390c20aed909b23d7e1e19f322809c28d6c7ee96a36cfe268b2dae202ed172814d62650423241b98a7d617b91f8e81a00b15bd1c7e6e5660923c0831034e7518b26a8f90c8b1588a23945325f0bf152d6eca65a04a330c08f67b2524adf4f5292d6c254e4bea7fcc9d87d1721a93f969554bcba69a3be8d20b4baeb7afcd8353438c13eedf4b2aec0642196f43e8b5a3addd5901b2645d2794ff144a7bee876b33968fa2485982710e944c0b175728a51c1865a51867ae0e889d4a94d9c76347c0eb4430e9a2399a79f4055e7bc1542b2bf8478edd5cdd174e0907a1487bff7a3d8ea85d480d55c90ed84c0bd0bbe287c5f5598829c7a8a2e16220231db90cb7f8fca22c73a67275df2f23aea835c86797cc0c6f2081cb4d70370f89a58eba3f5b2acbfe97fe8cd1ae5e0c3bf42dd13f2cd958ea9735c6aa0e51e1e5d85d3f037a2d3ffb640934ec7468fcddd42946be81bfd801942f95694c3267a6237fa8229aaaa51d8156c9d575596fbb24c2082423272f3f02da12c870b58b64e747044fcdd933685e7b4c3247e9fc4b1dad8834fdad50103b8c7ea4f4434a4a0c982060e4a095d4ae7c3a1165af8220fcf2ee380841e32d7cb2f67b535c09c5af35d935eb091f072001f9ea70e289e2a9d8c9b107fb5b6a87bd3282a0ab8484f603c9e0e8aabeade763deca697e7373592c69b9429c7622eba408cd56554a94b1ab5e789015dafbc636bcc3e099129c023424e6c2cbf319db97fde78a14b78f767da6524d06da7b8dc0df81c19905ff225dc17bf225ae5ba75546cb2ca9cd99dc133f338f191ff049a3de4fc3ba7d1b22097c7e40cd13b66aa7ff3421259002d19fc47fcba16eb20a476c138866258926c0a87fea8841488a807c5502237a9e8d96445586892c53641d72ba9f876eaaf269e810658af5b1d7b5dcde6e4f1a009a92c63a9e8c3e19c29316a23848693a0921c68f2b4a40e007bb85308c8ad32f15f21c1ba42d902e17fc7e930325ce2459a99e2e81b6b0b94209d405361e9938af2d2b0d3e1be93bb5b1aa38c5ba1ac76caba677be41ac7112448a72c97ec8ee62e0979c4fd23ebf7c6d151762a36061ecd9507b91f6bbf363744544602a2dec64667ce5d106fbdcbb143276dc8f723250caa9d24b9495b8d76bd72d8bc93b4d7b22d8ff0a9a82f668fd1e54a478b59e54bf9a0529e9a148b8f146bfb1e4de9bd52ec1747be2fa875ddd1cdf6345d3393799065c4cd8118e33d695dd4b98efca18e10003aab586d84617512ab40e5f6ecb5fd6712ede74c3882ac8810b806d4707326d623ea4865abb0ca150476a2dee29e05047fa778dd34857fd63d4a0ee8dbab244603ad067c236d190fb89fc46f7f21d163f43d36d92092ac4ef498e89b66b5ef96b08b41e0e358f3b1bee336ab6e6386128bb8f2c25c734569e7c100427608d0c8b1754165aed4c56f0214c9fc5e15018a0de32ffbb7172e969736b690f96c50f3b85b0fddcf55c5fb526ea0dd6c42e1883e12c718299ee97d321601369351aab917c0a427c1bb63541acff3c9479e4db1a9c81bd6e9a71cb75aaee0d6649b3382a1b03e5677f74b42659c381e1cffa14843f6efbd51f5ac5a7f31bd54ab7ddec536327539f4f1258567650981228da5df32958112e2d8de27ed481a83c810b92668a4dcfbd6767798c3c899c8f5184b0ad30525bf102ba40c375d86cfe8eee601ce96829981ab56a86cafa2a154d63312fe97b19f243b326921f049bd48e37729cc96f26d2b07ce46377b7397c1f536f5ef6fd66f6c4116ea96b08330448ac72ffb5faa8eeb9ded68fe7e54a0e49271d37d658341e16737ce37bf47cb4b7fd6cbdcd6e6117b7f006ec8f4290c3b935f491f1356940e5c96195d4c022bc03f03b579eca67263444275d8d3c288014dc9169d3297b54c1a628ffbf74ee9e7511812aedda4039dcb0892d180b50f940992fc920d6f748dcc4b9155186b0e5474be0e68a3b4bb7ea52d0a136664d251560b037e8f8df2b0a2640e420b19d143400d9678dac4e7a2b4be287f6891ffcfb1c11bb4f2b9688aeae272b701b2471bd12f82c8f2ad9b8ce1e9aa4084912a498944bacf4faf75d6fb092b61fbac442f64e66dbe570545f0995dedba17e72673364a8a07b3d33affc79fef0e4e4fe41ae8db6ae027d5821026561b61498f75de599f46d7743cef145b741aa2fd67205c18e8757073d1b6bf0a66f06e0c1ec6fd1ce3daf913b016b427cdf4f7b19f9fb22b2a1fc4510449fd020e54fc93f7609f56519f7e6caf02f5b8be3a36d9263890e2068a9bee98469a117964a4b5e39cfee8eb1605ded96b2acc51afc99821ae7bf50d4b4791eb3eca53b7ae0005e5d74135fcfc112fbbee5a68125f10249cf8340c0f22d412a74fae14068ece35c4617f90f1b75e84b1ae9ecf6c18c7504f068b034462cbf349316fc63d580eff2fcf36cd296379a8bfff91294c58dbfdd93c98285e7aed4489a4670c7070907b7cced1c54419034f69e81edec13b35c49bbf473c6ca32ee4bfa9b1676053b79807350c55f3ae6005d6e5adc4328d78e8197854c45b5ddd5a1dce9a6b03d0ca45aebc068f3bd70d3202f5e1e17398e0a7c957aa6436b061fb80db2e726df5607b496194f911098faac0608b03eca5058fc43beb56865cef28fb9aa0d311bca89b8a0acb02b583e01f2089adc1dfa113ec812f1cc5b4b7fcfbe044ea2b3b2a93f2945d31db3e1c5e9e35f99b607d14fa0221b61644fb66e8c7a22f329cddfb22d2bcae360d22ac556bc7f35a00a3f2760d1fbbc297a3a08502985f69a7524d997c6fe3002e0fd6703b67d70dbb57926069fd7433f4cb82173e542ea4be236fcf30d03a82a32bccfa7b373a46db0ac27bba4cb00edf6bccf3c8270cacdd0730a3d7b46b71084821a5e85d3a9493da176569df13162bd8bc911da153d7976e73121a025301997f2aad8ccfe4b9939665dc6699ce20fcfcfa2e1278039f3fdf2db0d7de3c9de4ee4e64453670a2be516c33b06f545a6063f121553cd096e12f4dee94f5a2858aad5dc12c081fe614fdc4ba0fbbd623a38835f7c1c5ef8414c24dbd32b37e4bf0a0bdcbbd12946ca82032ec338256786beb027d62d832fb99b579a8e162c10c67d479d397caa7d7e0c714c4491b5d804c87be8afdb26204d37548b869aa0e94adadb97f5e7db32bcb471bd5bb2aebd80d6947786b6a322ab569679856413eba30e0dcb1d31cae96b71d43846c39044691d5ffefa1cad55e5d59d8f8302bcc410086ca41b576c5dc18e5ce80e2de4f7eb57b1414ef29cd00c1fbd906852915d03f9f5265411d428d23f04a70fb46aa7b60146c6f272136f13a0426d149256b936505f03997fa86e2507b04e25c871578fa980d2323fef7e8031209043ae56baa4e0ec407084ada94d96ea836080d5a66e0d87aa7deea927ae9f5b80a58bbc2555f7a95680ac7b7c0f7ada2f5769a5dd272a102b94c883116daad90be2595175f99656aad3dd36336d84ebaf97d1d5e2782b4c392df227") r47 = syz_kvm_setup_syzos_vm$x86(r43, &(0x7f0000bfe000/0x400000)=nil) syz_kvm_add_vcpu$x86(r47, &(0x7f0000016780)={0x0, &(0x7f0000016480)=[@out_dx={0x6a, 0x28, {0x351c, 0x2, 0x3}}, @out_dx={0x6a, 0x28, {0xbe7d, 0x2, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0xf10c, 0x5, 0x90, 0x2}}, @out_dx={0x6a, 0x28, {0x4c98, 0x6, 0x59fe}}, @nested_load_syzos={0x136, 0xa8, {0x3, 0x2, [@enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @guest64=0x280d, 0x2e0, 0x4, 0xfffffffffffffff8}}, @wrmsr={0x65, 0x20, {0x285, 0x7}}, @uexit={0x0, 0x18, 0x5}]}}, @nested_amd_clgi={0x17f, 0x10}, @wr_crn={0x67, 0x20, {0x4, 0x4}}, @rdmsr={0x66, 0x18, {0x2e6}}, @uexit={0x0, 0x18, 0xe}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x0, @ro_nat=0x6404, 0x10, 0xfffffffffffffff7, 0xe}}, @enable_nested={0x12c, 0x18}, @nested_vmresume={0x130, 0x18, 0x3}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_load_code={0x12e, 0x63, {0x2, "2e0f017133c4216ac2c00066baf80cb86e897c81ef66bafc0c66b8af0b66ef420f01c33601e312ec0f00dec74424007a000000c74424020b000000ff1c24400fa1c443314a890a0000000b"}}, @nested_amd_stgi={0x17e, 0x10}], 0x2c3}) r48 = mmap$KVM_VCPU(&(0x7f0000cbe000/0x1000)=nil, 0x0, 0xd, 0x80000, r12, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r48, 0x4) syz_kvm_assert_syzos_uexit$x86(r44, r48, 0x3) r49 = ioctl$KVM_CREATE_VM(r12, 0xae01, 0x20) syz_kvm_setup_cpu$ppc64(r49, r43, &(0x7f0000e17000/0x18000)=nil, &(0x7f0000016a40)=[{0x0, &(0x7f00000167c0)="0000003d0000086104000879000008650c0008610000803f00009c6304009c7b00009c67d0049c63246bc07ffacddffe0000603c00006360040063780000636404006360269fe17f0000603c0000636004006378000063643c02636042000044f5009007d6db8bef0000a03e0000b5620400b57a0000b5662a00b5620001c03e0000d6620000d5920000a03e0000b5620400b57a0000b5662a00b562736fc03ea7f7d6620000d5920000a03e0000b5620400b57a0000b5662e00b562905ec03ee010d6620000d5920000a03e0000b5620400b57a0000b5663200b5620000c03ee0d1d6620000d5920000603c00006360040063780000636400f063600000803c0000846004008478000084642a008460220000448fed9ff30000603c00006360040063780000636400ef6360b5ad803cca82846004008478ea5e8464a2e88460f167a03cbee3a5600400a578a557a5645546a56003f4c03cb487c6600400c67873edc6641551c6601de9e03ce4a0e7600400e778d884e7642576e7600870003deef70861040008791f720865674008617fc5203d5dc62961040029797f83296531e82961ec4b403dd8c04a6104004a79e3f44a6576a04a6142000044c7dd79120000603c00006360040063780000636408ef6360ae15803c967484600400847848298464f27b8460fb2ba03c3a84a5600400a57866dfa5640e85a5609421c03c544cc6600400c6788ed8c6642d18c6602715e03c9877e7600400e778527ae7644a11e760b221003d4162086104000879f61f0865aa6f086100f5203d4c23296104002979da1a296595bf296193f7403dde994a6104004a795ee84a65a0514a61d50a603d34f96b6104006b7921196b65ab4f6b6122000044", 0x278}], 0x1, 0x15, &(0x7f0000016a80)=[@featur1={0x1, 0xfff}], 0x1) syz_kvm_setup_syzos_vm$x86(r49, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r42, 0x0, &(0x7f0000016ac0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000016b00), &(0x7f0000016b40)='./file1\x00', 0x1000840, &(0x7f0000016b80)={[{@ownmask={'ownmask', 0x3d, 0x9}}, {@uid={'uid', 0x3d, r39}}, {@gid={'gid', 0x3d, r25}}, {@ftsuffix={'ftsuffix', 0x3d, 0x1b2a}}, {@ftsuffix={'ftsuffix', 0x3d, 0x95}}, {@ftsuffix={'ftsuffix', 0x3d, 0x2}}], [{@uid_lt={'uid<', r37}}, {@subj_type}]}, 0x1, 0x2a, &(0x7f0000016c80)="$eJyq3PSiSzhjn1ni6QQv2eL9NXzv/l1Tb+R79PvXuQuAAAAA///Puw+p") syz_open_dev$I2C(&(0x7f0000016cc0), 0x9, 0x107c00) r50 = clone3$auto(&(0x7f0000016d00)={0x2, 0x27e, 0x5, 0x2, 0x6, 0x0, 0x6, 0x5, 0xd, 0x7ea2, 0xffffffffffffffff}, 0x90c4) syz_open_procfs(r50, &(0x7f0000016d80)='fdinfo/3\x00') r51 = syz_open_dev$ttys(0xc, 0x2, 0x1) syz_open_pts(r51, 0x8400) syz_pidfd_open(r16, 0x0) r52 = pkey_alloc(0x0, 0x0) syz_pkey_set(r52, 0x1) syz_read_part_table(0x67, &(0x7f0000016dc0)="$eJwAVwCo/6k57hMEqlDNSDO4ZVQCcLxIue9czoZuafU/43B5GQ8/SfKEAJSVthoZct6TJycbea3BUcvLUazBD0Yw9qOvvKZmop6ihOZrQz9pF64MLnCI87vjyBXT9QEAAP//A0oqtA==") syz_socket_connect_nvme_tcp() r53 = syz_usb_connect(0x3, 0x840, &(0x7f0000016e40)={{0x12, 0x1, 0x300, 0x42, 0x66, 0x24, 0x8, 0x2357, 0x9000, 0x8c65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x82e, 0x3, 0x7f, 0x2, 0x20, 0x5, [{{0x9, 0x4, 0xce, 0x7, 0xf, 0xaf, 0xe8, 0x6e, 0x0, [@uac_control={{0xa, 0x24, 0x1, 0x7ff, 0x6}, [@processing_unit={0x7, 0x24, 0x7, 0x4, 0x4, 0x1}]}, @cdc_ncm={{0x7, 0x24, 0x6, 0x0, 0x1, "a34e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x7fffffff, 0x0, 0x7, 0x8}, {0x6, 0x24, 0x1a, 0x9, 0x4}, [@mdlm_detail={0xd8, 0x24, 0x13, 0x1, "fcb64e07cbc613ee0fb47b172d8cb25490f7d08dca4c04f248b0d2c6c5d4fd13c90c337dbfe045783ce1ee1399fa76c14b25f5c338b041833f787b776e0c3c255189f0694e731cc1edd1269dee99eed04d16af2ae0f124510006a64280fbf1ac1146beee985883566c169abff09e46018c5ddfdcefb4c06a4626f8eeb21b618fe70adf76c204c1a9305d06d90852b606a0698c6678280d4829c78171526b7cf0cf95cab7e3afb3b58fcfaf6d70eb433347fbae1294b288b8d339b3d78fdbc0f227907aaa921ca3026e4c5ce34211e3c907b42ca6"}, @mbim_extended={0x8, 0x24, 0x1c, 0xfff, 0x1, 0xf51}, @mbim_extended={0x8, 0x24, 0x1c, 0x80, 0x2, 0x7f}, @obex={0x5, 0x24, 0x15, 0x4d}, @mbim_extended={0x8, 0x24, 0x1c, 0xbf26, 0x10, 0x7806}]}], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x40, 0xb, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x4, 0x8}, @generic={0xe8, 0x30, "68849f67c98033bfdc9bc67c706e689f08da2d587b668f1f676bbbc38f71f68c0129159b912f3288af2d8f5b2a9e6a416c8e3445c333df5f7008233683c674208456cfcb7a598fd1430b9bb55e9b6fbf6cd0797ffdb48e94a2bb0a7b924dc3fe2c8b37ff8b6d67a0551a582d713454dc2f829c5fa9bb41053a7b74b601c8ab8454e2d48d213eb4f873d9693119cf01d9779afaa261bd19f84e3998a27cc27fdbaa15467cd6f5442aec6c7d12861746b6bab7b93701f011de1e995c1c204b4c2680503a47bad86fa429cf00ded48239fb555ab98087edeaeeba89b14dad51b1993c25e60109bf"}]}}, {{0x9, 0x5, 0xa, 0x1, 0x40, 0xf7, 0x2, 0x5}}, {{0x9, 0x5, 0x5, 0x10, 0x3ff, 0x7, 0x14}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0xc7, 0x46, 0x2}}, {{0x9, 0x5, 0xd, 0xa, 0x10, 0x40, 0x8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x7}]}}, {{0x9, 0x5, 0x8, 0x2, 0x3ff, 0x10, 0x9, 0x8, [@generic={0xf8, 0x1, "8709dae6274078001913ce2efbcb79ab1133baa4f7e07b3b2c7ff70389e902b3684a95a29997f2d20ff4af270d19a8e0b4f24df512a7981b5cc217941cc55d0ee52777d5469f8d59a8b5b4a6e4fe8c2c9450b47d3153ab98f8e25d699873d3bdb2640075123c4c4bf270db5a2e30c478e75e0e80aca0d41af746e3efb598b2dbec647abd397b0efbb2e744238a48cefe4299f48385e74d325ba52c15b168234a996d3257eaab4fefcba6b898c91dd99e0c080a10191184ea552c28223c35e63ea9406888a94759ad4c30baec3d37bc12628f39fd0e1ea1665122b4a04adec0d9632421ac7518851c5c9256a33e291201a3af1af8df0a"}, @generic={0x66, 0x4, "e24af39366d6cc5b860379367e9b5af91238a8ad60d4d3330b86615c238b9adc150ca8d4d89f347cefed3502f2a64669ec10c9352cc3f00bb7bfff70a34070247f372fd56b348f50f94509038994df699dd0bd1e0f291424502d0abfa275df94ab99686b"}]}}, {{0x9, 0x5, 0x3, 0x3, 0x20, 0x10, 0x6, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x2, 0xf}]}}, {{0x9, 0x5, 0xa, 0x10, 0x20, 0x2, 0x6a, 0x9c}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0xa6, 0x0, 0x3}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x8, 0x6, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x80, 0xfffe}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x8, 0x6}]}}, {{0x9, 0x5, 0x2, 0xc, 0x20, 0x7, 0xfe, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x5, 0x7}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x94, 0x9, 0x7, [@generic={0xdd, 0x30, "77867ea85d1b66ca1b835f1ffe80b4e15a4297fd75060e9ca4a21e385adab09508051dd6105eaa7cdcecdcc320bc7f956eeb82394feeae2b09c0990c54433f3734da18ccf13f5fcc5bb32eb3bb6b062a282989582d898d9e25f97d5d3927fbc22c45904983860eb61eafd34b54ed2cc8b55cf197d31bbb18106360ad77240c1f44fd50f1a944b9f5557f95e94513b0ad4d6079e15e8d3b4301027dece5a5ba8488a265ab3067ce7d0f2d5ad3117bddf068f591f61d6646f96a3772bb1d8807ba9dd6d7a0beecb27298c3f090b2b7ed72979d14deae685d250f2cc0"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0x70}]}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0x7, 0x0, 0xd5}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x0, 0xb, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc4, 0x6e}, @generic={0xe, 0xd, "36cb58afca23d3e3cd43840a"}]}}]}}, {{0x9, 0x4, 0x8c, 0x0, 0xc, 0x77, 0x71, 0x4d, 0xff, [@cdc_ecm={{0xb, 0x24, 0x6, 0x0, 0x0, "378790738559"}, {0x5, 0x24, 0x0, 0xdd}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x926, 0x1, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0x7}, @country_functional={0x10, 0x24, 0x7, 0xf, 0x47f, [0x7, 0x5, 0xa5a, 0xf25d, 0x10]}, @ncm={0x6, 0x24, 0x1a, 0x100, 0x1}, @country_functional={0x6, 0x24, 0x7, 0x9, 0x81}, @country_functional={0xe, 0x24, 0x7, 0x10, 0x3a, [0x1400, 0x1, 0x3, 0x8]}]}, @uac_control={{0xa, 0x24, 0x1, 0x80, 0x80}}], [{{0x9, 0x5, 0x5, 0x8, 0x200, 0x39, 0x3, 0x2}}, {{0x9, 0x5, 0x0, 0x1, 0x10, 0x6c, 0x9, 0x4, [@generic={0xec, 0xc, "cd0d3ce6b75c2b01f97fcb20adf4d99a5a6276a0a0717a5cbdaae5bde2286c78f23ec6527fe1490d74ccaf86bae71c9879a22fb098f798415a4210a098cc4d7658353019718991bb6a8d77a8e7b5d4507404e96ff45614cb5cdad6985e76eec52fa70774a80ce5407b62d01051262f8136aa68c22ea4115b5e27653c40a81cff49a13bf79d599e1eea6f2ab7897c7165b36cb683a87ae079d8ff5f450ddff53f2a7a042d0732f9357ce23fb6a1310f9584d8a7557b654936d97d49be797a565302d1e615a70061101f01cb75333ed4fc3fb983e30f4904195e253a3add43bd069794bcace63863b8c55b"}, @generic={0x31, 0xe, "a6772f6053bbf3fbcc2e4b92794df700a7499308d02da807f64c0bb6a2df535b939af7a1a2e98682e084019d17ff1e"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0xf8, 0x0, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x1d2}]}}, {{0x9, 0x5, 0x0, 0x7, 0x400, 0x7f, 0xf9, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x5, 0xb57}, @generic={0x43, 0x1a, "cb18238b9bb4f2cf09a9e512ee7299837421b4dea8530c6a24f72229b4c3803db0b8159c4fc1d0c512c36706f72652839ab687708e60653bc855f3efc0191d44ce"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x10, 0x5e, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0x2}, @generic={0xa, 0xd, "0ea835cf6f9897dd"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x8, 0x8, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81377ff213a15d50, 0x40, 0xc590}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x4}]}}, {{0x9, 0x5, 0x2, 0x2, 0x400, 0x6, 0x6, 0x7}}, {{0x9, 0x5, 0x2, 0x3, 0x200, 0xe, 0x4, 0x4, [@generic={0x5, 0x11, "b9f5e7"}, @uac_iso={0x7, 0x25, 0x1, 0x40, 0x6, 0x6}]}}, {{0x9, 0x5, 0x3, 0x10, 0x0, 0x8a, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x9, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x73, 0x1ff}]}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x8, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xd}]}}, {{0x9, 0x5, 0x6, 0x10, 0x200, 0x3, 0x7, 0x0, [@generic={0x4e, 0x21, "de218ddf3078a6fbd86d425731334bc46cce8cf519b9cef7c417703ac6b7c8d919df45ea16b8089069bbf34f03abe752c1ee7d7e03a08637bcdc17d4cf34c2756eda9fbf09fdfcfca3052859"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x6, 0x8}}]}}, {{0x9, 0x4, 0xb9, 0x8, 0x3, 0x5b, 0x5d, 0x4c, 0xbf, [], [{{0x9, 0x5, 0x5, 0x0, 0x400, 0x9, 0x5}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0xf9, 0xea, 0x2}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xee, 0xbf, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xc7}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x6}]}}]}}]}}]}}, &(0x7f0000017780)={0xa, &(0x7f0000017680)={0xa, 0x6, 0x300, 0x8, 0x4, 0x4, 0x10, 0x3}, 0x5, &(0x7f00000176c0)={0x5, 0xf, 0x5}, 0x2, [{0x4, &(0x7f0000017700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000017740)=@lang_id={0x4, 0x3, 0x425}}]}) r54 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000177c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r53, &(0x7f0000017a80)={0x2c, &(0x7f0000017840)={0x0, 0x1, 0x101, {0x101, 0xa, "3681db1760f476d161e6331af001dff260ea6b4a4cea6097ecb1958b59faab7a902848c262a0bb7bb004a6454444f39114416399cc7a71e71547c56a02f133907f22c3f12ced90a4d6ae9ff8fd98b3e7cd83d8745c649289b5fd78f706859e152148d76f8f0d0fa049834365be85ce2b50358758a90b57339c874457410ae277d2b118f38427a932a2c7cacc09aed3ee5730793f36dce0ed57b9c65ff63c7eb7ebbfebe9094e0853051b9f3dfaf6c2ab61265b3af1f34872569ff3e04b2ec1ef09a3692a88292ffa38b851e6fe031a70a551e8844b16d138ce126ce0419571f4349aee237a2bf6fc52cb78f26f30c936902d7f29d3a5615dad86e4c69ca03f"}}, &(0x7f0000017980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x4c0a}}, &(0x7f00000179c0)={0x0, 0xf, 0x5, {0x5, 0xf, 0x5}}, &(0x7f0000017a00)={0x20, 0x29, 0xf, {0xf, 0x29, 0xeb, 0x10, 0x81, 0xc, "e76746f0", "f19276a0"}}, &(0x7f0000017a40)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xd, 0x2, 0x8, 0xe, 0x7, 0x8, 0x515}}}, &(0x7f0000017ec0)={0x84, &(0x7f0000017ac0)={0x40, 0x17, 0x1e, "63fd640c63a3d40d56edf64acb1036df01c37dff2b11b8bd6dce4f20b2ce"}, &(0x7f0000017b00)={0x0, 0xa, 0x1, 0xfd}, &(0x7f0000017b40)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000017b80)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000017bc0)={0x20, 0x0, 0x8, {0x80, 0x1, [0xf00f]}}, &(0x7f0000017c00)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000017c40)={0x40, 0x9, 0x1, 0x6}, &(0x7f0000017c80)={0x40, 0xb, 0x2, "dd91"}, &(0x7f0000017cc0)={0x40, 0xf, 0x2, 0x1}, &(0x7f0000017d00)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000017d40)={0x40, 0x17, 0x6, @local}, &(0x7f0000017d80)={0x40, 0x19, 0x2, "73dc"}, &(0x7f0000017dc0)={0x40, 0x1a, 0x2, 0x8}, &(0x7f0000017e00)={0x40, 0x1c, 0x1, 0x81}, &(0x7f0000017e40)={0x40, 0x1e, 0x1}, &(0x7f0000017e80)={0x40, 0x21, 0x1, 0x7f}}) syz_usb_disconnect(r53) syz_usb_ep_read(r54, 0xb, 0x6c, &(0x7f0000017f80)=""/108) r55 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000018000)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x40, 0x3f0, 0x4, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xba, 0x80, 0x1, [{{0x9, 0x4, 0x0, 0x7, 0x1, 0x7, 0x1, 0x3, 0x5, "", {{{0x9, 0x5, 0x1, 0x2, 0x8, 0x4, 0x2, 0xc9}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0xfb, 0x1, 0xf}}]}}}]}}]}}, &(0x7f0000018180)={0xa, &(0x7f0000018040)={0xa, 0x6, 0x300, 0x4c, 0x3, 0x7f, 0x20, 0x81}, 0x2b, &(0x7f0000018080)={0x5, 0xf, 0x2b, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x2c, 0x6, 0x60, 0x64, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x6, 0x7, 0x1, 0x680}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x2, 0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0xc, 0x5, 0xd4, 0x21bb}]}, 0x2, [{0x55, &(0x7f00000180c0)=@string={0x55, 0x3, "8a4234831e8888aedd9ad22d4f28938cda9aa9a900037c311cae82fd231caa312795c2b2f747f7bedc807a10652dcf379da07ebe9635310275c1f0ed956da64df98af4ea239c452aa85b311b94d471e9d3423a"}}, {0x4, &(0x7f0000018140)=@lang_id={0x4, 0x3, 0x83e}}]}) syz_usb_ep_write(r55, 0x4, 0xa7, &(0x7f00000181c0)="c9de81d2b7fd1d65610b4083b89828a1eeb3c1fe78e802b87bcad52205e7f4d5773025c8c92cf009171f12788aa9afbf0167112693c5625eecd433f1b0ed30d3ef6194f9afe363c1334df356e261dc73f07cac0e40a0348c52257f14f9a9f60d5698352069eed46ef10f4a97b1560f7605b0aa631949af14354c1acabb768609d122466f6849102936f4001d18015df428570b6e59759b75e723b1e612800b56ea89a55d2c6378") syz_usbip_server_init(0x5) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif #ifndef __NR_statx #define __NR_statx 332 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 500 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 500 + (call == 12 ? 1500 : 0) + (call == 63 ? 12000 : 0) + (call == 72 ? 600 : 0) + (call == 74 ? 9000 : 0) + (call == 75 ? 9000 : 0) + (call == 76 ? 900 : 0) + (call == 77 ? 900 : 0) + (call == 78 ? 900 : 0) + (call == 79 ? 9000 : 0) + (call == 80 ? 900 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 15000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6235:17: error: '__NR_socketcall' undeclared (first use in this function) :6235:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor996533647 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/17 (1.29s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/7 (1.29s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$MON_IOCX_MFETCH(0xffffffffffffffff, 0xc0109207, &(0x7f0000000040)={&(0x7f0000000000)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5}) (fail_nth: 1) r0 = syz_open_dev$dricontrol(&(0x7f0000000080), 0x3, 0x105400) (async) ioctl$DRM_IOCTL_RES_CTX(0xffffffffffffffff, 0xc0106426, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x0}]}) (rerun: 4) ioctl$DRM_IOCTL_SET_SAREA_CTX(r0, 0x4010641c, &(0x7f00000001c0)={r1, &(0x7f0000000140)=""/106}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000200)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETENCODER(r0, 0xc01464a6, &(0x7f0000000240)={0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000280)={0x0}) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000300)={&(0x7f00000002c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, 0x0}) ioctl$DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID(0xffffffffffffffff, 0xc0086465, &(0x7f0000000380)={0x0}) ioctl$DRM_IOCTL_MODE_ATOMIC(r0, 0xc03864bc, &(0x7f00000009c0)={0x0, 0x6, &(0x7f00000003c0)=[r2, r3, r4, r5, r6, 0x0], &(0x7f0000000400)=[0x7, 0x80], &(0x7f0000000940)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000980)=[0xff, 0xfffffffffffffffb, 0x9, 0x100, 0x4, 0x10000, 0xfff, 0x484], 0x0, 0x73ca1ec4}) syz_80211_inject_frame(&(0x7f0000000000), &(0x7f0000000040)=@mgmt_frame=@action_no_ack={{{0x0, 0x0, 0xe, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1}, {0x6}, @broadcast, @device_b, @random="01abb5a42e6e", {0x0, 0x5}}, @smps={0x7, 0x1, {0x1, 0x1}}}, 0x1b) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@default_ibss_ssid, 0x6, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_bprm_check_security\x00') r7 = syz_clone(0x42000100, &(0x7f0000000140)="d1a222a113afa50937eb93a69f4a6daeb1c51185973fcbcd8ac1511fee5166f0a2d7b107ca8ba74b42ac080422e3e26c8fd0707d3352f3e0467c446d0fd59fdc796204deb520c9f39ceb06b12c5dec1f8d80435d3a9531b3c8c63eca16670b0be3277698485a45d91a4737cdc17c96065423348e497b473b96cd4d870b360809cfb9631f7a2cdadf25baade0a028dfa84875eeaea710f44ee0c60be31d07667921375cbf5e90565a7594d78c49ee1a773a21696e3e0f6e9d5a9cc8261a51990269f06e5642a81055ab67", 0xca, &(0x7f0000000240), &(0x7f0000000280), &(0x7f00000002c0)="4ce639fae6a5b1dbfb9b05cdf44c3b14df7c001ef8931a5117ea1ba175c0a1e0806dec26a61e38c8b355e6334aab16936f3b9388ce1e115787f0a164e987d9e1339bbbdc21479403322cf6c7b55dafea9cf527b32532be38a2f0557907e357b05e1986227888aac6cc43a9e5ea5e3c093b693d4d13b378ac2243") r8 = openat$cgroup(0xffffffffffffffff, &(0x7f00000004c0)='syz0\x00', 0x200002, 0x0) r9 = syz_clone3(&(0x7f0000000500)={0x8000, &(0x7f0000000340)=0xffffffffffffffff, &(0x7f0000000380)=0x0, &(0x7f00000003c0), {0x3d}, &(0x7f0000000400)=""/54, 0x36, &(0x7f0000000440)=""/57, &(0x7f0000000480)=[r7, r7, r7, r7], 0x4, {r8}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x98, &(0x7f00000005c0)={@remote, @empty, @void, {@llc_tr={0x11, {@llc={0x0, 0x4, "d4f0", "3855a5dee3a80835452966b4819b8e62fe420ebc741cb5df2368e0d83b02a44133dda9714f0ae883ab9c1c66c38864627043bb1cb645f8ca7ee26fb421090e98e576724d716c681bc3e802709219450517396e0b82978a08ba9cd791a977b9971dfcc61a5318a165f4fccd530654e11d54ca4f12b28362bee6c70bcfa1ce0d983864306cf6ad"}}}}}, &(0x7f0000000680)={0x0, 0x1, [0xf2e, 0xb2e, 0xcd, 0xc93]}) syz_emit_vhci(&(0x7f00000006c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x2, 0x12}, @l2cap_cid_le_signaling={{0xe}, @l2cap_le_conn_rsp={{0x15, 0x3, 0xa}, {0x1, 0x1, 0x0, 0xb, 0x9b9d}}}}, 0x17) syz_extract_tcp_res(&(0x7f0000000700), 0x8001, 0x7fff) r12 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000000740)=0x5) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f0000002900)={'\x00', 0x7, 0x7eb, 0xd8c, 0x6, 0x65c7, r7}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000002b00)={{{@in6=@loopback, @in6=@ipv4={""/10, ""/2, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f0000002c00)=0xe8) shmctl$auto_SHM_STAT(0xfffffffd, 0xd, &(0x7f0000002dc0)={{0x7, 0xee00, 0xee01, 0x3, 0x1, 0x2, 0x100}, 0x8, 0x1, 0x8, 0x0, @inferred=r9, @inferred=r9, 0x8000, 0x0, &(0x7f0000002c40)="04dbcb209f35e5ddfdb1b3b7a741cb0da9e7b4a97e26e4d64ca5560ad3ea50d519bbf049c3135111c4de1f36b6b308bbd028e4495d46ed8393e759fd0a3a8a87f1db8749da45e9a5f999f3e74d920ce20c4d2bfe9ca72e5faea34e254ebb9ca9", &(0x7f0000002cc0)="9e746e3d219f0df0db9f4dac0afe9fc6a3ef5fcab6058f83fa7cff2a82d20c2e4f575259eabbe06734843f871e50f4d47bd62ead38d7be8ce30b95115285d16abc718c0da482b90f24299f3017ce2a536dab659aca91d1cf689107448150e4566abf4c057bde3c378236a3781059cc800867309fb208ab69fe7d3fff31198f363305539ba5a17423bd8345e10a2507adfd0b0df310c33482d2cc9c9ba7bf80c8c7e2159c09d9402b1d7ca88f84e7b4ceb8a193ece6dd5faa70429fbac4f1020c7667302d4a57ab637f35ffe42e58593fe3ece07b5d637ef6d973342257fe2c5b1169399909ba6d369fde"}) newfstatat(0xffffffffffffff9c, &(0x7f0000002ec0)='./file0\x00', &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) lstat(&(0x7f0000002f80)='./file1\x00', &(0x7f0000002fc0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) newfstatat(0xffffffffffffff9c, &(0x7f00000031c0)='./file0\x00', &(0x7f0000003200)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto(0xfffffffa, 0x19, &(0x7f0000004380)={{0x8000, 0x0, 0xffffffffffffffff, 0xfffffbff, 0xff, 0x7, 0x5}, 0x3ff, 0x5, 0xffffffffffff05c3, 0xffffffff, @raw=0x10000, @inferred=r7, 0x6, 0x0, &(0x7f0000003280)="976ff34290bd8bc7a7cbfc2a01cd57bb3fef9efb9836923feab6b22096e6a7f305b4a4725f362d86ba08a346f5ad87651b24794b4ee5813e0557b0ef0a7c19b1eafef2a16909abb9c855ec4536adac1b482e8e5a1dc478a025feb8b6304bdcd475b1d917a5b6c9d27a6b4858cba4d25301fe261bf12313f6e8224fc5ab0bb2fd404104ddefc2f27a36d9d10ecac7929db5ffc1df4c6fb6e5637020abf5e6504310ab6de659b656cee8ad04d046756ddae33d8d223854dc8c318392482cb991827824f40daf98da166c916dbb8c156c42197b664d7590e6d2cf4ea3280f84051c9ee3114142db27536bcd983f170f221c15dae9a11a52e84253663ea4308f", &(0x7f0000003380)="2c9f8f388d233b4f054cde11358eb632feac99157236e370ad09ea7b82ba5785b9e9afa9e686a62a5d2d53e478ad6bdc5fffb647b0835e147419667c9a116d7dc9628b1e9f7f66533e8e736b4a659a784c610da8c50010c4ad47ecbb1eb2ee6aa0b49090e709138ab2d171e1dbdd6e8653e06212391e7dc1b28bdd23129424500dcd8343ba198c60cd9701af62b4662b082ddc55e8149d60891c650e774755fc3a0d100ff0bc676b466e3dec52ca77d2c4ce103fc44bb563b3c182cf2f65541303d2d29fcbf5a3f42288f8fe1c236c3e12170e7ac600c5265cc5974e25597f049e9c015c76dec0d7cd2979cce123ad647297958c9d7dfbc36afc2ae4b9d2c09ac172a04dacffae8a50219a4ec4adf06ff80747d40c46ddc0764af4d7782807b8f14fb797b2780bb68e6b2a95dde508f4063c65d87143ff2466fe29ff3afa65202a99240c57990e20c5f34a95bd813572f47d8d482db3fceb9f1c54c8a8dd6332e83fa39d6651c7b78fa971ee88756e2e5a3fb029c77a48fd4164f107c882d1743bf852c14866a437ca56d1d2d199f93f758719d2293c5891b77e860b2b7c665129fbce455e93ce66b675619bbb23629d2bc8682ed4695d8c6afe256d372f9fed839de5b5f68d1d30cffb1a4e7402b9551129edc4c2deec8c16714ea309cf20ac7f17f5fd3cb97bfbff2dd36216b8f73403607b4ecb2dc42448eed56fb23266bd0fdf7eee43f34be3706ecc705927ada3d84f94d8a2898ce00de369c607552f6994ec15f66ce65c4952e30581ede46a2033589d2c28994bda0531943919e301a6d8187da7b498966af1fe3e410e5c167afb133b3e5e40db618703977b24002f621183b61a6b680301387e2d89565f0f62de825516d349c174c07924f4a8dffb281709e997af6da5a62a954969b5335f3074f2400245a77b195131d26ce43e17c3a201a5b8518f8f961f2be9d170c6f5b2b236a394456e577bada3307f4eaa8e0352bb595037e7f30f5ddbdf014ba5b6f3cee6af1fd4744fd0bbac1e2ce29853c722956da7de4e3fb9241820b0586ffa29da5b6cdd12da1a0418643b4ba96bb43242146f6c0a33980b9385da283a2a052b8c201f4239f957fea5f23efcd5ad3bb076abee60ce467eae6805e186e974934280a267dbf7320cb90fe9322bdb6ce809bd35b4130be87119047efd755cc747743e6da51b24af5c01661be2f813cef7d7ed9b61e83e0dca2c8221525b281570276a5958c2614929794c2d55a6b15d1701b1961a078edeff50e0eb0e02d9b1d402657ce25bdaaf910ba4549483631a5489ca98fe979c54c7400c9cc68fed1ab00c402f49d36c4d7b2fb273f392aed4f8def256d409e50d26e7251f91b9f5bcd8e84202e520cb7fe434744fe3a8831c1af1eb20a8f88579ab19268d7eefc6dcd8c94e3b6896e336e0f738aa244c2dbec12324a8a1ca70e040d07a7900f76f0b09e0faab4244d568c00309b8f31157d91788c871d616d0572a26f9bf40b2ff8f034dd9646fb13ebad2951fb7a9ea5509211359759fa495722e0ce6e24b48e3d2a1ec6939838040d00cb908d9edafa8c3845754bd5be90f6f92cc70338b3b1fc072cf2682740371caedd80fece859b1587f04147f50c5a9be927b5d51ae428a1c7e4b594ec242a0dab90581742428e5db58ac1ae32496f37119820ae295a3df7a95509d05d75cd778b54e44a317eb901c7cc28ff74ab53b6f4fb4ade0fc4af2be36d760476ca853a782e7614a133a99f1e5f0f12b9a958e70250fc9bdb898dbe34d8ee32b23ee9f0192fd4bf8f9622edd9f7acaf4f4b92673ccff23227c94132271735ac83de739c85cee73abf94ea2fd0e5b9c54fb7a2bc8771edfe9ba3eb70dcce56f7890aa8a2028e6d318ec234b525626e2460c4d007e74f7ad4068015a5032fb6fc553b27faf764671222ef4b39804e300d9a58eb4d9db9f3fe20127daadee117874ff95e3676e37bfae3061e95a71e97b15e24349f07856def173d2ce459affa77c5b47f8b677a1658f7d89af72253c800e62ce2b11f4bd837fe980f02d4f9719c0fe48454f72809deddaa972d65282ecffee1569a2a5377096ff3f010044e71be8baabfe65e99be10386ada70abfe86e7a4ffa8753f862d2704ceceb6df34a6dd48675441f7cca635e401cb2306d1726e1c3c04266419e991188e77cdfe9e0aa13c76107a2a27f7216b42a690c0063c92fd222f45fb0820d0464ef0b7ae6515e8174c7f90ffdec6dc2913d5ad1feb80617701623363a4e735107b300231ca5624addf083e075aca1d18d95c01b7357a4118fc492c07ff1c0711a9e00bd78ff8e431d7af674dce55832f45901f235b7824e8ad0ed0d8d67f7ff612ff1eca74a4deac721fd1c85980d87dbc8dbef59f3754720f0b926c25e84b1d7605c505f8e75038fa29f38cbfc97712f92447585a45475a90db7d81ce2b42929fa6ae4a6790560025fe0577ab52358f0b098800458666bad646991e146ec904511ca2655183631bdf0d5405879d6f69932c844190e2d916a7ae65da287acf801209648800a1dfe3e9b38f7b58641b0fc1804f9a279d8f4c803d0565650606f60a7e99fe461ab36d725ca764611cc203ffde0f06ad87cf91602381f1ec7aa255b6d21a85fe2e32a060f18b53385476db436919f9ee6995704046350e098ce1e66a1b8328fce20e1f8c98cefaef29cbac0bd9c0f1914538abd48436e92bbcf1271ac66ced7a53013f815f015f36180e323ac8247128a915938c89f711332d9758935180eeac8b8c9f99f9f306d3481b3a68bf9613360681a92437c7bd80adf9899093f3286fd18540a8c742510db91e48a1255dbcd218fe7a34c5058ad59a6962abff5327facd4c2b3a51ae13347d56a19f484ef62d52799ffe802c9fedcf9c076896018db33cf2bd9b0ca59de3f7487a273f7e8cb6d090b14a83ddd2f261d41f0fd1948e0be62929fc668b9f13753e61d08b1a88752dbfa315e79c2d81881190d2b6ad33ad8ac036e5a22b5ea8225ea410e9e8ebf86c4a7ea49765953cd96d05431157a8048fa61b80ba606cf53af8349cfadb89559fdf204ed283d71bbf700a9cc3782607896c851b758405b007e6150cc7e6586debda12a1c4b2b6366b3879623cf9eed75d56f4abca9151eb504670a4a518c668ed9488d8b5f1f212ea69c51a7497260c2a4859488b75960313dd3f29bfb75ea094ba325f79a028d07dbf2137bfefd261b0c5609a169d5f1bbe1815f06ae4e26f5f3f4b36cccdd3fb7f8adcb7645e37ed7d9b63c9e21cdc5954e2852bbfee5bc30a978399189e63b92699d810c589d61d0cd0c6bf4ffb892537e0ef1887d1ea047290ff609584a00dec798f8e72e06c1be8399ea069fd13caf0e1b4cd66f84e26869167d54b8c43c967b270bd8561f99dc84024223402ce0957d93e8582bb8f4583cc2648861fc562fc2102a326e921a418fd518ce636e4e3edc36fd89bca25add71accb89d777070526d9cf7274dd486909c3b142d27fb0abd467be27c36e8487ccda73ad0c89adecd36a08c37ce15b876fd2121a7b0d11bde86759eeb66287b44c61ced7f74a143044ae805869d31a1b1c44b8150d8d630debff9e95c31187b774441fa8137c08ca316ab778159917dfbeec94529d3a12c16b9f39c4d77944e6f16cf9b819f9d8a42ee73291ed84e2d584b305aeb799c2cd76f3afd7e826bef0b77159bb4dad1139eaa9cde7bbfdca740addb511eb8b91d548e18d7cd691dce8578382ecd09ead356f85a4acee4bb8b19342c748ad9704b11e1d9b02c0218ca3e799ab80017052fdd66e9101a00b7657ebdc89cd425334a916df19dbdaf6e4f63bc03492913c86d058ea61685df77a06e0df07ed3fc1f92df067e86d0033640c10f40c279c264c477b2899d4a244b67ee884e519b4dbdc5d6f1c3ab67c123a597974bf3a57ecc909be9133917017db1d7c9e192618524a9392957afebeefb2d8bc4761034070f4179582226e34b1865d26be00c9bd31320c313cb509057c27f1274c78f471bf69b85dbd478237383be86c86f4b0117a2b157820832d07d88d2e78a9aba0b045a19dbf8a6faed40e41ca47c013c2903e69f2ba49b07b36e1f3bd69bd4a82ef2a428a831357d25f5568b69e9422a3ba9533fb5ec240a391aa7b612acdd3502fe9296d4fa02af39f21f159af528daa3894c3d10bc8f70f204153a066e1e6e1174232fc420ec647e29bb4688f26c7d463cdeb95eba4c0d1ed3f5fe41d5e34c0b27b587454fb403e8c9a0fe90f53174d547dbccadb6481c48c979cf3414d0d47160a0b9f6d9a4fa8489653ca2e924223a8a52ba63fbc1af034cbf44cca4728f09e1f57706d6107eedc0659bb9c6d8a3383f11cc87e53aae6dcb83853379a6c0d536b1e06773aff31ea600397c43a66f302837d521fb6abfde5beed88493a5eecfb26ab6fc3f879ec0121f3aa7330bfb82d14528d9c5e2033c05cc6b60f6669273f99099a5d72c2c5144dc0b2aafe0fe7bd01ebae29bcd82f4ca43c5a22974c3c9d923a62e390532e2774800015307b8aeaf1b7a061fe77131a5e12a9cb090eda584acdad7bd8afb20deab65d7d1cf3d16ca8187aded08a9dd9bf830ceb1113977211035b1a9051ae1ca5f1f326e4a6e257b62d7792effd005f183df782bad319bda67a92386c6622d002ee87cfcb1a4f9b4bb4217e8675299f2d8c8f8a6324d3602f768390a12478e7afd2d52cd23567b1984d48d855cf072140126ab0a8942759cf3898f118284d2a933721d71db420e830c88e23b1f07b4425b97d0b8374bde0cb8c3be352471c15c0db69276261763f46ba3d043ef637dcb3f9b0f2d4340029222be810bfcc54e447b9ed750f2f275971a63ad6127bc7423c3fe8fe22f281a727b9496b703f0f68878ca8e117485eb7c8a7b38266bd5a07b5a2f8a9c0d02ccf8c8f762bd1ad4b215b295969dfcb9f19c13d88f72b54e59400a7201ac79fe2fcaf329c8e35a3eaf2417621a00eb5cd2da50c611d5b33e35997071bc1fa35d6cc81247c17bce39d225172ed4a10640cad8178865b307b866323a25569b6ad3292cd47f73044ce58c454961cb5523788a14cc46228517312b74793f0336092e7e30a0da14318945ca2312922bdc8f6e9a4159913fd72dcb4e4c787796ee465ca2bf4cf3628725a391197efe8104ea71c630b72ccf8fe427be80a0ca6b14f53ff9697b6279f0b2cd23e356f951d7c08b7f146ebaa3cbaa6a90d1d9af187e21c829377781d75d544662845d403226516f4052479d8ff176e24ce5510d6e33f04438462386babfc53be7cfb6015296979fe4122192cd44b046ea7e71238c0d3060a38225b9afabaf1693354b3521e2aaf5de3e85e5c586765ef8e2f9c98b8ed4a535f6708f0f171895b57da981c4b3d851fc78322857b8fcffdfc34fa3ef658eabd567b2ff35f0ae288701a811f725c8719daab4725c7bae2a7174861812ec8e9a999a4a7dff379008fb7a93bb9d5da43ea9e10819f914119f474df29acdc90e1b4901fa8d2806394adb6d34f564489340015df154dbd9e9bfa669e277a4c3522074cda8f036e1c762a2abadf3878e7b70598e4df8f7d6e134e13509f1f3eb2a461872adedcc36407d03d453e710f3b0305b35c069bcf6550888be2c3df879622f7c091605c2b473384e4aabf373845b643893ea03ca9a2332f7276ab52ea5e69a3206d0b29eca19fe9b561d58748f0fb5f7cde5d32ad768133a5733db27411ac56849c31c9cc9877cd771ad87db0014b011c071a8a57afcc9111fad241"}) newfstatat(0xffffffffffffff9c, &(0x7f0000004400)='./file0\x00', &(0x7f0000004440)={0x0, 0x0, 0x0, 0x0, 0x0}, 0x400) shmctl$auto_IPC_INFO(0xe, 0x3, &(0x7f00000046c0)={{0x89d, 0x0, 0xee01, 0x3, 0x0, 0x1, 0x7fff}, 0x8, 0xe40, 0x7fffffffffffffff, 0x5, @inferred=r7, @inferred=r11, 0x6, 0x0, &(0x7f00000044c0)="ab561aab77c583ce985b9783d96b5e4e3824cb3026da2efee0101d24cc3c6b58c7966f226c27699f3dc15a3304862622efda37f57e5797f736c482b334c0db1039382a78928d4708282c72dc714025c2cca6fef30b64fb050ee5845b1253799b15940b967116839e0075330da8af7ee9a5b52c5768fbf02f315471e6d7ac7780eedcf56dab90441764c1053f95a9e94feec9ea2b6820f3be40e34dcfbfe71b03378a751c0e0fd04fcda924050048f51708503500609235cc75d299eed66d2ac9583e91dd31b9cfe3af5c2489c204014b7a74549d85c8e8dbaceb6388f245c262986d6b26eadd8fcb38587b698b3c59fdf63a82c643db5aa17914bfa0", &(0x7f00000045c0)="be290174f8ce0f04911d69badae0bf37c4fa5b15fa3b1883ef707038444de4aef3a73f3383480e830ddb756243c29709eedf6974edf3be9df13637b48ed14edc03d7243bdb53fd99e2eea6025693ad0701b82ca38dd6d08cda9e31031dcc02ffa54384c4aa7d870f8b1ab9ff5c0e744cef60ad5418d5a3b9ecdf09a54a1d9b12b10ecd3bcc7bfe6ec02b568daf99a59ca92b8a9eec612f3829a08c44fd4b27611da5908b591f340e23f5ba2adb1e29e89f28f5f2514379e45462dbc30a7202bb25c19ac61489119c4a8aaea4000aac8281c3d426d8a082b7dc78f57a12a5c63562"}) fstat(r10, &(0x7f0000004740)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_IPC_INFO(0x8, 0x3, &(0x7f0000004840)={{0x8, 0x0, 0xee01, 0x0, 0x4, 0x2, 0x5}, &(0x7f00000047c0)=0x4, &(0x7f0000004800)=0x5, 0x4, 0x6, 0x0, 0x8, 0xac0, 0x3, 0x401, 0x2, @raw=0x400, @raw=0x7}) r26 = getegid() shmctl$auto_SHM_INFO(0x9, 0xe, &(0x7f0000004980)={{0x7, 0xee00, 0xffffffffffffffff, 0x1, 0x972, 0x2, 0x6}, 0x7, 0x6, 0xb9, 0x8, @inferred=r7, @raw=0x5, 0x83, 0x0, &(0x7f00000048c0)="4166dd81284669cc6529e5a0ef081d370a00722e0c7700e484177e2729e55d1fe0f7564690881382a850b3b8d6195ea5d032edc998535fc787928ab4a3b1891540d246d40daa7a5fd7db2bd6c99b3f2a7e514d0069f2bfb485d9e08e67c46824c2e704ffa0431e1c20432972adef084921d4", &(0x7f0000004940)="3c673d0f3bdbe20483bd0ef8f8a2c865bb817c75a3555f98dadf18fb4d805bd339d5717defd470ce"}) msgctl$auto_MSG_INFO(0xff, 0xc, &(0x7f0000004a80)={{0x80000001, 0x0, 0x0, 0x8b, 0x4000000, 0xe206, 0x366d}, &(0x7f0000004a00)=0x5, &(0x7f0000004a40)=0x7, 0xb5, 0x5a, 0x4, 0x7fffffff, 0x2, 0x4d49, 0x0, 0x2, @inferred=r9, @inferred=r11}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000004b00)={0x0, 0x0}, &(0x7f0000004b40)=0xc) msgctl$auto_MSG_STAT(0x9, 0xb, &(0x7f0000004c00)={{0x9, 0x0, 0xffffffffffffffff, 0x0, 0x1, 0x5, 0x3}, &(0x7f0000004b80)=0x9, &(0x7f0000004bc0)=0x10, 0x93e, 0xb4, 0x7fffffffffffffff, 0x2, 0x8, 0x8, 0x77, 0x10, @raw=0xa711, @raw=0xd}) getresuid(&(0x7f0000004c80), &(0x7f0000004cc0)=0x0, &(0x7f0000004d00)) statx(0xffffffffffffffff, &(0x7f0000004d40)='./file0\x00', 0x800, 0x4, &(0x7f0000004d80)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) msgctl$auto_MSG_STAT_ANY(0x9, 0xd, &(0x7f0000004f00)={{0x8, 0x0, 0xee01, 0x6, 0x1000, 0x3ff, 0x2}, &(0x7f0000004e80)=0x7, &(0x7f0000004ec0)=0x95, 0x3, 0x3, 0x6, 0x8001, 0x7f, 0x5, 0x3, 0xc, @inferred=r7, @raw=0x9}) shmctl$auto_IPC_INFO(0x7, 0x3, &(0x7f0000005040)={{0x1, 0x0, 0xee00, 0x2, 0x8, 0xfffffff8, 0x2}, 0x2, 0x6, 0xb, 0x100000001, @inferred=r11, @raw=0xc, 0x8, 0x0, &(0x7f0000004f80), &(0x7f0000004fc0)="4f525e340cd5a86e0881814810a2a91a15b1d5d14f4a79d14dde318eefbdd8e8e728d413187ede4fd069fc173d33f251936658b970959cdd1a15bcc3c26ad76b38a5be0c00532ac5254d632a2d800357de96e6f2f7841688314922a5eb1530e0b7352ca60639db7697142de2aa07c7c6a7"}) shmctl$auto_IPC_RMID(0x9, 0x0, &(0x7f00000051c0)={{0x20000000, 0xffffffffffffffff, 0x0, 0x60000000, 0x5, 0xb, 0x4}, 0x7, 0x68b, 0x19, 0xfffffffffffffff8, @raw, @inferred=r9, 0xc90, 0x0, &(0x7f00000050c0)="390ceb0f410c002527eb3b46b10c24497104200a43cdd523e8a72786cf59380bde524cb59556d5b256cae07e343b52beb18b62eab07c445eefcb35dabf186ef840417c408f79b74aa6ed333f9462acfc1db146b667a8962992f20af86d7c20385025a74f9071c79844536cb7ac8f8865fed4a57d022beaf618bdcc6509c5be81037e584abb6ea9b8cf0d2e175fcbfe9bda3668d75268cb8605fec3ba1bb1e6c276a14929c3460e1693458f22612352db6a3efa4d7c7483d2", &(0x7f0000005180)="358f28870becbb"}) newfstatat$auto(0xffffffffffffffff, &(0x7f0000005240)='./file1\x00', &(0x7f0000005280)={0x4, 0x4, 0x100000001, 0xc49, 0x0, 0xee01, 0x0, 0x101, 0x8000000000000001, 0xfffffffffffffff8, 0x7, 0x0, 0x8, 0x8001, 0x5, 0x8, 0x9}, 0x6) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005340)={0x0, 0x0}, &(0x7f0000005380)=0xc) msgctl$auto(0x10000, 0x1, &(0x7f0000005440)={{0x9, 0xffffffffffffffff, 0x0, 0x1, 0x0, 0xabc2, 0x100}, &(0x7f00000053c0)=0xe, &(0x7f0000005400)=0x7, 0x8, 0xa2, 0xf3, 0x4, 0x6, 0x5, 0xd7c4, 0x80, @inferred=r9, @inferred=r7}) lstat(&(0x7f0000005b40)='./file0\x00', &(0x7f0000005b80)={0x0, 0x0, 0x0, 0x0, 0x0}) statx(0xffffffffffffff9c, &(0x7f0000005c00)='./file0\x00', 0x100, 0x100, &(0x7f0000005c40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005e40)={0x0, 0x0, 0x0}, &(0x7f0000005e80)=0xc) syz_fuse_handle_req(r12, &(0x7f0000000780)="68f4b9c022245b560b419427c3c56dc4ee17cd422ac481d8d2dc27c0c24adf782096477e5b7a147733cca0eed7ced0abb03ecfa0f83e914228ec4e019a38468e2e4ee4edbda02353ee9a4c106339d7b118a30e93e6de4552288afe032af1f897ef39ce140cb1d452644133199f16653b9215c37f78f192752d031c6428d735621149de6243a0ab6fc46528b0a0e2d64e65ecd9e13409abd5e73039dd00e08805e51adf3a8599d99d69f23775044d3840234f1db089fb0987d645ec25f4ad3eeeb9604d1f2ab69fc3bf8315bf2e7b91886d2a6f5071b66fe5048b6b654412900507340dd1add27448ea31685b4e867c68c9b551df246b90d0d0fd9af8dfc647fce7c377aa364862ff0243ffd04747b945baa37d755c236092b3ac7aacf612a40326de09063212aee86e163aaafffd8adee4b515465cc919c1513dc7c9678ee6483fc3fc68b884a9cc604f362386feeb1a7efbd41d42627f06fbf6cf913acaee584da6050cd6f49ab96ede69216b0aca3499947b02f1b623245d4cc5dfb5bc7c28c4f77733c3330d49bb25ce9b47978b576c20e1c4d8b6ee1ddb2c80eb99a3536968aaf2f01ba3142d6d7139f47ad871327d9eb2fc364bb42cb60a572c71d1a13f94056c727ad80dbc0b3803d3ed007cdfbdc6f986845b239671233ebe9c973bcd8653c3732e52516409020f4bd05164909329cf8b09d57bc49fdfc9c96ee78b92bdc6e865b56195bf2987b6b4adff6196f37ffd8de510800b328ed7bf86ae6d4fb1d8e83d1c8cc93c127dfb6589d7e61ad8559c8700741988a06c4b3a03ee3e9569f795d7f1433cdb520eb451c351c23013c8b6007d147d24dd1d52fa5b0e40540f38bcf7419eb98a47901e9357a78edc701ae82fd058cd6d96969f2c6b4b82eacae112d67d062d56f0fe3b9cae85672c679497707254763535092769d38d26b9a6510d9f64fb09dcb7283de42570546b0c763ed8cf60f53db86b7563e5726f616c4bb2beae0a9e186eea24f642d70d34545784e4630d4e3ac0289c2caa22628e299b293d2730cae7fb99d4dea073e5a0ba5f34f77dd928389543e00f2b595649ab73645425e273e4b6d754cd17a627aee1da767160bfe86b0416adaa61ebee1bf7409f284485d43f8f484d053a1736da79212859f48b71cec77ee23f771adced4fe526495975bd04ba08c799c07f57084abbd6ba4281140dd8ec0693180a4daaf48b72ed48df137f68dded9a411454faf88dad181aa2306c36c13c15a5fcaab5bb79201b417f403c83d0419e29f62a66a0e0276f9f96c87f94b7c8a32b94cea7ef64fc4ff41b21d6846c2dad67bfa8a4b57a6e5001e40205d386ba77ae13c9a112128315cd6a1a641b228de06eb0a709f5e74da475d22ffc6533c9d9b2be00d22bcc8b4718705609608ec3e4c43579cfae0b6002f3154da6147b856d82f3dc4d4bac4f509b910796aace375ae79c8bd3e75d709aa0d90e29ef0e03c69fb8e5bcb34e4cf14a6e7cf4a408e99aabddcaabe1f0c72383671b4563cd06ea9c75e5bc2e3c9556ac45f07bd0d6c9b391dbaa70171e71301fd5395de383d135814c1214ce33208c1bd8403e948fa0b39379a14029f11958fec9eb460e3f9c7349af6306d2e0cac9a4e4de43e93127c6ec8b17820a5700218f5b08e0a8ce0a448d688c945d36b719b2dc711a8d48098bf4edc5e26fa5647a647240fff4d76688bca713b8dd7172afefba6e4a95f11a111e3cf039bbfa41536d9ad7b0fbbb4ff82cf19a72eb07bdcaaba2291ffaa0d0775f1aeb6866c23cfd9c8ea68c1387f89772eaef2020bcaac5fefdf104ce5160aaddd65fe9c489851fb090cebf0220321dcc57fdf71e9a1c1ea53ff17d131304469eaded3a143833afff98a93c1c413494bc0d6cf3470b2eee534d4f17de37aca75d82169f1b63341230d47e85beb0e6f50ce72556e37b73961292b9f0343851e9dca9fbf4ee45a5814b04444454413a019f82949881c81a5dddd2097a8e5c45d68b808adc27fa3abe5516b2a5c1cc719ee0c979666831a15a964d5fc2e87068cbc4e470d64f34f0fa9ac7e94a0693dc21964297b96de293ad5a77f2a8dce271a89d10a10b458a8a8c521f27a50cd206bf0ec9f2abb3dc1682d3add75b813c5979ef56583b5212775d617322bdd7c344fb0c2dc1dbcc63123119bd652af941355f561b8fa49b8e0caba90002c48b88c80ebea67771fb479f5289caf5eae18f01a0cd7460f3de6c3f92f1d43b56b0ddedb7059e7f18069f804b2056a20acbdf25f8ca36dc1affa80e2203a0f3639263a42e9b3ad0614c6bb3cfa4376b2854f60bcd9297bb0cb45416136f21bca9fe38fef0a1c265ae423b36eff0c7f9e84d3edce5df6a2e768949ec9dc4f9186c489546e24c713db919bd51e6044592837c8b7f037a8b3a9084d961c02fd0aa4245baa5e917d7f93f096fc00cd3da057edaa7476f9a3883c1ab863a917746bd00e87855bb58001674ec10542e70306310d73399f34a254cfd03b4fda6dedc8d7f2a8c81e6e17beab6710a2c2a39d38daf05e04e38e9d10f308131de76a359bd59015fc9f10769d36c160d3efb66174a97b6a599e74baedf336c3d9b0ced617bf0a530882d9168e64bfb9c36ea351af436f780544cd1f006e5db439d1cd9c6e2b591c37698e3b956fdd6a96d0c1ff5a5c2b4f20e8204fa2394ebd18b636072f76d498713d7258f8fdaa7d173bb52619ecfbd037e9d9e8efd79e776ea36889904152981d398f34b5e7582b7373feb1310f6a3f43da3656211581c4dcf82bb82cb513462808cea9fe21d0cf8707453e9c1de7a96a3829212cbe885aff10c11171f5abf14a8e6f22fd0048ac5e4186380c14c5c2d4fe13be2dd3e6f26cfa94522d625dc49d179bcc48cb42ea40e94f33d9e76ef925746cb525139ea6205c6f1221d9342e202e57b818a7d1214de38ee9502993b73086602a97519f6a099901b8dbd576abd64a8b13d5a930f82c06fb9c5bcfc2dffa97783eaa3385e72f9985d57d7ccf93b7c607992cbd249ed74b6da3ff1dcf6c723ccb3725ef18be354160d21b9314a7d01cc297c6b1fdc8a24142e555dd8fd4a28e04c85836e46e66364908eb84facaabb833b1da7031967c10b8c2aa3cff44f7a9dcfd0665d1e90d93be0df77a25a4823d8dd35c35dc4cf1c73ba26ab20473f301223a6ac9672220be0950f92bf1679874544f8c10e23bc9ee1d40a006c989bf9885020a65a4e7663a8117bec09e2a2109c52789bf7fbc00cd3efd7a652b15c4c4c05f654118e90643e649d7fe431957b6f1dc5925ba9ab6fd8a1f6a0f83a8a519c1dfe4236034ca5567eac95ea12912e6067181d61294bcf09c17f9d948a03b0afcdfd3a5d470d289e4b4744e688aee68bf26da015438a9c336bea06ddad4874653289c34c032764180f9798f33cc0b82b3687df74fecadeba2e58b970d6e4654d7b09b0d85c78961276a94503098577ba4932d17e0a7dd1987e85c4afcf01f68d7442038246b6849bd16fe035936be75e5626cd3d068b9df93085a12b9569cb27d301caaf2f4f337ce6b194f4a85a1755a2b3805367e5de5e4134df4fc3941625d44171a9840ef2267ad81f2aee6c34ecd3ae96281285b54fbc217290fe1f4675fe64d1b844cb43c755ba29dab531e837ece7146009fe04b727257bfa7ad4180e82e9ad170a9ab781efc150600ce37043ccee03ccfbe76509d63ff8f21862736a4345578c87f8f4142c97a47add5c7d6d7359b2690155a11cdbe9be3479e0f4b2dd44a68a7848518d55897e49bfaf2eefe6bc06d560e25f52ad1231d4664427bad4aba0d615985afa47ebaf242d3b8c168ad59cc05a1ce750d732a67203b3fcfaa4ed6b2ff004152eef5652beea4c6270203f154c70bb6c5fdac24bd7fcb6389bd1b51759205ba1aa1beab6eca99736f4a43f21a639536461d2438a913ed03b63db2621c63acb496eecf9838bfa7f1852437b458b1046197e511ea81479690904bc3a0bb4b9ecc0962e33c4cdd921f824abc2c19588613efdee01db701ae5440cdd987d868314df9ac7bae59274021a5d0643f8d1d3a97b8c8bf02ee9fc056cc164724851435f907685c349db9429fec6e2df3c534d94cce4ecd2ea55d72aa88264c86a40fa669306b95bcdefcaf54f117770a04f35e721f284f681b9d3114c4bed29f209220638defe43fc436695a58ed3f20dc921e4a21c79e5803927deeb5a14c532e3cd83ba32981c192e20e93eef674402afba8d378119f634ff065fb294f9e38c1974d4d37cf673b58797b5e26e22b0291623ff15d002d55a8dd00fe4b1fd54177d1fd065da0b17479316b58a8495aca42c440b63c8f4b1a9538df10c8c9546fd8c4195e1eaed31543b8061c8602a8977123f56e5f11cd05f5a36a448cc257571f0e5bbde25ae82f583cb313ae7bf5dece56b617321cfa60aa9278a28ee9f78ec7ddfc5d0f665ab1a1d5531f2406ffa9b5ad6f9ae4c98f85447fbdb9efc2ab398801e905c229e16ad9f87bf61956a7829733fff1dbb2c355548c4e303d1fb2587abeaed6911b3d5578d9d4355193af1f6eef1870f0f1df73615a5d9ffe9d42b7f94c215f9ceb41d605e95a54b5fb3c62f34396f9f951c5650920f159c1c330ecf7bf70b1b8d0a973ff4af344e9950ffb9edfcd326818e28471cccbf70b71ac2863eaf7ef95dbcb2f988c85c266f869914719906213c0db18a4a4712b02f7201dc95305a3a531f466f949fef612cccaa936d47aef4bbad390850f2b8fd991542e3986de10000dbd2bc09f16c99ed0b461cab444a1db069381434540795150de12427b1b5d0601a523204283fdd6b69e403fdc3f94421140dbf94865f35af7a7bae5547978fdd805cc52d68f4ff49beec4920e25d8e4a237a86c785cccc3f2ee7ffac881e99e57612c8c94bde400915f3f75b546579f401e2be54930904b98c8242394d81fe94d267d3ca3ea3a0e1c9107ecc298efae6a19e7337883e27af271e06299acc7559f0ea461b875e27138cd35e046319fe9f838c511305fc803cc24309dbf335b225c58b6caeb2724e44a9278ca823519a72433ceb2166b4b73a35b97de2f55438b95826e0ab348501187375b0962367db5349534676f352835a1059c307421b2beb2e63c0a006d5271f493e59069882b103d536608d18d61e974222c43b7ca92529c8b0cc2ae9df8c2bc2b20d6833147ec411c4a5bff534cc72b267714592a4e43252684940f54ebf5f39f28deeab2c89abaddfb6fcd2b1c025bf30dc2edbc0823ccd19fe52f9c0b38c9c1acd6b0efc3f688b80bbef5473cddf820270d721245cdfa01bff1485864974b428dd1933fbce968d27aecea5dda0ca9561919d5d85b098fc4f3efbf7ead3912851924628b888a28e46320afe8a302239147f48f2cc2ab274db1aee565b15ba2db832fa630344d01cfba11287b25c226f28bc4ebe1d204e90a39a81c6b2136b0164edb65194ea5510a9b9efc0d0a2352642f0a8a23ef4e6eb8948f5ab42ebd45ac946bfdb689cba13767f8d5f778c42e2d07d088491e06db5cfbe29ea3f45a43157945d419de632db52fa133d990efe2c9e473ec36d689d0b815845af5761981d46d5b9f3865f916b5bb93cf8f2e8d4a11c8afacfac2c647e6ae9a8696c9ecb6bdbdb2179f971eb75e14d52598ed6c16ec1427e21df5c5abbbd85e42f32df37c485ff33d0654571ec60af8674ba35c3ef627d24b1c2d84ff2525416c2a4265fb6de8173faeccfd3138316c4c7c329017928fe1b64c29dfeb4570f7de93f944615316fd3ae6cc12b94332fadf75b15a13d6ff27f7c61981737efc6dfb528942532eef5e5dcb803c1ed04da23bfee623a89088d8783c7edda3f56c5404ee7e42f09854753c1a0dd78723c9c4ef12c7ead1863a53af48d8d61457f2432ffaebb356a6e78a1591f0424aaa1f025dda17a7b5eae3989b27a573f59bbfe2f993fb18273dc356aa59ec1b2f151f84b9733b271f1e04d17d41e728ef52cfbc0111f123213fb22237d81b0029bdff7017f8703e1ee301758ca9e22399c420b3631e5b998737c2a75939fa46d1e617d7b19fba4919e35ca92d8b59798da36a0a5d4341a6eb57d5129513a6e862ea94f27c783c9e68f930d5d337c289ded11d510847a50c61c47940c17a32b287f704664f1b61e1648850891f80a4b61479348b43440d0c9c91b89257a4af7253ee5be6bbd56f22986c38b536b8d5000102cffd10d93808b8b1c4eb53f0c697c217161c4cb7e091d4388ce3a20eb5351538c2af3a906e6ac664a5d083e395eaa5de791ace45bd02b5e26bd36be796e95c74422b7d8f00c7bdf4b648a1e9ccf68e912abbfff3c74d8c56385d7a89a84ad3c3946a38e82080c3b38a0298070d8850475b95b379d62f5029103a7b45def66d25a08e241c42c3438828e59f5b1d1fd8c975649d03fe3e536babaede3fc3cafef77a72cd27b94c1d774efbe19374702f393729898bd09bc8a407720d67e9fedf01852b893664e35c26bb48656a5689e7e3a632e9e5a3bbe875ec6b5eb73fee6e605547596d0ede39c48b9d9f63d7b38c1f619bc6f6903c02c47403ae8539aea7893fb8110e4b5a9070836853f3a61648327f0c6953794fab38937b278dc0a1ed331ef4a0360c41f4fb35b7ca6e117e785833a224fbea8241c59c9d96ad650959a23c747d47881021a530c9aeec13b5b99a268e2a63a2b96846cd3e8520c770fbeaf52f9a6e36b7d5e0db746788613f6ead88738d00c30206fe07295b70ed21e0528a7b909f3d2cc647b335dc7b9829907c380e583bb408ae2710b40d44df12ab98ac6f08882c257c26b25608ba5af2e00e7c33e6084ec86a2258cc3dc8bc63c2eef5483b8aaef1cb7ad63f4a286803acce81ad14097473c65d9c37f2578de04e18a71951458f2ae3ab1d45a548fe11d4764806e713b628c1967da918e8ed6556e619beef08ad8b93d7d70917457d9c894c7bbc304daca443d14656a0268d74e7658377441e5fdb14148964f56a3058a8e1a95e10022770da557445387f2425e7bcd386e621f88713fa57f442462fc8f7a588f849ec7a108c6a5a777283fc24c879874767526c5b6b2d22212f4bb8898811f731e78b001ae052c47d832cbd8678314cc313fb6b9966bcde9b1ce15b92f0597d58b15d91e31f221b2f1d6354e49de2a7a58d58f361fd647fc29dca3b5da3c6449c52cfc5b87bb4843cefb1052eb68478b51c1689128be434f0d34b511cbb1e84b8b211a9ff1aeba55185291ed5395d4ca5b966dcb7fbff432b931f6766a9b37d341d5f83d2969f49fb857913fd094ee9153e905fd3a000825f4c9d591cae9e1fa33abf94663fab49e460f1344cae1e6804f2a53108cb0f29bbc0f6a075688d987d6cf7ca3851008fd82c35589ec90e3902cb1ed0513555e303b91022a0454948aa7d866dfb4b97fdf6798be4c742276d99f685370a910fc2be7b289a44573785e09ad0a207940ea859befffd95cc97069777e3dd0506261a8edb94ab25deabd371bf0e8dbd5f035a753871faa5352cddfa90496dc3985ffbca1b31290e7eb460c20920126bb8ca9304e3553b3748a8f5df0a8977ab994728fbb540e073cc3f0805b5df288000831d8061c06d416f458a2547ff4e6036de1181cd1d42af41615ba4e16d6f7aef1cb34060722212ff561275bc4974f00948f542a5e06bf40b8572df1d8d68ba0608dcb027f8f11c0b93e65b2de9a16fe115ea940cd904e11b2fbb7c0e6729076657372c134ee6fe8e0fa6f9c2ec12bde36e4625212a472d1501051016814791e7a2fefbfca68589865f0837a32b1201c32291054bf7187e03cde3add7a3398aebe76672e4f8ad81a9eabec9fefabbb62c1d73adc3ef58a68775f516a99f54a75a7a7b530dffca82d2b222c993b785a1a7b6f7accb584ae25abe1517d70a69fa2df2c77e4e0755e187f60bc824658b8d88dafbc240abeec3493fdadd6a1a94680e5db4bc1862c758a519021c0121789f4cdf1e2a71cd536daaec9e4b72e9e25d9251fd3ee511f1e081f906d90dd4df5cef6edf411aabcfd5d933e2653581f1f0a49d85d503ab0f1288743a8ef5969fe4ae3af9affb7905ac3a904ca86cd7e8cc5b96677fbd2bbe3e3e67d564e2db1f14f6a982da3b7ab590a1fb43c44956ceb95d2d59db9e3517506c0e1643a07664f7a279f23b9945c32427960242e7478141ad1d1701f68033b69c7bd2d64318bbf48a05a32779956e161f42682bc1c9330cb6abf5afd31c8e11a4b078b03579e099fd3d8e347330a01fdc2b5ca05001a2d139a5bd7128a02f9d19b8581bad0e14faf9f0a132a6d85bbd291de696a8c67d2f8c3134aac24e41bb5a4fd742c1371f9a8e18ec9050b398a604888ab12a8edec792974456ac6c62989a78d72e84e0bd7aad9e1c08601e2070a4f2bb1009104088278263c2a645d3187edf12fcfebd3d8b37dd893b25e41edb518089e06e1e26a077bbcb6b7068ca74e1c4b59497ab481faa7d18349d0fdaff9f8a0cb6c242560e31a9f9e34c6d8da4e6b471000dce46d80252700fbbfa3922d5deed33d109206af07f3a2a348a61cec80df1302c98b7625797a113eb0b714ee647f7d13d6c10225bc121b6666083fc15b63c2b07e487167b0cd116ca2a399322b9c08f418d1bd83cfc397adaf8ba267ed4630fcb62037603caaaf968312e335afd663fced69900e25073963b5459f597d7e7e581647c994d0fdef88a1ae4c9214f6680e215ee6a15097bea901b467b5827522e68b020768e8a340faee75ecd46af90ae38eedadb6d751c5a1fc5ffb866a0cadf85949dd9631344a46e95091c5859ac7d0783153be8fc89a1adfd4cc3f453ac8b11d6bd637f95e63d28c3c665517000288e7a08ea71a7ac0d569ee05cf8a6631a9ba1af456d00fb049f1c3366e8d929b6820fbefb65883773bacb1cb1a7105dd2ca60edde95fa2f35a34a369c5f04b65e08156502f8cf176e4f9939afb6bbacdabc5c8116dbde9b6d212bf125f7697a8571d69de443d4d86f4be17a959148fd6105a674ce523f37c2c09e1ce1cc71274a475ca3b0931adca1899bf7baaf2dc3a9488adb13068577ed2ba96a7937fff3a9aeb461234532afb215083c89799a0fac0ad2afeba7a33def1b302b12a6a4d7a2201b915a2c3bfb5cbfce746885aecb3dbc4de9c4dc1ea7c3326b7318c65d3763a5f2b42a0a97be06e2a040636c2fac7db4272d9354d59cda5546a3415c8f04c709e0ae4ffac3ec82999b5c50ee28ae85193be4a6888db01c1b770f854fa3b66c2adc29c6c7c0d3a15a7224b235fbc61863bf9af6d8eeb35d67d9966e3220f0bbf0e101558a61559f9e6dbf286114a94e0950350f7010f3a46e1a98c939b3727f1d125ab2c0c5c1d7cabec0d7ea68697843c8ae9036c3d48469850440748e7cce6a2601654d8c597c5d226cd4ffbda153e2fecf0b58343eb7acfaeaee02970f011568ad26e4383bee5daf95802f742b0b8e35dadc20164979dc4eab6f333a29412916baecd7d11e18d7d566a9f709a4931433919514c735639dedf1df65ebde8a14555ecc254fa4e3179c611af0ae32c8c8129c0139e9904821c76971b2d2b08e839281429cc0b02cf5abc1fb78aead7d772a672cda2ec38b69f858a3007ed6d773e417521b94e7cfd21b3f76361a833bf0c8a58cda1c753236538e7d1be278cdab78fb73f36280615aa49d8ab1deac1292be4480fb609e7e6364c300a8613d37c8024aa6a72c1e4a334e77817f9cde0e10cc57b7c3bbca50f40e15b9a1042efb7802c404186e479f5f7636ab50d261473f5804a75f6cb1fcb693cecbe9a61bb9695801c7ca6f927e40e6aa91a9af71cb5d967f79057f955d0a4ed58ce999f9acd21c1a1ea10885956b46e44ca830ab2ee7add50d2c1fa3dea6f4c7331b1e53fbefc7e424aff178ceff95a8910d39952704ef7855419d3cc08c7205990af447e18d3945d133e99ba5506e50e31bb28ebb51337e38e5dabfdb6d20be68a04050dd9918748368d58b8349ee60de41dbbc83255db8e360c3581a3b5523f5c36d7e293eb4e2b014982367e286c6faacc8503cf4d91c4049804ce5a7fde5fa19c6a5b5f330fe3f44d7f33809bfc5b13956f64663acb8c324673829c132d3c73525f8f8ea3a832f88975d14c318c05bb5672c82bb02f9acf2dbcbaf68e5e478dc519e522840bd8f08b50c506a75bc2fd092e415199e5771d8ce03f088e9bfd4551c2e8eedb859303ed757601bdb16bff543123d7570ac50d2858cff2a7f9758cb24ff0554f9131299758c010113d9b6f0bc7246fabec33c58dea925b9ea73ab381c4aaa8fb2165c9d7d8b8a701202250d360fc617580565e78d5367e3fbcd841d4503a7c20c20560a03e397b0d3cab57254d365112aad995a9e3919614bcdc6ca2055d0d87429ee3305a67fa69c6024a3f636464bcab62c99a4d0453f5bf879cd5d46e3cf761bb91109bd328169f95e98b7442cd05a5dd86e18536d205262c620002e7a3a8afed4681c271a34f0b909d1c861f9c18fc76d3bfdd993785185dc3e2e34d7fba686ed0f733d16540670a657786421007cc1a8ff97236fb53d8664911dcaac2754350eade708374ef06b2f61232a3f5b45701cfc09284b6e3184c7c4143e9a304984c4bf1a14ec75511af82b2c6c3e6d5990728f4b724294dfefc35d1c75db9efc769dabfb5cfa0c548c2d5aa9e798410f2b2bdc32da95c945aeebbf06e2d1e22176b66e7d22bebed83875b4c863eb55a7194c75bde29a8c7816e5c3c650c32cf54f5d9ac35d38bf19ecdb005f476ab050d96b7b7fc622f1ac357b28fbd7c38f81abfa06355a30b3803f042c4c08a8274daf0183c0e52a634fd299aee994dd3554edb6adf99bad5b9130b491ec9353c7f36e5fa7c026627f68f67c775fe190aeb43febf56f55bc1a4f5c22948e5b29a117f6d06d4c68e51449f08a6d0d2e67520ebc0670e2df3d2f7aeebfbb87643e58d0176965d600d97a22c7a0556a2c0479de64f8b4492dfb542e8d3a3ef096f99d39e677a07ac97dc259d9f759b98e947f1ae8a9278b9bdcb8510fb06641218f79f67e4f5baffbe5d3cc38e1498938c5509a3f69f32392f660e005943ed14458529e82593bfb6c4d3e463103aab3cdc8d468c9a2c201bee3ae663f0792460d4b71e031a83c33f9172332b514f74b09c72cd6ad76e906fa4644f3c142b128c1ff2b84e79377599d4e2c71145c492ff3dab44793b905675895fe3df544fe725ea5f7d2fe3854d7030ce91957fad4f7bd7bd7f1d1a1654e3fcd0edf9daa72bd962d6b64d0d990d5a4850802b9297feb622aafccc107ea2a8eea4f0da89941b12a0ec1bfd72a2ed44fff9f82411ecfe9f19eb957b48f859ce045da233c9968b763ed94413ba0f68ddca65cea0abb6873c892902416f5eadd911d8442f0316fbdea9f1140b3e8305afb510a3ec590ce20fd58d3bf051c2663e74ae64eeb9a1463c8841ac0b72b732b7ef127f5a7d9a87d6b8491e753317350d7d1ae593e6c2006f23b2274db58ee344453c38e299c141821ac47e88ddd93893df56baf501fcedee34ac657f279a9c39cc38", 0x2000, &(0x7f0000006000)={&(0x7f0000002780)={0x50, 0x0, 0xf48, {0x7, 0x2d, 0xfffffff7, 0x10820000, 0x9, 0xa42, 0x7e, 0x1, 0x0, 0x0, 0x2}}, &(0x7f0000002800)={0x18, 0x0, 0x200, {0x5}}, &(0x7f0000002840)={0x18, 0x0, 0x3ff, {0x1}}, &(0x7f0000002880)={0x18, 0xffffffffffffffda, 0x7, {0xc6a}}, &(0x7f00000028c0)={0x18, 0x0, 0x3}, &(0x7f0000002980)={0x28, 0x0, 0xfffffffffffffff8, {{0x1ff, 0x6, 0x2, r13}}}, &(0x7f00000029c0)={0x60, 0x0, 0xf, {{0x0, 0x4, 0xb0e, 0x1, 0x6, 0x7, 0x40b4, 0x2594}}}, &(0x7f0000002a40)={0x18, 0x0, 0x75aeeeb5, {0xc}}, &(0x7f0000002a80)={0x11, 0x0, 0xc0000000000, {'\x00'}}, &(0x7f0000002ac0)={0x20, 0x0, 0x4, {0x0, 0x5}}, &(0x7f0000002e40)={0x78, 0x0, 0x6, {0x8, 0x8, 0x0, {0x0, 0xa2, 0x101, 0x279, 0x6, 0x4, 0x6, 0x6, 0x580, 0x8000, 0x8, r14, r15, 0x2, 0x2}}}, &(0x7f0000003040)={0x90, 0x0, 0x4, {0x4, 0x3, 0x1, 0x9, 0x0, 0x0, {0x6, 0xf84, 0xffff, 0x9, 0x6, 0x7, 0x4f, 0x8e, 0x8, 0xa000, 0x401, r17, r18, 0x0, 0x3674}}}, &(0x7f0000003100)={0x88, 0xffffffffffffffda, 0x7fffffffffffffff, [{0x3, 0x7, 0x1, 0x4, '\x00'}, {0x1, 0x5, 0x1, 0xfffffffc, '\x00'}, {0x6, 0x5, 0x0, 0x98}, {0x0, 0x8, 0x1, 0x1000, '['}]}, &(0x7f00000054c0)={0x648, 0x0, 0x1, [{{0x0, 0x3, 0x9, 0x5, 0xa, 0x2, {0x1, 0x9, 0x1, 0x7fff, 0x4, 0x1, 0x6, 0x7, 0x3, 0xc000, 0x3, r19, r20, 0x71a5, 0x5}}, {0x3, 0x911, 0x9, 0x7, '(--]!}}.:'}}, {{0x5, 0x1, 0x2, 0xffffffffffffffff, 0x8, 0x1, {0x5, 0x10, 0xf91, 0x7, 0x0, 0x7, 0x4, 0x4a, 0x6, 0x6000, 0x9, r21, r22, 0x6, 0x5}}, {0x0, 0x2, 0x0, 0x401}}, {{0x0, 0x3, 0x0, 0x401, 0x4, 0x3ff, {0x1, 0x1, 0xbc, 0x7, 0x8, 0x7, 0xffff, 0x6, 0x7f, 0x8000, 0x1, 0xee01, r23, 0x233d, 0x4}}, {0x3, 0x6, 0x5, 0x7, 'syz0\x00'}}, {{0x2, 0x2, 0x7, 0x80, 0x4, 0xdb, {0x3, 0x3, 0x7fff, 0x9, 0x0, 0xa8, 0x1000, 0x1f3, 0xfff0, 0x6000, 0x4, r24, r26, 0xccb2, 0x9}}, {0x6, 0x2, 0x6, 0x7, '\x01\x01\x01\x01\x01\x01'}}, {{0x4, 0x1, 0x100000000, 0x5, 0x0, 0x6, {0x1, 0x401, 0x1, 0x2, 0xf, 0x5, 0x100, 0x3, 0x0, 0x2000, 0x0, r27, r28, 0x7, 0x8}}, {0x4, 0x3, 0x6, 0xffff, '\x01\x01\x01\x01\x01\x01'}}, {{0x6, 0x2, 0x6, 0x9, 0x2, 0x2, {0x1, 0xb51, 0x7fffffff, 0x5, 0x8b89, 0x2800, 0x800, 0x6, 0x4, 0x8000, 0x3, r29, r30, 0x80, 0x3}}, {0x0, 0x6, 0x0, 0xef}}, {{0x2, 0x1, 0x5, 0xfff, 0x582, 0x15, {0x2, 0xbb, 0x7, 0x52a, 0x1, 0x5, 0x98, 0x5, 0x3, 0x5000, 0x6, r31, r32, 0x6, 0xffff}}, {0x6, 0x3ff, 0x2, 0x8, '*&'}}, {{0x2, 0x2, 0x3ff, 0x3, 0x2, 0xfffffff8, {0x3, 0x8a, 0x5, 0x8, 0x1, 0x0, 0x7fff, 0x8, 0xfffffffb, 0xc000, 0x8000, r33, r34, 0x5c5, 0x8d0d}}, {0x6, 0xd, 0x6, 0xffffffff, 'wlan1\x00'}}, {{0x6, 0x1, 0x5, 0xee, 0x8, 0x4, {0x1, 0x200, 0x80000000, 0xb81c, 0x7ff, 0x400, 0x122, 0x400, 0x689f, 0xa000, 0xfffffffc, r35, r36, 0x1000, 0x1}}, {0x4, 0x9, 0x6, 0xfffffffa, 'wlan1\x00'}}, {{0x1, 0x1, 0x6, 0x0, 0xf, 0x80000001, {0x0, 0xb8f, 0x57c, 0x8, 0x600, 0x4c44, 0xc833, 0x5, 0x3, 0xa000, 0xfffffff9, r37, r38, 0x6, 0x2}}, {0x3, 0x4, 0x6, 0x3, ':-)@\\['}}]}, &(0x7f0000005d40)={0xa0, 0x0, 0x1, {{0x2, 0x3, 0x100000000, 0x8, 0x5, 0x9, {0x2, 0x7fffffffffffffff, 0x2, 0x7f, 0x7ff, 0x4, 0x0, 0x2, 0x1, 0x2000, 0x7ff, r39, r40, 0x4, 0x8}}, {0x0, 0xd}}}, &(0x7f0000005e00)={0x20, 0x0, 0x10000, {0x9, 0x0, 0x1, 0xfffffffd}}, &(0x7f0000005ec0)={0x130, 0xfffffffffffffffe, 0x1000, {0x6, 0x3, 0x0, '\x00', {0x1, 0xc6d, 0xfffffffffffffffc, 0x8000, 0x0, r41, 0x1000, '\x00', 0x0, 0x7, 0x3, 0x4, {0xa, 0x7}, {0x1, 0x905a}, {0x8, 0x81}, {0x8, 0x2}, 0x10001, 0x7ff, 0x1, 0xffffffff}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f00000060c0), r12) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x50db, &(0x7f0000006100)={0x0, 0x45f9, 0x1000, 0x0, 0xd3, 0x0, r12}, &(0x7f0000006180)=0x0, &(0x7f00000061c0)) r43 = syz_io_uring_complete(r42) r44 = syz_io_uring_setup(0x539f, &(0x7f0000006200)={0x0, 0x25a5, 0x0, 0x2, 0x2b0, 0x0, r43}, &(0x7f0000006280), &(0x7f00000062c0)=0x0) r46 = io_uring_register$IORING_REGISTER_PERSONALITY(r44, 0x9, 0x0, 0x0) syz_io_uring_submit(r42, r45, &(0x7f0000006380)=@IORING_OP_SYMLINKAT={0x26, 0x0, 0x0, r43, &(0x7f0000006300)='./file0\x00', &(0x7f0000006340)='./file0\x00', 0x0, 0x0, 0x0, {0x0, r46}}) syz_kfuzztest_run(&(0x7f00000063c0)='SEG6\x00', &(0x7f0000006400)="8fc7c6d56396ba64559a2bfe12e1779d161166213ee3df8a88660735dadbfa0ee93d2bbf113a5d2f840414bb6a835c8b4664c16258d80aca5d75c4b0f7b9f481b32b056b2500cd38d5f745b2ca6f423c76ecb54c20df71f37e74a7c331e0867f", 0x60, &(0x7f0000006480)="26f86b73ccfe1577a8270fee84cb897698118d2edf06c754c8202386c681cc227fba179b5b9f4aa7b4574a9b1faa900d6db4338134c1988fa60dff908f1ed3f1d861e66fd378f4b75be0769db4b8875930df50ca44c3dde09f6112e7244a77991c9a813f74c0a8fb0a759dd430a1e46be99ade077227a164f6b567c0cbd3b2456c859d3295f82785295b18801aa57559a9190e85ac6205b4a0eec96417782d9a7e0afa0e3d274c00cfa118008b09a9f246051a7f0b9bce54acf1306b6463b474316fa9e8ed41cd670d09818621ed25ed037dfc6e1c5b4f196937b251d422ac00c3012556c45a9e1ee642f5cd2c2965178e24fb30c312a85f9db81cb084141203a2e5ecf64e03f1215f23ef654dd5e96b9001a8019db4e1361d0d275e4faedb83a4c6421575e98f8d7f68718a694f37796f04343f5774d6b76f3d503de622877febe827ae51a2b04b54714e4a512408a48f20e54831fa366670962cc5a6312a69baa14f4451b8abd6113fdbfec90a327b13300bc5743f171d4df0353063c8213905b5ea8e1239f6e4e5d45f8f2f7ee5209560532a091fcc584f0924ae02d756cec52f040e749a6277fbef1f9aca8df92ba05b02a0c1bcaf84b8d7b5d873815804b3c945bb81e759d3ce76cfd69432ee9c20ee168940f3ee98d1ae88247b3907a555751588528c6fbce8fd6ff9f446b331621be104fbc250882406a28594f3fec9ad498950cbef10ba41155632c1ea3551e6816f755c5538cbfd5931d9a37894faa6ed302d06b26f4cb97a986dc21111335bae909f8b399a874774ea24b66fba5d7a3d3d09369c26a026b279c62a9c6fa85f5ddca523f966e22cdaf18663a0c02f9cfa94b2474672de8e7f85b09130a8c37a47d02e4a180d73f635c5a180952db2362acb6665bee7cb74988c54daf3d58fed39371f50abc89cf1e564efae0370be817bd027a2fdd62839c6a7d9678a3087ae16fa48d1517a01d90ed743e5412615c5229b776169b8b9f956ace67a58ec419f91d1b8e3224c4f8836379aa947785a21bd20ab82677817f3ea2ea2caf193b1bf63fbc2eb574010abb261867121e1313b5d2a1e2c48c2202a3c072e8f3ee545cfc8c994ec9a44bcab7180ba95755e67c1906a5db72abc46d57ee053c6c8659878a25c4c8855cbd8836ccb6d8f6f12d434810555f9295880ca3d42164d1c864982756d001cdffcc3594362fddb3da0118d4b532aa9141ac6051b3f3e5b4c0b503045fb3166297c90ecb5ded55f6db34d89bd5d4518daa68ddb68c02ff1b80f9cb66a6a23db3b765608c4d672766273c17715e788c200f71c0e402fb513b6a8ffde67c40122d86347be658c4d0b91f4ea29fd5a4c017c288c41b40ca04e17bd3945d0e80fb7798706aa2e870fae9b91f1f7891fe4f1da063124e8c567198f670dbb75e82aca4fc0c8211899317920c058e1c371705d4dcf3c00cb4d2c136a4d828d3efeebdbdbcc7bf7df157bb0e743980f14844a7b466d12337a4815ed84117f56d719ab50a6c28ef55da35c8cce6eba0e8d2bafd9f812b4d5f265c0b442a075ef168500174ab27c876dc2d6094ce534920bc639f02c993dd8b07524e8118e8793fdc1b080e1e0181f36f4e2b7f047b23e607301e3d675360a8423a1e670a00ffb1a5ce87fb262ed01c58d779fab1589d9f374a0c001dc9c09828b000fe50ad21e53ba0a8129e223f7ffc79355d4e544fa731a0b4795b7f1c644161d7db3546f32f92ca5650eef1fc206568d367bcaf46411374dce9e44fb9e36836203842a7f2a2ea96f90ba76f81688d7746b8a4de9888b9d8a27a177f98ec9f100bcaaa76e6edc0c42c2d84fa84ad70e326e397f13a428b660559495c6d2a4c68fd49c29e229e0cd676cc895f6496a15f15c65de333d77839b13c9beb57823006d4d1f7f2d1e095016061a08be673779d7e29574dcd21934b248da6adcb98e9c5114ef92b4fd5b9fb3d334e945af586b0b9a47785017fe5a78da3d28b6960089bbab1c89bf549badfb57afaff8a3d6f1b310f945d590016f5612d7332c2a43dcda9326f498fe47f4907fbdc436df6c7f663daff7971d717e641f9cefe83f373e23e06125168af6a58134c425a3a7a519758a3100de2c8f3e447f0b9bcb87833647454518805ecf34128944f44cc075a9f9c47645a29412b66c7087d78539463deb2a138a2c504d8dbf638be8355e1a17fc92b094d16bc9280dbfea65905d56785d4a2b73c5e38c386dd9dd9a40f559b3742b658d216b49c5bf4173fab9de0ed22f81c3739aa925a14dead392e0ce12557a8e0d7861f1907aad63d6560889b4638c422f17021ad105108e155562bbce0a4c395787a1c881a61bf941461dc0f76d5890acc7cf2730a9ab1e9ccb1d133a5c158a19d7974d7f4a86f46a6485eb0896a6f6b06e35eb160187a0c453ba99ed1ae627785a87a3c581e4bd19fb9de755916877cc378b94df22fe4600b40f1e341af51427136377fdf88958aafb3028ca4600e62b40fcf88878bef7e1f89d9114fad5f25bcef274d370f51466e1fecf4b75b8dfcf4863f64f1d389553abce8500da93bf1058849f6b58d5541a7daf7a753895b0e71fc7ca986e8d1cae092897b3e3aed9141fd8d61bda060b1dd8397678bbb7f855e4b84f15b95579b86c1142b5823db9ceacfb2646b0c8ef61cc21a9bf121124367ce73dfdd23d85b37fa0e098e7d1c6c242bc2ad0315ba423db2806825ddee8623ab18196e913e48f379088d6e9cabe6fe00446aaccbc74dd52444114a7a9350946f6a19d9651a1fc29cbbd64e0783b6b8d414e20c84a610aa00d49363e2fd5b92c57e343785518a65faaf652612baff01c4e89ef57fc3b6eb64b0fa8efc5119de768ff25f9503807a29e06197d56f92b01d0fd68de8a952a0e23e16def8efbe7f3cc396963efb2d99cc16b4eb2b368d76666d574b33cd5843bea05c323baf4e427e27a45ec8d9a7abe245493eac3c6b1c54b5609ddee99b77991abcefb29f3f1957ea70a2e634b006a99ae1f72802d3df879ca068129dd503ea55780a1ad5043fbfd48b3061353d7972b3cc1bca5c1b907e8b0660a9128ea44dcf758f531fd3a872649633e0a383f63d082baf688447684a5fa46552b86de49159e5a056b8d3109892ae7f8b69006bd2056978e35b7ad6b38861c4af927f705b38020f123a8536da7125431565fb76d5cdb548277875c5bf5d9895f71965fc31fa264abf2d876bf447f339a7699068cca856bbe79dee93434e749abedba9c8d8ea79dc073076860ece6ffef7f4ee9e5a810fb541706566e9691bb4d2109ad768417fcb72a7f9f62fb45f772f93d8994591e1fb837e208489ee073ce443795aae6ee9b94d1ef06adbdd4cec7d4d091550aa5a6a3ee84c1e3095118ff42c92dff39e524d8524f75a1eec8e73f167c881fc3a6311360bea9c89b68a1895b2ed18711a074566c8ce180d1801ff327403212db90db06ce461d135d42236a49281179da493d71efde292ed3bbb39ccee3f3ef8bcb2197bf3a392d2fd0dbafe8185d2866e068a8b26b3495a8355959d0ada698e54c67f2b8e5ea10987844afd67a3bdf73de39326adac10edc8bc29c4300ceef4cf58c2e6961b87b05ef4bf00e53ec4acede2d15f38325dfd6d17d9a4deae4684af38816fbde94a9af0daf4a508aeef62fde4f2b29d033ad51da091066c768586cd77928661a9ceeecea9cf4ae67f3d5a3010ee4cad4c97047c3d9c3064cda34b0006cf18dfdf0d7ab25b3585cffdeb5367894349fd5788e1d73b507b21b66ee6a8897d74129b6dc76637b24149bb7722486c9ec0845e68c43e0552f23d5ecf5dca58b381d1d512dd6da5d0d8cdfbac3bea98b04fac0db9bbb687086b54993aa28fabbbe9e2dd7a2f9da3ddd791f2299470c6ccfe802353776e3d7ee03c0af8864289c0d6a6b731c450e40eb81baf1838f3d4199eff36c1159fbb64ee815de0c612ed5c276e05e670823e0ed232149e48ea6fbf8bb9b6a42a5ece8018015110da1656c63cda1ee5d66f21b77c244f097e86be5abbe4f4c3cbc043e05aa08f74bd28360c6b2862c2987db397ba7c68b88fad1826b00ddd9e06d2084138db5f4be5b0fbf88c3b309fd57906fc77ea3da69db4dc0e0f9f65eddbeab1432a746e586c632ccac3bf5440f20d8c1d6115f92ea06663fc157e08cb1216dd674619e301190443e01ce108d846cb6ae9a66b97fd2e477395d2724cb0e01a5a132dd1e34c468644d7989bca3e5edd368b350e248cc8f4dd20d0e14cec66ae019535a013ee53f7920cd8e92cbd0a0176d321dd447c129d97e09994beb449d6502672bb3cdcd136a4410e00d06ca537d650077f98fb8559f9fc5a19f0f3222bcc0afd11611d5b0b03eba32f5c89a12819cd019dd3d77ed0a0d1ecf01369792bf4beb2569dcd5e3505e9e90a95fe4b500b3157fe5e76a290bb5cba1749408b449777d7b75b6d77e87ffecccb859dfd0b81193677a00c29c8825b30be893e0cfd52bbcb2620c255c6364bbbe8e9f0dea6df565bc963c1464155df57d6ea396e92ae8279e7ab7ffc17f8ea6dcf4cf799bbe6284dc5573d4139e2908d69880d4484679b5e641ee30d25069c75a18fb7734b5fefe31bcd46a3dfd99ed4f024bc158a2db1acfb6d1b35527241336c4f04529e5052def1173636b09652812741e0eb1f547900809ca2366b5119c26eb79c21ffa728f46e5768c779f6f3ed1bba8c232c4041b4a0aa4b7b2105e3ef37842080c5f9a39cff3b058e11c8026bd682d3f7ee96fa090c966a2a08a17788a421e7ca6d3abcda616ec6c1325ea4e91fcbab9e06b4f9c2b5df14998ffce2cac00db9d2c95379b9fc55a447e797fbb8837faffccb8ba91a87887a12808ebf254fa45fad2ea4dee01a2f9f490410e220a0bcb5b1229729f6db3e10f97c5dc107ca9972a7123a68fee2902b2d044ea8f84b6d43c9920d1ef3ad113cee3d326ecbce096d865b80df759c0aac97e923062bdb8f5ba2249e7a54417429a9d09aad4e293116b991978ec7a61a1d71995e97cf4c37512b2ff5a67cb202304a8a90b34399ff98ac45f8fad4a87dbae9aa01239c0f2f97a67c12d50ad7aaadff0c418f9fa75a196959b7854fd92d73404851d6c53c13eace926b3f43b0ed8f0d101ea0eb88839cd57eb1c8c75d88a907b1e93b1c47586bbe1a83bd68074e300d75736ca5b98c70e36456cc696ba1646e938c46fccbb32fe5aed4509b2b09a0af5bc34b2b050d20d806988d46fe6f075ab3627bbf48b92d8b91ed67257de78dd44efe09fcb6aef805cc53ef285551e0b1a4d917d8411b24c74e9a02205a4018039cf31b647dd95a5f5aab3396a3a93b057088632d450c065ae9175c05a65e5062de24eeff15cc6e02718aea43b812ba7b0fbff2743862afa968241166631606256a83bc570c43c11d0148436bd3ff436a2d1b2e1ccba7441d03e1576ef38b7adfe04676d52bc692d2f66bf5f0c82e5e7dd89b268fb4536fa3870b5470acf462d5b2999543044066892ef54a306ae7244f9372afc83d696eac29e7c24963ffbf1468dbbba9d3d37a6b6543781bcf7005a9f46960786045afad33a61b6d13a72c8574777b7e80ec43f5df42614fc62097c2775e3f11add8f50f6ef09199dd68990ffc3aeb1fd120738ac65ec7d88444a8b022f3d719c8623cfecab626950779fb70ae87a3d7d5faedfe2ab843fe75fe980f9b98ab9ee42dc625db03c5cb1f1dbbbb943fbdb2d1a4a9350fb7f7662545a76483c0459fabcb8d8099ab81c581d90c36c8c0b7bd0dab09c1e3c12304069e431a74037bf7c4501d632a204be07d10ed809c9be6fc16293d9f9de366e36990236402f67242647768c77170c04764e1d82f0875d94fc0cb1d013b15d2fa9aba65fc245a68e17a656b968ec5620c429b31aee046b639b7c615b49524cc7ab71ee969158c67bad96b89f67e3a4e5fc67d6f11fb840907d279af0954b8f5e49a96e774d74b4ca7926bbad6511e96123d552db7d11839c7a53abe73c137c7ff1286704af9375722784cee8e0e73b6cf26c4521e339f9980a63955a155872f82466bd89efcf5846f9b05e09cc27b436ef8269df3c2d6b3b0ac04f5ccbe684ac43a26687f1e0fef066bff304b2266ed754da319e6528dbd0c3ea3d159e488d3d727628ab10fd0a908c82272485be5e17d442e91e01d8f77f9c12ebf680e5db6ef99b8166e190fc93c082c7416b6e9e90d31ca030188e1e5881ec279da425bb4885a1f6cd7ef0aea01a2607485255c8c4610a0efc08fd0b175254b827ceed23145fb86055eca1e6381e10be319a5ec83b00631fec9af8c5193716c4e8062642b067e24eb47bd1213bd6b321d2614a93992d8fd6caa1e6c9e40e808f4d9cb9b5ef1095194c12a80d0673113d6d85b83712beed19ad916a4e12b05e2a843c1869f864f2c7e56879407f9d645d6895760e4432962f15d066874055bdefbbfef33cb199f9ff90541f1f86199910464cd5002282cc32664aa092fc026ef8a0699ea4f71c9f6634cea39a7857e7b929c000b2ddb4112e32948b3b88f03b610ad00afd4677bec2e3d78c91e6c2787449a6bd418d60d5573aa9dc6b29ae0a15173debe501e42d93e96d1de719153ac531375d4214651664635a896b7e7bcbc225856585092d453bb63d40bd875d532aeac9d3ab2ae56e90691faa10a79ab1eab710d0cdffd5029a601c021deb60ada33bff122bb8ff85653f3bd9661d4888843584bf7a3c45d4ef980f4775e18b653af739f3d97919c3b008507e0ca983d46c87bfd180e384ad83aa0658e5fba968fe9168e1fd665f3be4e79da80abea73754f2b324d557eda10d7d8a84310167106a54cde7545f87ebd47da1d8bb99dac4814d59c854f14aead0e2f9bf13b980d157d887a50a966362c0496dc73ca4dbec42cf8133f9d644729a1e02ecd134384e442d328441edc9e09dff1143c79ba611d4402f2b698530c75c491ba8ccd2e9a10fc73eabc33adc16ccf91249eeaa03524f647ac49ab48a8dc275606419f801a3f048e4e47c5a4b17633c8e35c05a994849abd0a542a5c666d472fa1b3ed02962f35526ae61a11c7533b2ee3b5a9ed8884b4861bb5ab159f552e32fea79814450d0d78b4c83dc4654d1f7961a5ec735438c09e45c07393279199ca937b62ab9410607e6880d8047a49a1ea3cc711d126d5005b8aa916548aeef5fb9bee4e071c90ab63d46be03e6c46bae6453694082f65e070e82d765f5a038e725afdf2eaa1732060591db13df6497624c47d2c318ab5694f1f19e6f892b4728c2ae47d9093955d74690772b6d73876b85892c27f1280a42206e36dae7c871f11e30cae135b7582015304dec51632da7e9ada4cf41e1427965e2a3e0d9424a9a9cacc14592bd7b10652ca24fc6b9c056009ced0a3362adc053e22af3180efa3bc8201b82d20d91f0681133a27a1da17e4e6545ecdb3f7a31400cb046cfaf5fa0d0d55470d99eb983a5a4cfc0c7be58ac6d9b69f54d0776553c1055b122820a0f3854a2bc1a5f2e55dc9087eda7c3e33947b9df51dca3f916d7b387e283e104b620c1b8d2cbb5a95017e46391eaaeee2b3820dc2d69f6fe8e75b88304d7d55d7bf6d934f4a5bcee97fae8fcf029a5a8886531586203179ff2d7867460c0620f9dba32437b2c173cbe75ee57fdaa6d13e5d1cc6cee105e2b09fc1be865cd7bf112f0b68a93385c7dd72a75cebdc6bb4512cadacaa4a6b604b1e96a2298d622452766fd6725a198bac91e70790742998bb862d8519d32d48cfd435e03e7c261d7c242d2d026587890df4594cff4d4b60d0b7f90bcc293a74dc11bd2976369d667bc261b382e8eeb06b8dc04468c5c9ca971e9be8057c22902334740585a4d8933b91187936a993d505b39b96aa1c885be9944f8ae3b04640afefb1e354e537c35dd54868a09b3cff920c53855a358b693f2f17b60905a16fd0b0b7295bd873c921d15b2a1207e39cd89dbf895c958a8cdf49655a06a3831c6d2f402222e6a424252c01b5b12a3091e857ae506bb045a81b2692c5055e87c1cf5680754a0ac99cccca3b6addeb71b14694fba1fcf29382a556559f60c8a96638b5a01dbc35dfea26ac2a90975bbd8bd0a42c57e01fc6e84926e39c080d0f72dabbabddf023289c24d66a9b25ad687abd38ebb8a715b4acd5c4b6ff9c24e62bbb04e7b6fb6bc45a72c3c4972f279ebc863f169bee8c6977e516acbeb7910d0646c9b80e41fcea737451eab0413143e396760ea8f1f130de03356ff91c7cc46fea33d64ad83b0c2c187ba607a8149955573102ec1b06bf5fa84439a7266482e003a2c757f2453b75764c846eb392f1499a3afdb325d7be0e9ffb97ea7ef28f58f099a31aab74b63b705483811bbc96787a2637cefcaf14d7c890b9f6c37b69c20f63901c7899c0811a27421fe1b0a92cc34d9cc993e4e9ac404ec80e316d4b6a98922d3bef7a586b4202e9a4e9bc9782e5e7456f204690687089b1a0c0d8c5bca9590b7253f640b0c3fc5b1b4ec970db5a29a12ba8970456f941ad398c2b80290a7ef762057ec4c5cbd13d603321ecb3ae6261d3836720258720706ed18a87e9db2cd1301950a0bbee54ed2f08c12ca9a83dc158726b95a5f991e704837e7a13c7dc663d15281ead022062625e93f5d2643380c588139bece401876220e2997567045a7912b87d3b2219f7cc800524fe7dd3e7202dbc0fc294122499dae623147e1e3083580e6af9afb864de9412c7850c9c305d3723c0afcfcfef6741520d46582c199ca4346262ad10f96a82007afbce52f8fa4204030fb031ed4b25831089dd8a66e89207be1b8dab68ea0624fa2408582b79c17a0727a4a75cf0487cd904b236096845c47ab584724f72cb016abe1457a9672299ae6be756b15079d69b4021eaaeeb267233c12134ac7b14fddcd6ce0620e45499016a1c21709e38dc9825794e701e19635156d1a1b107ba9f16688e0774c15fd048e9e2d1e0f52c0833f765440bc18b9b07ca8c543d1cb1fbe9375ca3850d42d9d4e471b9100e8744cfb0d74bea8c315c7e1ea0a898a689bfaf2fa48d9049058c205241cec8bf5d9d1b7bb825d2292d182f74248ec275cb2ed9c99a8cc7228498ec6e3f0fa1814b6882a1b8d2d70898335fe92b75c7978beab754775b0834a363940aa6e6b82fdf04e07e9e95baeb3f8d89794c449090de16ccbab4db3d9cb040065e071595e7dc957dfacdbb62c6ee87a5878c283878aceee5432af9f506075a9c33564e6912fe34c37a11b4641200e32ab8832976930112f36e8dcea432c0101e841fe932edd860687568eb32105ead04437d05c65a5ac06f7e0cbeada054a9dbd1d0835281d0804bcfb19979d8b790810cd63ded2fceacd38e21067fb4688ff1f10c298db9484214f3b644159a8c179f90b5af19432074086e13492f7de36172053f11176a3111998a4c85cdb999a6481ea73efdc1708a36b3b9898e4484c2be19160b8355e435429195f0c9ec5a9335ee9e9161f025413ae6e549a86f2c241033eab2d7f88a15501e68c1d42aed109eb614aea34834f3f35e5275c5e8a73f401d8b70de6b87013b4ad8e55e959b2b49a6067be42a0aa41a7a86fe0899eabf3775477b9f79caaa253d6f4486994a69cd49445fb8fb13692091dd0aaeb62603f2eaea6064ac2621acd0e8e4b7363a7e2b9c2f88d34902d28460cd8455038a65d4b8fad9f61ed723c521b41626f364cf6f604420062d834b3e50175af09c7255fc7863978e56f659ed0578cfe196369c511325b8a4a2a72518d309d7386a339d71bbc2264d422fb89971ac935738e144b843a6f028d1f9477a2781c1471d89d2902ae0882419d9b4719c07c55b09ef9c9d3a7d43283541dd7c9f452b0e1cb62f77b797be9ff934e5021232dfc5e9cb9a42c0ec736961a8293504ac091ad9a71d72e084ed5e00d5406fbb84249ef2f0c6b364ac5de6999a50cad5d79017d32e879978a5a7fd3f828d45d34d6df690dd3a9862eb1f031b64720eac98777939fcde74643ffc7f87f003e7cf3797f5de33af8d3f2f7b0142c2f2ec61bc2681778640cc32a1c570bfde70dd421c305b439b3fed60e13342a30dbc76f01ba92c2e5e0102b5bebd33045256b550148b7d018f9d0e8f91da3a9f79f9c86ad41cf2b1b64520710c68967d030f9a71be3bf7871737e0eeb1988098128f3696305a33bbd2bd1698d6f982095235173bb10b99febe1aef7658ddb7e2c6bd4292a27779b399d19d9963fafc607756c122d35ab59a2445c03d56b101c06d3d43155b524db94b4d9f81d203ddaa8341b3818a69b2a47fef2c1a1f72bede8b0bf41935127923b5beefc9703fa3cacedce260d6917c72765466380a17a81270bd643b1cf5dd22c4ed7e7325c3078d30b490677e6c92664a8b849902d334b47bf3623a34fd709d1d83cd18affde688440e4db5570abc1ca2cff6d2be95ef7b53e8fb543024da35f2d2a524dc80bd1d5d22f9e644a23266981b5a470567a8566d82f8925ab34193057287f8fff68650b126dab15f9b533d2fe1e15ff9efa1a95f87706806134f71fcfbf0dbb8b7a767cbe7a0eabc575da88b321d6ab8ed27054490952e86b1a80c44ba83430de734be4ca3c2bb62841db05feaf4b352089da3859039cb0a0bc4e927a6019263a4032178f6beffa8b28b2efdf39146820ad5d6e20d694542d1873c87101a0ca2339c88830ca80bde901c58c042f95d0c9874f5984b7c278bd4ae2291ee1c0de6aa10ed0772df970ad2df98bd17be6af68f24bfb665b94c7089464983bd6c097650e409f4ebaee66ed3e07153d0e86966868770d90ed415456eeddaa44c38ac7aabc571f8a9bc38c236c5a7709b459043ef9c119f5bdf925dbddc2f351c7f8a4384efa86a5542202a5081854292b1b763f1495953ad8886d7d102d98dfc1483156a9f701a2cd98ca86156eaa1da5cd20f0b5ab52442e7cc83d885abb98df7cc27fbe1795c09e0a9ba03b327a9533a152d3876aea8051e96d86535c3f5705bf11be885a0b31011f806f192ec210894c32ae43c15b0bf9cef59ec6e6dec149c78400404381c09392a40ecd03547668672ea5a165345c5af4a735843b63a5dec5d5808f8fc5c696e5f82416ed278621b72bee86a7e2a4a982af9588c1ae65ca9806ed429b80169f743a6233dc628afd78b8c352f7f15f904e408e807a620439a58a91a51565dcb6faab6b1d1643f0a7442c422ce463f6cd4c92e9f598a94ff1e6b535b6cdcc62fc34e0ee02426bac9b5826d88396b9bcc8f872d9aedaf090fab51a55a898d57a152ef9183fdb59974ded32904e5f369058119b1729759bd570f3952bc18a7e81e292c6ec63f2db703c50d33d0425efc449c4b6cfba6c8aa314c2a1ba39937d582b67e222ba265b5d6c055d0cd81e5282388281b56738fd811d45d7ad25c080d61aa5946a794e9a0097f4555670948c8b127cfdbe8e924ffdab9845a1f085307088101de9108a3a13f013e65f5ac7e8c8634785b472a967889f47f16c219e374d94a40dd74778a0e77932b9b34ab1bb57aaf3a253d6fc4d642bc89bf28bdb27bcdf4e3742540c7f919a0a6e11e1fe9a1d9f2fb8f54e473424b086afcd50fc5c90ef3efac0e3816a2435a04ea880b23428f7c33c74529a7e426d33be341923e574ab2fe5b0e0c317fe17911e83ccb628c3bb6984e8f5e91f1d221597eee76de9d154e4340772a17e502e74318fecda7f3b7a076ea4af5743a369e18922378aca43e64b69bfe80e95b5be8b02b54fcfcd56e098e4f34f52061da69e5c0703dac0201b030897231255a34e3e358c587704ae52e3e21cc534e6797d5974146d05552b95ae1c39f10927829efd6ccc0bdb068259f597714650e240d202d26eba65f9e9e8e4b69fe335b9f0d4d1f6352d7da9311c8a42d3bd2639eaaefe33f9f6cb714ee94e026f572b73b5cb596d3d58bf3782b18784bc7db7b15d57708afea1a6c530029753cfe376cd56dbdc74357532a105129ed3828191e734bd3c8d914300c8d39d31266f50b5257bba25f6112b0a8375c2ebbd662b42c851a4a123c3993293dfbd66d5a2fe39dac6624e57c4d34b63b71ee7ce2aa01bf16f36e4a9e75cb93d7b6f5af670e61a03defb8fb90cb8f147933b58251899d99e906bd8e0ab4d2549e284d9b124cea9ea530ad82eaa66396b1831b61a310cbfe7c696e46af616d6f8e74019cf460ea0a423c9509678395cca9ef04b7ed6a57cac3c4540b7a560893331e93c175198a1ae4f45300eab8c0de8326b69991ed8e0b6d736ab7e1cf5ae53c4d6b0f5bc225726d0de0354a38d835684cae60d9002a6281e4e10fa5ec2882fc093cf709546b7caa2713dcfe5c5896f2877884cc6784afe6d9ecd4896d3ad7f36aa20761bfb2278616776efd742fe5773c73f85fc6b9d195043551781ec53c762c4fa2d1172aad4625b13b304c2334f320f765c24ea335e8a4c111ca8c12fdb53f518a7b2ac0a402610858c2a9990e1343faccf490b645d7011b9c4d2309e65f2c2210905dcb1d8b621895cad6176e8054c09c2a70eeec70d69a2c71617500bc0fd65bd8dd38b0f163ac77356d1961173eeafbd7e9d52440e045272ce0303a0b1ea5a0a66e53b316ac848f607742ddf13cace2f67a39ebe54eda13812854d2d03357300bd302e8305166b37d693fa5ca6a7b9cdbaf008d1a32a5218c1a9e3afec32e720ff9a2a29c71bbadd0639c90b89b52a40b7e528f79da543ac8a4abf73570c2e272ffb323bd23e950276137dde9cc0edf43441340c275f9a6fe6a3b44d41c2c9afdc28df53e4aab1926f4124d578ea48b6aac924082cd2e61154ab876451ca62453f9ab88a3967c14791da6335eef2c99b2843943ffe629d16d02a62637f66651c1ffe30e0179608cbf0ddb31428de80873548a4027c57444cf5e0f556a66c21abc0e0e8b42a5bc0669a617b072aa8cc905da8c4fb46fae4afcf100e1281cee420a399a1313f9dbe5f2bbf4b97dc0a0f72a43f83cc9c43a8f4442dbe1064ed7bf2fe108ef2c82d1b4b9e4cf1665eba50a50d7d18f41ae980624ead8ce19dbf77ffdc5b952c9bf3c1cb511e7482a038b0bec67b46666f08d35f3d906dfaf4c6cc7bd85893773dceb4ee399733f1dfc1a64d0010b209717dbdb1f8246742b54db5a9168c6705eb2bb33efd6afa381828cf5ab28351fda1f5a51055f871e469475bddfd6294c67a6aa2cbd6de1ab0dcd91728be8a98252807af581b3e5a99df0f68e4974bbcf5a674527559ce82d52abfeb6288bd1881246dae8ab743a516d8220b92fae01d065d8f0b490f292f27651dc94596f33e72013c776828c93dcffd424f7e3d68e9eb0bcb870e495ff242512d9d2e2b08f61143f9629190c9243d5afd13154e55183aed269f5655bb16c35c6daf2200ecd89b5b6bf43263ee57b164c477dd79988d2e2fe15cd733e4beffd04d7cf69c2f9fa331ee668fcf55be256cfa4317a301acb12fb7fedbd46b6f81c4c3f6341f7717e865de06c67487c4372653c2647d2e94b71fddb59444f3810ee96e1b70991e5d0b2f3d4375e7e019e76b0048cef4dcac18185bd2ac4a1e04fb99938812c3265a326cbe172c15965172bd0b014724f0c66b64be09266c991df65acc039c26cb57e35440e438190e1cc397f46fc88a6711fd2cd5001ecbdb191e0121d9b65c1ee849d943a05ff4968e81f2c86308e04e7e78dac38309438bfe2cc1c6de78c1d1a7e74ea8e25739abc371a8b74abd2c5ce80ea84bc5526f44dd4c1bda85495ef3589491327295364b11bd2f7e197003e9a102f71cd18e93dff681593054d5863e93d32913902ce741f740ceb56d20903d60df41ef4d914e1aec9a2f7c6de85727ce49f4d7ab4209927bd46e40b6f445ae69df15812aa51266ee22f176f8cfe19522aea1a0400342d1d41fcd616df8cb2f4bf8fff00994935c62b91f1cbe0e493b431b20ecbb0f3cb719f9c1660f606a569e970120ac50c34987303463580157d6fa38e92270014ad4dbd244107519298ed0420f087ee2a3134734ec674e214bdb64b2f2d1e556173dc082665cffd618f1e562b37c0e773d0f476a5b09f121937873a67f891c9f479d25dd3b2aab75c37ec64d5ca01e3c26bb81ee309419d27b45de0c7b56d57c96145ab66e276d7f297bf9b5249c7c82bf667277daf8c4af64425ca33e6f85fa58d1aef3c4a9ae913d6f299e9fb021d98cd983486d6ce39928864fa3d9a380de5a725846984392bc3d6f61bb70942e01fd1f55d8411e63b7e11d4ac54a09b38d936a1852e6695372686ec45290fd7773e800d0a56c4a570a276ad27ce6657fd9ea5281cfb463346210f6ec72d31ec78f7bac38debcb79a2fd8823f037507e621d88780ae83f6c7d530ec8e1a159eb7b4f4cce2c5405f800f388699ff80527d66c3bcfab234343643fdf7f47d0ec57d30741b385a16ee6fc2fd72245120caa8240d8f8104755d50151259e4d76589af883864947faa3ec7d1411b621b8d41d9374a427f19e29f5ca4398c420ae27b74a058b0325cd748ddca9d11c5d3f9c5fc70184de8653f3d01a4fde2ba3667c278c88557fd6fbaa3227063e457774781085a854f4b2cffb82910f61095f7ee9ef6ef2238bf74211d8cf1af9504f3eee229644d0fdc85565b8e66a0832041e21c98466c89ec72823b3edab0fb42ed65202a5eb5df409f5bda6ae748884a146b34f6cef3d6edb14c224b8b8ade40e04a7f61d021f680a71f72ace0de41625484a0adf988c6aa71257cc6a96b539a2fba55a2f986c9ebaf26ae574c3e837f98f08ae710c226761acff343807e40131469c9d5b9e78e14fac0264fda199b0a2571cd1b6c6e95c0b668ce5fa8ec0c91cdfad58afa5c1336d8901f57f05f115e71240c237c4a91776b8131c1a7809e3f35dcc8d28bde183398b8d61ef6bb8274784f083d3a8060b7436e315f941d71883abf8361bf66aa3538996519e6ee2a31b41865bd2f16063e7cc0198aa555d41c114ec41a8c047cee2e9b8e9cb56ca94b28906b64e9cbbf86b77d1b0bf2a8fc265eb06716f1181a7db11b31cc7b49d99ae19e86fab6383928ae0b3f73936e972b23b8ec1251404c1c85f4dfde89fbec9ab07578815ef077cfc2c6822a8efd2807ac5d382e4064a01890da79ef2e182fa52a2d31c98bf9566f58fa7eb87fb610ff66fe7063d16344f62b7d035653776ab3e63331585066206dd1b25b56275c589f802d57eff3f4ee4344ac30a38f947b26a76cb18a7fc63fd87738102e8f76f911dec4a172e7394544aca0b774be9f741b4dfa5af846a71773498727991b69e0d39542f72d4bc901642da1bf4771ee0149eec36f0c9924fa2adf7660365a015145bff5f19c07729520211c1cbec43298dffe8dc365733d37d8c67679593ac7327c45ee8ddc7d36b324c6f47fbf08d563328e21282f9c48158a37543ea13060a151e163a7e1800684652866344f69a3048f1ac1aedc348900c03ea380d08d1effe089939eddce6eccfc251d54e9ca111d69e9c9f67f9bca50129bcb19539f2a5a1d0a4b58907e6b3af5ca326465000701246b9af43e57a750f5424dc98fe032b84bfd6695017a47e6c88c445f3b3469beac2420da5177ba9e5f69c073d90fe22fabe1fd0eaa1049b2eefe258f5d6c13f6920268abb2350db060139fe338f2ffb2898517d014e0d5bc123370d602b3b7730544635e649be08ab7cdfb0067337e80ce43c34e6a68ad5bd3baffce51966c5fc369cb196ee799e901a153ddc43e6271cebbc75f4e438c70cf919d957015bc3caacc4d2bc75cdeeef793f75314dc7a5e9ef21182e895467e4d249c6e24905a9255694721d6f78745002642f1daa53ec015dededc3be0b1782e5ccd3f363d376a2870f4f888a88ef4837a41284792c6387c1a51e0e797b648012ecc98959c79c43cbb91460ec9b793e90009a6f7d4983324dd58ad457ea3c4d6e9212b528acdcc68c076e8f4f2f116a88e0f6eee395c716b0a5c4e1bb518d32e3ae2b0a1f13f875ad912c79aa467b80ae87cdd0e147d135c9072cc7d157903dbde16f536af5db399bdb670207a00428dc58fc6fd5e0b56f4339c5352588924ce64fd9f8ffcafa4273af44dce30a785d20bcb2d5ec8907e3e870b3e00a82ddd95a159c79c63b37ebfc916bfa6f65bffb956b936b0daf590d1edc47b76915e431b98523ec402ddc34c61621d1c0c90715dc385d3c926e1a0514b5be429488da7661c4200b50c3e1dbfa2a1445078188a3ea4d62679fd6fb3af16fed076be5bb3bb78f900311cf5f9c69d42817c30ac407f566c6ec8f53ecba6a06272c6154d1dbc5035590f9bd9284ee68b34e2cf7f6303796af1b9718aad56fc5f53b662beee3cc6e3f839ff57c65a3501dbe9e6052a6efa54354fcb4c5c92a631a34505de5d833c4de2de1615a27ef785b02325666e4529a7a6d66867a8b10052b8ea6760c8cfd224cbfa671cb87a140deecb0cf6e98d8fd7d7ae722c5b8625499f5e17e39684f79b289a71be2380a733bd730e588df0358491ba9c163d03d6992a9f7bb26d332a2dbbe9684efbd5354b2816571b16101798ba724282ac070fb0cc86c967632b5c91d66a3586a5091c64c9cbc2328e48b9f9073f187d0cd98601f087dce8e71bdb39463b36391980fd41c52c54ad5246b2cb0dddab7a94ecd8202b17c3aef9641cc491fe23879334edc139694d5a4d43fe4210fe4d5cee062dc3c7159447adc0d0b9a02ef1dbb31e4bf5e7fb445742687def2b8a0038d4e0ac15e9729f2e07593b92e9d2c98f891723ec406cfd99c85e8de345b776493a7fd6a5cb2fc6ea3c586755f931a335d06927e847aadc7d0957de40120557d887c3d76329a3e3df2424703f79c9edf9873598ece443c5d0ed7f01d5aa3c18841bb3f273b1d3ed11346b072bbb41184faffbb946b9a49fbe3f32c3f02a1af5bf422e71899d80a07cea7a0eb628b722e7aae7fc5d7efd2e4e3a6ff78af09efbb4c52d155b6572f89fc82fa281956af3963cd5ef45a7e6e2dca23ed512ea2031c60b074479b8578b97c9eb99f19010ba6fc7f54ef63d37a7340cbde9f08db8e0c3d9de8fd1ea82f6f4c06986fff71c3d6b1c91a771143f2d1e865296f6339e9da58bc91c1b6ba657f812bb627d214880f9ff72232d92191ee0ae5dc6a95bdf109436297a95b355b91b551993e6f2e1909e97210b0b879aae2aedb6c3580e6bbb518ccdc87a9ea969cabad03bd779125c1d33bdc4b24c0fa90d4e1f78a58f44154a8c2d673c32e92222532acde4b3c052bb031238a397d6395c575d13ad0124a9c000af4e71312105688e12568feb9236ae3a563c6054aa768a097952e5659ae37d6dd0319bbb96e0c5d3310a1f25615c1e356c61d2ce73ca8690fdb4333c32803099136f1ae523984f10cc6b91fc536f2c9c41526c900f73a1a8e0835363d3936776d6a61b7c069f0b60684fc05bc33e85cdf643599dacb4843d7a638d3e109a4a44a39297f8f128153a628cdd3269d8b725890be248c053a93ec586705acdc314e6d8924e4455c81845ca2257a87e67a3c923eab3fe00b0075e545ba4e5403d7fa5c5e4d2201be25ceabd6f648700466f6fd7c2b076e300ac3337bf66617a4b30fedfd2ad24ec3db0678ab1627758d49f61af1aa7a83083ea80e00d139c2a0a8c3bd9b804d25dc176b5beb20ddea55a79292797951c0e9f0fc06d526994426abe7111b96503378a9baf79b8cbae53946bb206bd15de8066cd44d406b45c3de677d228e012a6bc85fff297286f745481302b525928be85e2d882d3bd96abf112b15b0dcaf0ec308b5d1bb697ac0b85bb3e4e72342518aa55d97b57f23f5e567803b3e251a9cb964c7cb4dffcf9f831a6d61f34e93a7edbcdcb540f7476fe6330e4be6902c339d3571d94d8b61780153c8a0a34cecf86ec8ad4d52fbbb00f8841408259f5d435f5f57171e55353c022ac5a104d36f8114e3a68ae81b4a20225a5d2388cf32e56cddb136795b5e0aee2734ba2220c64c743cdeb0e2d330d4187ed0ac8db44cdfd624bd90314c600f42cc9a2ad46e53f9e8188ae2c7817c1789af6e647f2a2363e85d959dffb44cc7cf0609d7b36c30674ad45d8ba281f4710c49d20991943f0ff00a3b9f812b8ba75aef8e98a0bcb77e9e018dc5c05452a931e1482df7ac48b4ac4ed70ead862a828e19f4c07976e1e9a63bb95d66e9cfd47ee03290e7f0eefbbf870280b857718a1bb75ad7014b4201c961cdc7a6813382b786240ea8f4ece5e162bdd97bfa170ca6d90cc2511d592d3ac7400fd182b1aeb137db361b14f4ad626f7ea3d25ef16744e0e0e36c5b29381ea7933ecd47292635a6cf1fda3e52ee93a6375ca3a5ee60cdadcca5b446e3beeaa761ad8ed0510ad72f75a23357150ba8f5c12b63084dc8ca82bb62eb38f43ceae6aaa2d5fb8ac4132ac6e679118055b81dd736c9cdc9fc1bf0966bd09a218193f310c909e61a647c8215f7c4ee3e8f3b25eac636c8a96a0e464ffd0b4c1ec2082eb2399052554e47f3a34c3420f9ed5aa56cd9b0f1224cfed973eaa770fe099e9d3aedd3d42f6eb93a0115dc1fc715624ff6b0f8f3a4b51db5ab630cc95ec7021c6b4fd123ad355873247d550265bdca2960e74a3d8888cada88e9343b70d5340eeadb155564c62dc1eebdaf002c2c35e0990b695c536a0a752cc2695d668f52b00724230654d6dec51c1f0876e7e29cd662e12e8ce6bc40a318c25e6de630ab705b7843fb15c4a3dbf9a335d07a70f46c70bf28f058625eafc018ef105f83c4564324171e19464cde9ae0f2388c438c41fdb8f81b278cfed8cbcbb9d8a2a5496ea8cf4203edec4669142f2b037f9e5f55298a2467f1088ba13c48188b3ab2cc09d6cd9967acc1e8def2cdb1482bf4e6c5bef3760061a81ad22e77aa882ad1f5d598345b3d18bbec6d4df314cad4e667242b2a9210abfe74b301c4721c8711f9cfdba932ed74a10effcf3cf73bc94ed13dabec7b6ccb0814e71bd52a1c7103bf47ef214b9cd6ca6a12f880857cf01d141b1d88513fe7f2e02282582480f9c257ef4e0ff52920c25a3d0604b3485916065540bf8b9480608e29ac2d5a5a78b1546aae0972620f9e3264a1b1b73b43c7935959d7726b07bc9da0ae4ac08f0db548446c5241ea9f19aa29d5db2de3cdb1e3430a157308855e273dc1f74c1b609aeb2f70bb0021315d33bde8a60a1cc7465b70bb5c652074bb9a030ed8761ec25a35c102b86a8562c827f1536faf2d96e3a88d3549d5e7306754a431de06a58506db917894eef0d484c2e1c897993aede2ffcd0c51f2252924ac82d91e8d364c78d987fd3510bc7518709aaad6a2b0abb237d4860271ec5772f74eecca7915fdd16d93674c4ec0bb130bc8235ff613f9dba91c21a0227dd9d5a3ee0d9ff183868eba5ef8e16c80ae913ce1386e77fba65c125ea036f399de4e88059012de120f5b2271a511d338c9d8e3b297012fc00842dab541e846faeada68cb5dd5fd380087c68e246f2ce721258e7c5e5d4aecab33a5d15fd5be9554998ec6ec4f3884632071ea772d1bc7ef5423435cda7e240e0d715e00af37e6dd81f04c804703e04d62c6a6f90f478ae5189783b634b8f08fb6c6b6703ba8c2f7b167f81a328ffea16b39fba14c67ef2d7d45ef85240682f90148c94a60b0168dc35d9ebd82704be02741988c4e65e0016f9dc0b204220cc49bde0302219d01c500c9acd2c351dd6367cc1e922f7a1ebe4051ea1cae12950ae4a72c86ed5cb078d5f52a4fddd820f5efa141508cdd3b29c642e1d1126ad669fdb2e5899b02087f23443ea5ba8aff0d901bfdf7e314684add3e4732974ea750e098ce5e207eae30eecfff87c11da0c3b79ac9e69d751dc544fd615bd352ed552492e406859f04ea015800d472ee34bf0322e3e144feef67bed694dbaf8781aa7985b2a9f2c19c386d7dcf60b734f6e562682f67730147751fe6a1fe477257a7e0bc107e6b6a4f4782c935de86c3b6a5d80b2318c21637dc91eb4dd348265db094ae44012454ed4d54bb17e6c14f772de430c9844a91f163b1814634b79f47923ba80ce4f17eeaabab729ca92812e4670a6cd0bb7ca70fd9fd021d1c81e0f8c11bf501687816aa7602f483b8134397abd6761fc175ee21353bb7bdc1e908c603e5bcbd9352a1f65fd6491c006e58a74f4375b01a9a578710efbdff05586b26b13574a20079cf7beb322c2b01bbad4c78be74001aacf129c13cb6f34f8de5077c7cd3bc6a090b5ef37922fb015d66e97c1f739bd573064d9616e2807f4c6e9490d151c31ad4eedd2defb466a7a9b196eccceb3ac48d2b9b751c2014c080774d49c027ba17ae7dec21edeb4477fb8f82df7e6ee07fab528b74c5ff178329636eea4bb95af8c7676ad15b68d78d0bdc998e228f15712cec3441609807e264f55d74af423168bc216f73640e018d3897ecba58d2910c2c8c6403333f38d15218a2ab2dc0dd0c644faec131e51c5fac7092540b07964dc0674427cbf279b7ce964ca8f4afc080718c6be492da65303224e8ed558e490c0932b365fda70b20226b2d432d5687d1b7ac1c97ea9c90b26735ce9e7d5406d18a887dbc3d1c38c91450a8212feb0aed675d69ffb666f6c127aeeaf72dbe343947443515365af41d6c23c0d73ef4fd26d77b8560ea45983afa4b7c34bccf59a63f4d29ba6c26f6fde6410277759b496b433b6c7a350bb7d5de314b04d49a0e479ccc43211f5f3727dae8e4a7625275661eb03c9cccd6d39a716e12720d2f9aaff7a6cf29a7e03487049d771313d5291832b914a1bf3ff8bf276beacfdccea9b46a03a68f6a160c590f904fcd7669510c767bc3e6cc690dbf9518ce7ab640d9af22ac1c30ac8fb864760a2127024f18caa2bda498e2d3e94b0745b420d9be240b1272f02d65d90f1ccf89c7248562634a7ae3ee5ee89a50334316c227a00e020488b7761999f7a912a35ff6da837ebc8ee8250e80b0c0d44c1cbbfc8ea73fac70cb988295b76428dfc9edb2c0b3db5186db4da41b6e526b52660373145cef0f977e6e9c751ee95af0a610fcb1a95edfc365bb285bd68738a2ab22c9c0fb75a5e65c6cfc9931285b35bae5adc7d881041742ebbfbc540a50848eb454f42afe27e87c5c56438f5d46200905fee3c3c04a6f8ec4d4aede1e97ee48ab7a340e5e99b643ce2e30d1c400893664a5bae786d658324625846aae9df7d8826fbe2c56d8fc5f01e099e5d3fc371303f30a24014991069d7d7799840cc4311f8853b627b035a6e6ff1530eac65e4064ba53631b16e03c81e6643b776647b4ac341ff7266e8fd6eef7119e116ba25be5b1efe88d0a76442788b7feb647459335b3f1e229cc7ce62c5cca833a8892d25964e13e67b02dfd377d15601c946b04b2db184efce76ac99eb391b269728dcd8356906ad4c0c7439af67701bfabb22664af7a05a0305a5be36765780f505cf35353e9bbf6631d43b66ca2f027e982e495ecdb761cca4b5b87f0e6174817bcb85f9b83e928250f53f1bd30991798306b753abbb32d7689bca88f30d5c51c7e2f5b22ffdf47b9ece1a048633c89a9eeba81697a44e5de6314756734d391c668d0cd39d210a1bcf7ac8b9ebd60b96e6d9535760039beb13147c5b72567de0b1151b822ac28ef3fe2eecb88ae4539a9edca3b2497221ccf70e3d301507a37c075d7f479aa795822e50baac5b38aabc100bb1a606830c22c3d1250682537b71acd4fc46cb640fae47f2a8ac53fae7c758fd8968a3e9f5272d290ed64e2fe7f3963e4cbd7607ab247625ea7fd9c2c02acb5a48fbb069e7cd9498eb9a4806eaac24f122d4f32e8b22f188f5a7418364c4b6d08efe20b2958673ea5c65c14172907b360a76690b6d7939598ff936f4872aa8dc02b63e872f8bfa36de066dc29e4183e515826d41a82e0ec34d50455c80e67b7a0f91c1e65753e0659de39799b97cf64c46849420b490d115ec421bb4f3426452d35b154d0388a2943f2df1e0aa6d96773942949c0742e30061c748543ffbc43cccbfc30fac29573b11cfc6a7245b2e0526fe60c2e086501b719676bff083fa90847b295f1524481e6fc34bb8776d2e404be2494797a5322ca9fd801b9447b5becd81812edf1209b5629aff62a64cac5e492f9ed49a642af548741905a64c6ee1018dbde86e9421e4145b98bbd87b4f8ab567f9383a8e32d710761a336b5f06584c62f215cb53f1544dc250752bedf2db67dd11062e986647622ebcc30bb941c764bbfb58d9e325d344c8155d8bb00680116cbcecd33b0033e6467688bc5963e9300c23c844aed4cdfac4a7c55186b6b1b04d2c804d88271bcb68139a1751aa40aa143bf5ec59468a94fba390366e0de94b8c9aa7cf537ee2b0133683592e744ecae4fec7746fddae8855d5a5a507deb9eefbbcb78a4af7723f97038e42c247d61cbea2af1fc6b79772e4e4b0dc56100763219c347ae49f11d85a99574f5e468298abe5e533abbaaf881c53fdfc465dd041f7440f22de41f66eec7f53fc45284f1192a1c0a1927268255d7cbc82ada9ee289c35536b9ce4db916f934277e9870030bcea055afe6057dd93ca95a51834029e18c601c412469901a1bc373c84eb7c430ac7072e5bc1751db05da3b6a1f78d85dac2a67d4f080f521e8bd687570a4f7cc2d6a4ba68d4ebcd2f4c6135e14b86bd233bafeb3536c9743c470b8a075745afd000c207c07384818da9862a9388b5b6131fa86f26b2d583cbef2bbbde4b10a08a13c933c98a5de81ed6d4c4dd1489d13825a6f682322bfeceb1568c2082ed4bafe2130b6aaf9556d630bc0a380f8e5ab0de573ff1dba4da8e99d7f240a9e462796ea0bc1d79df3ec93b44c5e6d580c42d48ed2717ac1b77d17093f8c182298f0406f1387a1952c53494a3af2b4a4f4e71558146f1ade4ff9b1c6c3f7d3d2d6a52fb4b78b3bb549edc280bb0a62ad2e2790482ab8d2b0a555dae5fdd5ad601842047a513cdc8a83401036284e9e335ace2df626b585009e936b603ef2583f91b43c3313b9e341c6bead96451d6e2c0b675fa1032ec40e562e863b7c13b3998e8af390702dc8a838cc5b172f97de3be22c0d72e5b6d07d5b23d50b43f6b5bec70b26cf98c94f9f69e98287bdbc25f5d7c5c76e70533fd70a35fa7932e28c64496f4006954ca4f2cefa69402dc42d2323b78302f9c32867bfe6971480eb578baa396a6cbb0857b709f7e1fcf46002af470fd213df33aff29f3754d957339349f64c2f4bc5d05c534704c76159ad67a70254cbc913b30ec58eac9c2d666f701660df0207448fe8920c8e34bf8c35084a14f0686762f17c593af38347769f728c27ec85e372d653db326a85baaa53a2b17f9c82f698354c33695b35400a8ad39f4c84ea281f4dec1756666f338b19914ac9551962ece1f79c58bff2d514dd9d6127da07b550f93441e782d7d08d0f53ed7b1aeb1fd1a49768b2548fcedf7e5fa27c8e9c705891ce2248610e1075637f9e0c73359e94994a44b15296eafd3e511db1f53003050d91fcb9fefc1dc7479ae8467d2a4ec9f8b93c36936b11e0a348781033b3b38f00fb60709a8f09bdc966a2fcec23f15f1625bfe3b8fa9daad9110ca7e84c654077e97e848ca49117287c306d88a69ea3e9030c40222a302361dc3c620075fc7fbebc6422f1b86cd0e76865b17ec475f6524a363ae61bb3e396c34e71abda64393a8f7035dea7cf95e3e77edefc6b5864fda81b485973c536b2764bb1c00b968e39da7896a2957032bf2fc87651dd0e973a2c2c01183d233b6efc77efe909c0ee2897318a2b30addf777acb98c812327e33a9d997c278c5b63a6f7c2f7f854c5cbe2f2aa8c29ab81d7db1aa609a84c325ed926cc5b3c14d12cd93014238a6594887db01036ee8dc085b5a5c8511964331d90be82b302a78218ad129634a0d9a7c8290f20881aa9ab9cedf2aa41da6996a6f7e56945595d2f073783dbe23abbcbaaea59f997630a849c0dee8d27f56ccc8804ee3a48ef5d783939cb59fad8f3beb48dbd206b96248045084fff3f5137fcf98267c5aca0649482873029f2beb7f7e5e09543e2cd31013e6461a5e43cfb9a7d93d2eb78aa80ef3392dedbafe383128c150ef201fbadd629e6988907d891f599cff591532dffbefa2d590a77869118e8fcc28ba45d7c96843a9016858507cb26a71d2250d62b73d420392a81ebb9518c20edc442d7d231958ebef08a2761d8198f18875ee02a532e10cfe2f4ac2940101f4f8d324f75c56b4085c666bab933b402423c0f633fdb995cc72269cc6f73c761af37af310b77775685c345e59ef3f03fb434688507a1909614bb9408e0f3b3881c6b792761b36600184a0f3b24055f4f366e230613dd6aaee90ee02826bda6a8cf8e2a09cbd1f2e7bd332b9ec49249485126571db52eb4cd89533a7a89270cb089706d9c3c402bedb6ffec31d4a95a41dfd0d28ba8de934f2ee02aaa900218157c1ab5c2bcf377f698b66519cdc1a2bcd91114a5fee3f4edadb991679f8ce1601125acd9fa0e34818971f7bfe6f73d8b6070ec5f9bb502b921abd42bc89b741dab7b0dcdd089b24b0d29f13772082b0ed5735b7e2a3e59fa49daf044904475c01883b0b5e456462a9735ffc4959ce2d2e0601005832bb433bf845702c89bbd281ae5f019413752461654a48cf352ad64fb2b5e3c8c6e1e6e197dbb9aaa69d5e2ea415d1406df7cab3c1e63e03b3ecdd95578a88ef88d8d97153cd475d0ac82105f6c5cb1c698920f763a28455c434e642a8291d28be47e047ef1d404458dbc5868da4000c8521ba677cb2ea4112f1ff11acfcacacc4478aec9983aa8fc7f93b33b7734dd1045ec82dc56d5967619070750c40a123bf62c4250938f59d7824e5fdd45a8382544ec43ecec0bc963990e4825bec5116e7d9565aa7b30aeb7cbd7d2ce423e1d60d919635e05e7d0c6462e470924268ebd031c9027bd0d744afe1e3a00d76e08555425f28351b281392a146b526cb0b073df83a0350fbb91dd7e99a55d84bd8d9b0766454a440a5eceee43da4b6bbc1b8d16578c70973f5edd80739b283d02316d22fddc5fa4a41d72c4f8ee694822886735ef4c8e31ca8d214c5e1d6788c71d5364ce135d7cf68da884aec54c6ed09c8c60f55a32e00797b823a5fd9cdab39c49033a03c7c4d772f836cc718cd06048a259e830610bd40e98c4b83b5d94f62b7d324590f8d9d45ead5bceca225e7d47bb7af3d590bd7efb531cc1d7967acdd6e32dddea757b3254ec21caa08534625e67d9117697276795f0704a98b9925a0251996b4c6496ac0457120cb7a2a1cde6fcf428484388b078d2de5caa62bee6e28134fab5478dd7db35ecbaf84c157c6dec4941d2ab15b8520e1b8a2690ff45aabfa8600c112ccfa2881a09f9164ae359439ec088f11e70d2f9420cee5658388ca53f6265b561cfb167098e480e84bc2c6fc71c47b650e83561e88511711afd06deae6086818ef5602a031f3e7d788e4a4908978e97b47ebf2965adc9aa3c8811d3dfa60bafd76cfbea6687a028fb16400a68725380835e81dbce18b7b2eae567271e05254ec5ec0f4c659d0eb40522efb90bca5bcccd4ea40b2f6b2e367f1044e04e8a6a0fb802da3fa181ec59274d59ba62315cdc498078e1a879337ac6352bb0837f8842c5cb78c50f626468845c2746c94735e49e3ea984ebc5472ed77edd2be976059e191f2792dae6ac6f6cd021d8ad774a48d7e6ae5d844c983df44ea1b1d98d2ebfb7de1ceb1d64afe45510b328540d0a8841db866d60ecd83b546844335d021f8ed9ee3619288a15127ce7f690c1d08923c2d619af85438f207d8d118094b9a09869d1225f7553d77d22cb70e6624e95963d1fd2dec4a97cc23b052952b04ee1d2a2134cad6c40f834675815282a6b17a3ef354a7b5d01b0de2a2c84620844d1f825a0d146d4bc82ffd4734c9c166a935618530d5bab8205977b237653881e27d7c35af729baf4b89d071b9da5d5a9bc4a174fbbfde49e1ec60dc3965df566f920b3bb79aeae1a0604da0ed78599b3e19416d3633d7d4bbff85fafda5a8b5a400eb8fdeb0552b5e8a6ac1f3a581fbe06c31d14734453b17c273c42b44fb697ecc67a2bd3cf2825d2cc9f53b57bc3502455274cce8c35b61d413f58624d93a172a1354632987a178f79093b65385ba546a83f52c11575d3ecd3f95f682a8b761817fa9d0b066a7d8fa59ceb795bc26765b550bce03de99ce3d7c3cd8a18476f60c265dfa7ece8bdbfc7a69548c8123840ff42750c8fba5a96516df4fd548a90207972a09c530aa610359a569b4b7f4ffb21e05b02b9cbe52e9dfcdb51fbfc9dec214c797e117ae9007d25c66d7eeb16b6dc5582845cd6849ff42519ee7c4ce05893b7123a218584c619dd4eceffcf49e67d7e359747c765ccf1e94135f68abf02a7812520c9db8cffc51b4e69e524e6270d5d5d091a7181ec67b7f10088e28acebec5f85414c6400ba37496fc168113733646f30d7c495b9f9801ca0339fb4b92ea21a011deee9a1ea29e669e2b94c88511dfdeca1e5ec24666f8e7664fae61445fc766e49bfb224259a41b3815a1d5bfeffea8fa905203ba84f33e9d53e8f1261c936da7fda2998039e777f5df2652f7a19dec4d08d9c0f91330ebc8a5ca32c719ee798e3519cf6d13386384be2514b3e34f8b5022979ac68ec2acd730041fe765f303ba780da36351696dc2b44992342a411e5742baf7ac3c824f191dcdcce858efa130f09ccfb8064d3b4119e7638447c8018e97233663f04561b1d643a1410c1e4f7b6c044965a16436de4c611e151bfa8f81cc4ce0237be991a2f1034cbdea685486c30f291ef3825496d5319ed5e60e81f638b3e40619670bf3f27c7a3327f2c0a1bb964f5f7aa6d94f9deddde0a8be85dd8f2aae927d5179c02a86d4d73d0ecae31dd44769f386323f860db52462743aab384d78497f9b586aefad8e9b3a1ad17823b525cf5ad7a9ba60a30d464e6862faddb3bfdbbf9149c4898098f32ce8d085c820683a034e9623234b11da066cb08e040805a36673a08e10353d2bad805b92bb9f263f63793b079a976ad43821d340a414f17a261ef4860923a954990ae90b3fff7abf53d1ca172c560dcc2bcdfc30ea4b332026fa4a90cca908dcf6e86555983e346bfd47e1ac30253ec321672009465133e7617db631dbe94e3f619478a0fcb54c5d484257108e07b928136cecb15c47ae1e440c71d0e2b689328cf848a27cbd7afee367360ac33b63f8b25c89076821634148bcdccfda5cef8461cedf4eb81b2a74aeccbb5ee510ade1349b17e5549ec0ae20e486bb2110dc74ea5ac84f7178581cbe15986feb0220c4e22d274dc27e55bed125dbe2b5ab35f868ee7a41e877d2627a263075585106a9d20ab2eee48b66cf32eab5e5d2858f70a16d504c8a264a5e4782abb630e5f42c2a567bebe4be5aab32a2168ef08bbe8667a5c8d1e23e942a629d14d4ac5b1a4bf28658f1e4fff98ef03e9970e25e1e27bba55b324ab9b946598a7f09b5e05ceb2c823987ec3305c22ea91e11b14f0da3b724229916eab58450cf406b7a6d1e788180ebba5bf36288df975c75de5af01218b59cdd4e2c00b56b7f4e8ab7463ad1fb8e86e0c6b2206b4445180d4e647c701602d7f50cb28705a67e9a2830f8720a7ff04fab9a983ea65e3f6fac6231ce97498921dbf57ebdb431747b5cedc0e6c2826c500102557f7183c9088aec663647b6a2cee3e311ddcf64aa7579cf928cddb6edcb096b970a50b3f3e75afb2d2944b89deed0c22bf45a55652a3cf387aaf1e5dc1888990270c9faa0ec9b63bf812e46fbcf9ea10a8eb482db5c7632fed20cefca9fa684a21954bcac619d54454f4733c20b20114c39fcdd8662bdbbf33824936b33603a4f5c20b9f9198f3ef20c096b8714f5271372693c6ab0b8a91b2345c58b65c6ad0764dba34455498e24c2b7836a8b2bbad5b3b65aaaaf88cbeb271cdf15e68629814c27afb60f1a33bf2231b960e31f1ffa1e1db225f148338c289ed7370b1e473f99e8825caf75127e38d39ef7914c61e7f587e9b550fdb41c5ae104363a7e23a39c02c1a2455d1276f272bbcb0eccbe7d5463d9bad4ccc64f5ee8a440aa37044753268b417a4fd5be17eeac953c8424960cb81c6f51cc6ba90f5edfd083436f83da153edc214b4dd0fc954cae2b8901f11f2edf9210d89d8483635b6e49911df7c85fd95ebe122267f63afb690b881d5704937bec22baef5bee2152e6b1efac781c6ce7926c34424b64da91e4b7be8685aea4a265af4975331f3660e773f9b481bea50b52f8a14467a28beb8d5c48044232c778b71801a5a96fb43edb5b702bb463a3f4f31a91e6e913e2c13b483040e2c8a5b12fbfc5fb8faa4fb3f2e8d05225bc4cc7d137a3974030dfc3f9d02208fcc4eab8c3c82ae230f7b9548ab2ed40c370d51f452a2e58a52e7397a11389aa245808820f2dfca44d48ed0141acd57fdfe898a8f1c7223043bf75ea7c36b7e98c4cf9a52669ab4747c896dffc41d71c633c6af88c1bb4fd394059e700ab78c12c370b8ab9380e0c33937e019daf2edf8063a3f7e81dfc3ed4cb3a062a512da3fac62d0a4ed78da4af45ac27c673762028a7b88662471ee8189fa7bf40b6731aa1d272d211cf60bced3c4ab7a96d51c1f64fa8458f011309f66166322f8515034235418168c92b9f167492558b33e0eb1e97ee73da546d46f4f1a37649fc6dbc65b0402a56b0d5851f0ea74ef59b827f9d03829fcbbffdb7079916d6c7e70fe4c58ef8b6788ae0bebb86f56a28c07e296dd8672e0d0c564fa5e87a23dfb56dc3f37aca7fcecdf51980c10d897d273d0bf74b08be922a60bcc77f014ee561cbcf9efd9abd993afbaf59e197acf69a7ef78374cf56559b7b29801b678d7148a2be12eb251f488ad0d0581b448f227fce1c5e2ff8aecf174b85fea64e4a0f696eac33e43d5dccb4e44c9dbc707bb1615674f621526e849ead4cbc9df142644a970c2ce0c428d82eb2c7f7767f77438325f7f5b6114ef35d1d30b88289f8e3336e42e0242e3b55679f978c5abdd47bc0a20ccca20f9f3f7aec9295506ffc60145138f0b212db959444c8351643892739a8e5d9d198d3978bf320e9faa08b05b321072e42a6e84f143431d73efafd49c09c91a36b9a4baf19ce4861467283c671c5c05c34511e460fb200be5926557f4fe02127976ebe9960b4df2d628348d1ad6820d39dfd387d5725f0671632f437b5b4f08ceac46bf53cd23ce038a5917d18a37bbb6d2d921e7f7eac21396ff1405e88662ee70a6a4976e275fecbb2e6a3ab29f37566b108dbccbb99cdeca790f7e4e94e94cb8c2e25eee5270c12a7ecb2684be2c0f0c779d72fe6f515527dee833b67fb4997d850438d2cec07505e8022bc45522e0140ca86016950c4378326a81113efa6831c165951a57363c761e825a8639dd2f9ad5d77cd1f9bd84278366fd73579dfa8397423b37c5c68dcd6843f9b5349b84ba4a9a3f747e05d33b149f856751857d68735e9621d2b923d7029835ec4dec7e4ed0215dab9e4bdf49bfeb7a75ce4584ba82b73b456a6f161d07051ec0c45d268c1c56f6fe5d4eed4b178e4532c0623563cc8f77b0f2d8a7eecfadc469a7a7f84a13df5d6fb8dc3d6a3ce52fb421153229b3a9e75cf23949c5d4fa7ad217ce0f967d9383f9062370c542f0de1b6213e7e2443333c898218ce3a8cf1c2b4874b2f892669209e3e08a3bf9d86305fce578f461c14535966107ce0ee3725f979e66eb621da145d84084ce080fff1d8a38127af10e2d28768f71282939016be46d3e3e1e9cb3d9e432fd343124a7c1c5abf256732fc241adb39ca84dc8106e3615aa3d011a2d57a74d3e7541908649249ffc9999806c0280062e62c947d6699553d8512dd9c88faaa855012ebea256a9081d6842d7d016d4e342df0fc1208df4c966a263dc0b77c8cbd34ebf8a9fad2e6176a3c5950628fcfcf8e5fb72c055b5a48ca3e8cdd2cace66c847b36bb78d83de519d05156c41e5dd435596a3f17bc9e45a441e24a51758d7dbbf1dc9f87cf49134fb7003aec1fbdc5ba5526dc76018abe3cb6a29a582cf0984ac27142a5b34072109a7e633b5d7e77ae353cb52aab1b3b8421659c93ff7b9f806e204cbf8c2861f1d9ff97bd895c4fba32842c29e54e0933308bdc9d6b54549ea27978796452125f1206d7b064aa55d7bff57b955edc4a869e3f61e2192f2eb6b80717e9022df833f4149fcec282c5316876d64db6c14a409320997011ed38e60dd4a6905540d85a9c6b2f42fb5d72e63938934ec33d892e34fbfa9d9d4590ac645fd34882bff5cfde49f13d14e56993b82a94fd438a31bc13df519843ec0380d8580ea11eb331d0ff28effb573f24dcadff957f569f21d21ce52c0fa8dc51703411129cfb14e9eecfb496a0f866ef4e2b43c8accda1b1d514266f1fc10d927733397a097c25e0fb04ae1daa86b76f85449fb8dc1f33c5134d90545fc920541a7c8738f73bff3dd7bfc0da6bb79417fcd015ce6e3b6c22c8ca113f2820c169a4ea4065e34a23cc2e7763c8652083238e2b943c2c00b0819b857c2775ee6d4e15744626db64b66c91a2b392bb482aac0ea4ef2d1162e89baf54ce29fc52cacfa6b26768aef138e9f95076f221d808ffba799deb65d72824b94367a8cd852b31b5f983b4b0a88263f16030201479d70f1589e566b7a9dc62c6e1811f6cb1e8cdbdadc18f27464253cb541aa07a99a6d32f1555bfa8f75b3843ad9cb0e9a6dc9036c89824ff10d875a6009ae7995edd0a416c471af1e9927e102c906c132db59ada47d43d9b92e50bee2e6589ffef909bf22e5f3fd664c5ef1f87e1daca90f23bebbbff179019054d9565a35573bc9d56ae85bb9ff49681a37fba09114ff9355009d96f9d9db84fbbd9c904fe5ee6e67bbecac7b7666d086083d012bcf456b8cee6006d3af06c72c01c1ae9b884f4661b83522a70d1f6a03a8df63e469237e8ab1b2ef1afb93ac4da75aeec8cb359a285012ade904dfdfa6b19852c135d752ca7a233f11650b7e98837c01b180d77db02f0ab7518138cf3080130c2123944a78dc71da1ce68e4a20f56db8050e1ef77193534840e45e89083e7ebee8bb267d18ce003bce614e8d0b5d5aedcdfac4718c3c96e5ce6e83d9a06a9a1fa3784dfef8a6ea13f8f9cb0de615d591dcd80f996495305dbd18025c3a21fcd80feccebf211734a3c015d899695ee4777dd3209b4cfe9ea507f6d303bd8697b91b3fd500e0d8abf97579b097f6f733350aa0ab6e8837b4ca21b6b3e6924d0003924bf6b785daef844d1348c4e036432eebc42acc53e1285b94a5a2332860dad6f4881a54881970a8a21acd13477fa4ed1aafd274ee57b30fc60eb265c8da486ed14ad74c24670428fc2db71c929e27c4d9234e199bbd3366f1d170038850eb3e891077bc6f17636d1507cc9f884abb5c37e5b64f1b532b74bb331517f526325047da3abbe1dcc9d9d33ff7ed18ad35ddd0f63ba668b057eee21bd3d0c8af93d57a965d778cebd4c220c8e6aa08b66dac10fb05bee04135407f6397813a543df798a7f69c653f714940217c3788ef63a6efa9773bf2127c909e4f9b9c2d9428bf861830f99ea98810f508f45a5e1d803622b12da5a4f79d1da89402d888f9b03a064d7bf51c3ca508a3dad504a57533589381350076b8c0e371a36f97b6e8b460db84c35e7b0f9129c4a635f70c7ebb102e3051ffbf70653a97fb82e74b332045f21a3327757beebcd99183ae13656a9854cfa94ef811137f9f62fe3d14df9f43842e8edaf7fbc41715f8a8ac155a0f76b6c856d964943a0a7a3471d04867beafb56b5430f0ce3246604edf62bf40150b2b8d64631c047ab2eea30fae9ea0f00713b85906209bff7953fd9a7c6434b1455652140da6979326536998173a2bc29edfb5457e9b622b4236fdadc886981c32f5a79f783fc877b23daeaa847607ae4c6206168ffa025e3af1ecdc96f97881e6aa5a99cd26359f467f78d294c4f82d33ae60a0164c9f1b961763a1f8fe6e9b9d1215d6e09a5c8a6210b6271f26925d333562405617bb5c81095a3cc8e69b603233fc10105d09b4a910a7a9f38da427d65ff33132d86b79eaa4589389ee8e782af6ad78bb6f3a4600738d8825fb2368fcd45b773f19e7956092d827ee7367fe7b07beeae2bc104758bcb83bc11ce020f40ed12ceee2e54cec254747c94fed44d94f97e04288b3ce084512b4983d07bef645f2c998da102d76d095cfa23cc675d92a51c1e4c35402f14ac3f122dd5f733a55ce0e73151a04b83e2ff92061e5780a7485f450c1c6e6d6855c15a2eec8f8641d30637144f9924ae2358bc321abd57f42adbc8f4051e14056d5cda5468d4e0c8cf7c216a8faf7b01f5612eb4b32a44e3eb42f906771df8af9aef4dc5d2c56244518a24c101b95da839cfdbffe9a494cdcbcae3278844bfad094e65a6d0f5ae64a64e5bec9d52aa9a2150208011dea5a877da8d63a6579127eb7211c73aec87e7862a284f81432f9db58922d9b3e7c0c8e195bfde7eacb1703f27feec737c8c9ffdb1d65f24d4a1bfef2bf484fd8004f2450c0dc5f581fe4e7b82e830c603346e372cf55be6760a7a9d8c0d80d979003b5ff31c1a9ed9fcce9dec2d471dc1a09f7b92cb9d0876b18f9f370067cdcc62a02bca773175f247eecbff0418820853d75c8c6e51f040d472554bec4e2f3c413e171937f75cfac70fdf1d42a7411b2e9379ba3ed1b3fcb353de14231e9f7d2a45e910578be4c214b29a77d4d171dc174037422baf292c4068897677b74696f5bdbd480d20497ddd3793e1163b79cd6ab42e34ca844c6cf4de7bd3bdfd2fef5f530d4321be4592b9a1284a9c7003e5198bb2793e575460b908610b01f7b1f3bda844f533ce1827653b00267c8cff861b17ece7f73a9447bd46140cb567a276a0cb61feb7a6fa6e66ab3a8e64cec77ae604265939937d932c43d7b320d01749b29e46c3e3e900477e43521febbfb6694746f2d2e5ba94f4e22a511bd464c604721c8e2abd8da27e027d125b49cf69dd0d4fb2f9b9a58644b59c62479302edcf9d4d5560b4f98ed0c5269d9fcfbcca1ea0a06bb1a6d9fa3368d06cd9410e0e9faed3af97077411e3116093f041f815d2238626d142a82b3045f7b12c7ef329f1835f9f7d4f471e97959629e4a46446ccd7c8c3f45d5cba6e2b00904f1331f9d1c29490f628cfa26072613b552726d20fb72ed02fadb06ec193af0356ff509a48c804ceac80b6744d0f53f7afd0d4bd13370f3269b6358775cf9e0adb2666319354e6e1d00e7f7e54f4c6957ab2865d51da471abdeb55f9a50987fc5a0e75ac6c225edeb4bce0eb0ebb18b6e97b5abc9f3138c86f12642c30e434cd75f99ea6773229dbb2b06367466522514f0747e053a46fce6489e261433ef1a806df46506ecf535cc0bfae278492301e4b775a05223ed47a4bbc9b70994b62b2aa1fa836cb59ff9487cc44b2f60205bd9a205ecfaf3e29667b340feac372b19893580ec578724e519d03b79a731e10f6b54501fc7cc8e0eb0ecf3f88f209eae11632d4a0880befe1fbecb957817e0b1ed2f7554c27653b4fcec8dccc56b351755f73c7a3fc55a13f28ba927283732e27d828702cb1880047f95ba9e3b5b599ca6f67166ab2d1f558408900b265ad627f2117a0339c48831aab555bec7332709a5278e175bca4e88a3b7c30e7b24631d199ca115ac5f8d5d71d0b1140a4161c23b7e12c4e7a47762efc3d2b8b916be45b4a02f825c28e1f10d2ec44aa248c7a2e06b7aabd811f066e850b8451c7ef787f0cd5a7c03673f5ac95533c4253c86ae33f1c8fa4b7c084985d34bde2efdc9d819e6ad6127e114cd2794260399421532191fee76341cccc542308d78eed40840ce163c1ebd2c725480a4389fb500f81578ab833d099ca1e41a0075e104d19a78ab0d3fdf2412976a087d4e6ecc052eae45fe106f4fafb15d25642dabfdeb64642b7578999c6837c7381d0e5c2b87a255ba6cb5162b011277d96417940784bdf7d6ed3ade3417a94eab59d446ede653eb293521072f630d87a437bf7bc5ed46ec5c1784af12deb751837eceaf17b624988d1e9645923cac68158d47f5e4ff80eccf38b9e40868a7adfe431c5a15b2f76c081b0338c7aa870ef1f526b989feb21f5e08d14fb98c839c459da04295a4febd38e828213e39451a969753f4bfd6b7e545e9ad92ed5f089f4abc160eec723aa137b3d104d45a7edfe82dda9a79fb772a329d9df3a08b19a30dd066a1accdee98bec27b430bb2523e507b96a0e8e802ecdcfe5be550f6d4469fe3c78f75bb0cb52a9590ac84c41bdfd6ccc86ddefc5108405bdb1b53324619007662d9d318f4eda9ac61d010c14d41976396b58e1c870daa1a7c7cd2b90fd354dd5c96c4a632df6b0437336ee305c90d66ef5c5ece98311a9e89f38d73180a6421f484d70af4acd39881b4647ce2a9dd2ca5f6e64a98922b0411516e12311bfdd02b73514e9c27d330af650117be3ba69e5e32a4fbdaf97d822e4d0d5fdc31b447b3edecb0f85746dc203d1a08152754089c2b7708b20859da0dd480bb96c6fb57ab5e4611a8f36358be854764b1e8631d64df259ac7ef4167463d3dc64b7c0eac787ce3319e5795ad39760590f20203b6257320a445ef56093e8eba3b1d2b93944fcbed6f9646dea5e8976169406a19dbc1f67d4f9326abc806c88da9913373fcd061bfe42e6a282ec21f381ff788599dff51adeb69c2f3e5cb2efc9315cdf5dff35bb686320fa93d478619749d29e3dabe61785f2eddec9ad36b45f64d1e464bd5bb518d6cee2f2afdd9a34ec04d7e91cdf2604b7f10225c322e2c9c342ab6eb88d17e88a0430ed01a4c62709a1a70157433081f4673150e1ed37cba6659958ad54c2908d7043e9e895da00ae7706973c379cb33ad547ecb7b330bc16998a612b7b3d19b914f16e02fa0012d23bc54334d905dc6fe682c2d4cb6fdff12a03b7f777a822cf6c00a44900dd7c4c53d712566027b9550ec6066fcf2f2893d379fa408bb182f617ec78e3a7cb7ff55b3b2e798ff92a544dc307c48d5f679f88b162feaae78b7e0dada8cdcdb12fc7989614e974a5d271e50f7b61272aa41b30568b04fac1f9c7418857f38c6d15ed166498c80ec33c9630efdf522a87cfdbb3d0dab6a241c751449638d47682f51d623eb0eb9b4a7a285bd3a0a36510be957d0b3e16ba11b653928bc842c42ef79eddb8e5d9116edf5864a5d7b5cfd057243eef7dcac48d93aeea1774c417dc6827363c084d7340ab139e1a2b89216d0b8154ba26df8aa74cfe080fcf08fdfaffe6b36c54c199e0e7a3dbc4338418dc24249218c7fb6aedef9fec1a8cb825ddeac2ac94e99b21c666d16745238819d6da3f67985251342c373fc97b8809406fb17a081403bdf7fb3da27bb58c552bb284ec6410b5e45df014b98b834ef01803aa8625ba87b0f00393097323210ba0a915e787825d9cb8a8bfb8ea40e312c18139c43b6cb8e237040657bda21c3fde2f1fe7a650a89586e4bca0041b4e69c8401cd57d508cfa1d763bfabc0017a55c501c0954a20bb607998d61caddc0c296e610371b16ea333098c75283d0e77a328e60537d3ab81a9579d10053f87a4f16671a29c27c9a64e14a80808db4c5aa7877413a0b9bfa63028b1779f691ca0923555a0f593ed606058f5e3d002dd2f2ebc7be41922224e1d8826aecd3c9c6d84a40e5c6cc93700a2bebe156d03dfb7af0f183505b04413d5db154d614512db9631a845246ffd58aeee7660c86b6333c3afc864a046a407ffb10b55194e9b787553e85c0b1a8458fea3a60fb3c4d571a5ff8f5d58addb1ff5812d30009176d22e81cf669bf9ad9bec471fdcd7ef1afb242e9140d3e36ac4494b9fa1e443586c30a5e247a23d5c9388eb13909630cdfdbc830dfa586e04e36e1a9f548a864cee4568b18b49f688b805cd90a7371463ee7ec3b02408da61be4f52a6009dbdac474e7487b76b81602c6ddd10f02ef334aa4d7e543cdfa9d323da5a99cc417c5883c2d6e94a378bc8795ae7db4734d97342f19e1ebd81b97549117bce2f0c9c8709620e2659bfa78fc3550b8dacf92aa7f95a9a16424b54a5d3598bf9acc6d440113575818ba8d6351b47d09c5f2f140da4f266e9cd90c6dde5f313ae56e1b56bf303739e33ab6592bda5fe3b49116c86ed0637a6217d979a3af7dd9d94d15c9057df74abaa1697379d3c6bee43b452da087f9c35c5e0211eb0deafbb1c74907faef22f3641c2241f4a33fd15b76d3d18ab1768f4a898bd8ba2628a36bc48db1fcf8df73b7055f0e903f3a75b2686bca706f8e6c73a037fc0543291b91f5b45558006826003ead468952e9fb811dacf719a2a3073022c761ab89ab9a71131d3e9c13e4f3bbc01e869850b3e1a458c52e6ae48d4977e84584738e2e3cdf7f500d59cb16291906ee06cb852adf0e65c1b142a3258136e2d5b39291ae22b82ec70cfa96fdc3cb27a04fae3f7f1840278033ef7a8a9893245687c7533f9583bc84bc49fda4817ef517e373e4ee9078e59ced48aaf7f57b765cdb3b035ccacf875bdca1b81048402eaa4983cf9a5f30a98a1143f56e7a9b16a5abb0d7851a95f98c73e603a27d15a35dd79cd9f55008377d7c4335eca83e698662c0efb4f523f0608b58e0effb50fc31d068a461899ea711e4cb5cf0d44941e3110de8510e76bc80d8ec588b84d6323a10bac9b526e810e664079bea7d333e75598a1d0be419c55232bb2400c88153f890993a3be5a3d51ffd196544c49841a16cbd79f9a9294cbd9313c170a5fd1651d104cf6839b050c58ff546071969a7ad0aebc0af8ae8ea4085252aeba1f8eef8d87a6f62be24a86112b1d17c4191c5c5d28c54e91bdd57ed096f1de81e3b0be0dd1d76d1f308d053b9ec63df8f59998d6b748aa0d18142ae0d84698c5c9076ee58108bbc37996132da724a5a756df578087e1c8e342b9eee8c249b4e87352879f65f2ee14a0d863966c20c723e5621103b37ce14dbbf238e3dad7b6ed0e2f5c2b13c20d2688639b9ce5bbb5a52132975d580e57e3ad7b4701762c3a6aa75b2b45ce5d4a6364abbe9205fe61ce8e2d844261da5c566ee3217e1542a8f4e99558069fdcaef675aed96dde432b44b520d2cb2b6c2dda6a930871cf5f9d8fbcaf84f31abf8efac1194172d02a12de345341356152deafa2e64a51e8f5e6c075817ed375cd4bc30a795e25a28c9311cc3bf4fa4612509d4d242e6fe2696c43702af4c5d2240358d73a28657edfc676007818f546c4cb2b07259ddad85028cf89648a059f09f69af3643f4f0b0aaeac33f662980e9bead7565616e2c706f0e259d0d442647fe34ce5cacd1de06af33e1ac8bb0414a9fc4640691428364678ef0346d05831f255e8cc15c11d6e8a570ea463fd0fdb599eaa2f0e1155a876c049a80bd72f9a41b44aee461c5b40cd03e41c01b5d65346aef3c2fd62fd0240163318b3fafe0ff12f6cd9e6baf5a1640d2cdb720b84059b2c01258ba78efbdd42d044784de9457184b7c4ebb155378e5ce213cad095d1afd076568916d03868e2604168045ce20ca54d30a15c8adb979db9f46cd70785567b8d5f6fac89d7f2892b36fbb4fe8de9c0bada9f24000636a5a5d79a31b09d71ce95eda30369a195ea2657758529423d485630038e8d2f38c1cf69f44528b19a029529977c9191b9c4be2b1383ea3f04c7dd21dc7741ffeedb19fea62e0d17a3019122649b541fcefcd6fec8d69cdb71b93cd345a4b2ee643f7e78ac2d97a0dc0f7e0ce6f699640750101603597e18872d0840323bc88a5e1e1718ff9c5f11532506f4cd3eeea4f5a58736a3a12bd9315b5fcc2693df2dd9640b9539b7ae7ae13edb6f12ca95cd58410b5c379d2f5612c1a474b1189d4aa1826402ebd595e79d5522230bfd278161f9043d4f10aee32c133522152b2cdeaa27708dc5aa66273e531420621f61cd748c875f5c6376e4344cf13c38dd7acd03474e4c19b6e06aabc43b4de310e35f93c652555c9d4c702c7c8fbf3f15e393c4742e79a8aaf67c20eceb4c8a65678306094740d8d7bae5fd6d1d1e87cd1f1e34db80fa101dca0c9fa204f1504c59ab6c324b34e36c00311b0be8db4ada1a33d634fd5f07ce1d5196acb05261107d031733b8d302a1bca19776f2d24c2601a402a38416889b681a036e735e572502df8b3067f7ed4200df04a01ac1c1eb2f499833c04ff1a7b5d5c5779bb8e05eda1596b877427591e9a0d0da0af1203039101466f57f59377888e4bce0b29616c1040aeb2a7fea1b6fd7abe843784f673df495460515f32563e5921fd63285122d6ce4dd402488c3aa5756ab2d0aeb57c0c5daa167f96ae079120045727ce3b7c9580fe39bc689f30c51ef6389170f484871bc75da2d25f26efc50a2c308c60f5e4c8624b5867df59d03217e2d8c990530ff10c00da427e06d01618acc7cbb01a501a750028caf0e9bb3cd4a8ca415504290510209d566940981ffb0e99beeb47ba01e0c8c62e431105a99fcdcc3e0fe4fb5c4e69dbd182b5346a42ca09a5eddc7bb78c0ce979a62da6ce1d0805fc5a924e1aa952f0e15fa59a3e095c27f6d15faee367f2299168e73378ef24ad16d934d3e55053113601d32c5a04ee6f1e7c9943060348cf8c8d7400fa5fcfd22ee5e911f1221f42a0c392cb30ca2ed10a72e0c339a1c7ca8c71efe9540e1ec0cc6643ff6d0f07289ec373e9b96320a4fc571251916e60d9f968a368bd3b4ba338571027ada63f6779c2feaa9a70186950426c9aa6ab0b3293dd4d59b0f85c4e833f2edf873f6b27b20e41cdb56359e8f9bfad2b58b981f5a07aec4a15e52b6f55a35cea858f5ac1c438f69477808986fb4f8afe656b3575662b31435fe7f6028b1c24840243c76351ddabd313775395739487155bf0c377694d31150b3b14b28576dfc0c86f9baeea5646f7a0ef6c1d0ac2f448113e5ca027a262b74bfc9711d597749d11333ce2a5723d019d44f54bbf1da9664721dd833b51cbeca4ca3212317e97da6d3e44b059420f1536e194b5447e12e1c5f8a19e17c0d1831631774aefbc677a4676a6c6e408ce4c41cdcaadc6b9089c6bf4832e81bc5d80f75a1233a700e8149800c5556d70f032b38b467404a56850d6604e3d082fc078681fa89d5fc422b5ee06fd6a65ea1ca77aad5b859fa615fc2d5b41b4b4edb4b7376833089e75cc0bd56f3917a4a70b0c4e6c0cfaabd238dde8be4bc260f4fe158baf11f97a80d7a6c6c30d08d48d1af64d8c1882638001ece74d9b2f42aaaeddeaf5501d26c7a479215bcb05f56f1d472db703df639fc7fa35c997669fd41183cb48baad730eebfa5931dcb20a683a81b2599655fc1c52757ddafa6a26b677e7a06b11335aa41806b4b1fcaf05f186352f6fd3d7000efa4e667a28be5787e9dd323fe7910fd7cd2c8b17e983febd5b0f8d72596d1b4e6b4be1399f372fcc3b473b667be087fa8dededbe06ba3054e9b885e5c930af4043ee17e1d052e3e270eb91835e7459eeb65a72f6a2ee019bfbf04297f0b21040885c57b6d189dc54d470b5996e28ece3a6830c3483e07727d76d1a570c305fb0c75d7935493280470fc847990f4551bbfae5842725c4855f9f9885a418623ce71a7d52d1f5a1e522e6caefaadb9bc29160882b52754e3d8478644144de4addd4f2fd33a2516b7fe2ba322d59265983bf8a4c89908a5c9f9669880355cfb6fdfd0d50658fa743dd3bab9a69a95c217220a054b9453e4c48d18a8b5ff40184c8e2b973f7772865fc370692714321594de0cec2bd022912149d7e8acc9e5df154041fde6be7b810256074a60c24842e0590ec7d7f1d1b45aa6ccdd88c30b23bfd3160d40ecb41420cfb408d82b7f8fbaf461bb12d5c912a94f2f7a7cc2639a3f36cd07b521495b9aed21e1122bae1e06f77bacfd2fd7db691aba1153e7f4634e1f48011789063059dd5a8cec72d8ab33048c4605d3e8bb6a37079c3548e0e14eaba0bd045d2642df445d707b82e4177275e9c09844f3c5a8b01c961784b307a42d88e8de36d07293bf13bafcd754c7cc0a9dfc86c6cbaf5138bee089f3a53d12cbb9d720ad453eb509dabf437154f4a36d4a3d31473977cd0f832f927812cbfa2730d87a2547480f7f6ae7581af11274b6c5bdacfc27d1ed51a7f3449752385f815da048b5569c8e726214ad3864cd0003fff7910479ac27860e22700a27a804b57066957798741fc22536e449d640ddf163715860b7a473393316ffc568ef809a995822c551be8b17dcf29e6b4b7497ac0985b933b9793760ae1ab847c27fd2fdac29b087135ac83cdf2dc7cb960cd2e6fe16dd07e4a9359868e2db4915e3af47437dc412e916e99145b0b47b2026703a1147ec6e8c066c8ef351a9fa9e151b8afbbf4c055d919af5f727ffae6731c5ee85b9ac1674d7f51125f5607d9a5ac2c880659feb59f3a3c235336a2ae80a58c26a121993099d84aef36319850788c315151f6a509147d9eb7c321a3021dee5002fb39da17a2b2046f5aefb95ff9effc3e6a8e7c202efd008f4dac8d6fcea6458362639416b1085f51ae259fa23c4ace0e906408b88b77fe24fb4cd05cc4eda1ecabbfae95c5d01286aeb26245222cef988a2e8dae71777e3925a3b31eafdbd8d86c538455682f862f079bc844a60c4d9a9f04434b4cbdf4ebb0edcf08aa2c8d1b5841b824b7df1951a67f0d2ef55dfe8f44f03812c0578e9a1410e4ac8c0d8110256438d358256091bb28318156f6d4d31d66925ba26f38e70158d4808950c9727f8df13e0c6bc45075b0ff411a5510def9d32a246ceb55fae12784928dd6f5f1e86498896c42aab6e7a8c4b0c26b5f98f6e7f3fe5e8d1d22f7ee5fdac89febce5bd645e2649f7f68183b6dd47c5fc6de90dfa7e241dea4401e276506dbba98dc06d6fb36164288ef98ece7e041fb62e2f56c38e80202a50a46e63aefec721e72e1a5d7a0345b70311d22cdfc1b6660ae744e142316bcc6c1fb2f62746d6e994a7259f10bcc4692fd6d6e18d6a4a8f1b3ddf8a9ed1e5056a77ada221514a64c4d13af4cdd0ec51dd612b0904a89f6849485afbb4066b3026dbfea1d723bd47436a5cafbb359f3ebc00a116772a595b7169252ba53bb09a330baa2dde9cad0b66d2fb1a22aee18791a9286d4fc7eb82b8c0d87ff26eb8f38b72df26a5f0e49c4f24bca5174b8c671e32895b8e2cd824b2dcd2a9229f8065606c12f5ac718c60c7416bccfb465277d533c9697402c804fa6c21b2b1ffc14fff2e81322e0f0db4821785247f46192f1039726010bb308429e35048c9a715365dc253a9a6786cd2103038f9dd2c04df2dc3bdf37b27b1ec4706887aeeb1ed3133352c124ebea6b695ce84f65b7d61b2c21b1b58e5c6369ad03d9ef7a1f08cdd6dfaafbdee77de92b5317720f5af67da104cc197d5e5fe2b4ddb11c67d7550de91822e30d54372ae2305334458111793ab020222f3f9e2b6dfe6532796c2ad82d1063bd30164e7e6e236917a722834239abcb83e683f5186b557172fcefe7e2042a08628e7f290cd483cec6abb60604e0de363b205fbd0dd909e283dc12cc466085f40c4244f04e92719206fdea4e5997122ff2b0b1bdec992adba91771239d0e7eab11172191f5f2ce33b459388ac06474a2e7543d3600b942f5a277b4dfb68dd22a1bb88fe1a8f92b03cd8ef9dd1b094d84eaea5dd3e66517eaf78efb5fdd6feaca9ab9ff5266ed1f46ad6a138b9d3b2c6ec095a14bb04afa3c8f31a6957a5c4b4916bb6916fb45b3d9d426906191bc6ecb92dc1fe2dfcb20c04f5a115d9c87e8eb07096ad17e54968289bd9b33c53e073af0df28bb98d9567e67585c3ed73a35df82969cae3875e058563d45b3bcd69b7f7b94d4be40314b1b1205c672d9e9b385ee98fa2941657f05be4f0bb504b917db99ac1876ada05933890711690971a0c953ad5c3431447ed3de363606b7076b975b7fe7daa76525c34c59b9f4f28952b40cdb7a827459c9db7dd3068a9db8a104800d95dabd81005532db44c7c37892660d466386fbf3040c47172f7a5199b568e3fe86122dd5c65595f786ff3322cb7cdfb10223df5a7cd3b9abf322dc30ac8162dbe680a10db03a72cd66278a8f243f91a0857c93d2c34c83849239867df3714a216e72599a7bb8666f97e3c76ee1a865f962ec03e2cfb05d221a5f5078c3c722ba848895eebc1e3175db6f46f890c85edcca9425f5c1a5e31f2e776af9eceb6edefa065b3b4fd0d2764613899b81965d6311bde99348bd2b6dfb4314deb6cd034df8ddde1e169c6d95a4189e1ddcfae8ede44358ddf38d790a188aa4b991c2f8934c88a130a9b04c4b610e33c86a28c771ce6648cacf3d6a6eddfb2d9d55d59a8fd192edcaca3bd86dbae88ec8c003930036a1ae404fc701e9e249a7a2aece876c04715f04d688e859e476dbd78dc1aa27eed4a59e67cc538045df964551be2c906fefbd0a3525eb2bce91315bdcbd98846cdc7370406494aa58278cff320b94ced78635d6c766c3376448c659a80f2ada03176b849d49465f4cb3ed14f2cc93c3cc48521bccc63e5981f8cf3a425e81220ceb75b5356a88440079aa7267515eff287bdf1f3150d78ab4a8d3b54202a7d8f5f64c0f1523f663d8d8cff76713727d45f0880a5498173dcb97cbfccabdd66d1f763175a1a05909c86a56a658ccda11a97d1caf5c5be5d549f0c5da991459954185fd818800ee92fe1ee5cf47e5bd9b300e9794e6e24231e1b7e4e023436e94b912f76dcf888be422bfa2a5a459b0ac76e4420774d9ce1253ebbb476b027be4a135b5ded8b4bf1e5f9b7d466ee9419202953aca61b4260c743869e8fa5d9aa612e34886e6b3f9f2b56c49d2605ccb2e5e295d73c5733fd9721b9f1e663f52f755d27939e20f7df3b2b5e27bc18b0db0ec30ed32da3340cd5e80d5b990d27d96e6aca3cfef8671327c5e287bbba53968a2aef825efa837ef6b8b09cfb2f8f2e47cbb4da26cb5d569c43b26c7278d24164a4e91c8c77b928e479f46b1a0cc0dd56a49d257bab2ba329c1b0f8fc4ed775af6b465ee93d21534780f62e76fb6a9a4a6cf72de55407b144db3e9b1c508f3539c9dc04d525b7634a588ba6665a549ce5819a2e05112503e75f6969bae2690677197310e093d1e30fcc1dc7ea08c4795efcec23695eee4e79df7a44d0a6495c86c42655e8e2500202d9363e76f365a10f94a600907cc220407a2d5bebd94ed6b3900ae13c2be21b4da43350ad5f45c01d00c6aad3bc75d21231abe4eededac5669b4d74fc2cb6862698d8d703d6cb3fb8592ce54fe2db486adf4c52777bd62ec85a4b7d9f5dab140c3adba05395329a644161e398a84539017f88b3bda46c6c96ab19115082fed39b28b94ced75167272db5d32f110ddbdf4234b4397d3490da1ebd649f1df80b3c2a6b5552ed460f84466b6a9b591c1616ae2381c938cdb6d12085eea42f2cca2fbc21692bb46ce0e84ae9acd67148be4e0d75802179d8238fbee123f678694f1cd640f360588493afdda30cd2ae6246e79a5267344b7a9ef1120b7e1e927bc42dd762d13e6163fad74d6ac4ee5e7db7ff3f1262abcd2cd18a1f90df47ec4afd04bbec83f8012c28a67e316d7e9c4da243737de9d96486a0d3e61214df870ad9b00dde612a5168d24d8c1e92af0481e9c8fde6d3fb597fffb590bf5c3008253928be16ddbf85126475d0ce2a9d8ceecc66ac0c7f1b62048287cfa18ae4acca5ec5abb616f17b2c3e1b9ce4eb742486229fee9507565ae40254581ae8ad6251db3a5f18ee440bfaca7787c28c53258f2a879b53e711f826aeb2333e915944910c82a1b7f233c22ab2328d6e275a5a04968f6ae2e990b8d8832a37dbb1745204d705ee542621ee86ae8dd89139dda8339ceb37e6cfb74dd0df89644391a0a4c397bef6fd3ad7ebf41f44c084ead35e0d8f12e0c114974654b797750eb71649d5b25d87f978c85116fa2aa4c17131593c8872fa5287311f92939a3eb03f77bbba7e9f0550fb8965ac1b8fa1a848aacd6bf177a7b12b6c8ee7313e90f17d21d404a1175c61ce4231b48ff900f1c964fc2b2940cb93d49b54727d9d757ee1ec5cada2a7aae117550fbf0652943a4fc5ab09ec81df6a0503df2883a7d07333ad3f8de88c2d7c0645c30ee088e6276fe7db16d8882f253f66026ee7501b3e9b812ed7cfee345559216422ccf2c852771cde9721237a2df3cc7a88f31ce41f832f8a473d481affb1c0e22000b0e00a0ac2822de3193aa28da3557e60cd4a3d3057d6b46fc7578d39bcfe5d5525f5cedeebbcbbd945e178c672a4a2c640c9af291900293c4c334aecc803263d018021e4285f0724bfd2081bf1a174a5b90bc8b8ea9ba8585fb3eeb2e0b5b341713e4a83eeda01a118f26d854604049d2d9b20c6da259299c8da79f08dcf89be7fa954dfdc9e8c03e129be0d9c6f033fae8ae038b6aff930e52d4e8cd6c77d19fccfe3fd7d3afff1162493ba7bdbb092ec64a81ad7cf85baf9604194566cb1750fc66322382e2956e57300785fc4c3c471484357780c143f969f0ce4c57866e3b81e46dc2770fb3e7bfbb470bb26e7aa9c94523724e63d5dcdda911e6ef9b8a48f00cf93a8b5ade72cde22560ba5e57458cbc8b86d145d67423129e7989e1ff5e78fd79156e6013b0a1a3f9e31e3ac0f89648728237cc83d7bfdd3ab899d56d553aef00a831e96b8a72e1ddaa5a0865174dd3195362d370d1213f92909784f027e4a45a6611d3793904582a600b1953da6b4d0eb27b172bf98162c44703b24485eb286f424e7b5a47a8aee1037e28720348d616b28b150e98bdaa1875fb2692de470fb1191f3386c2b37b47fab695b1757ac0e5bb838b99ef666201d2027f6403494ac52e742c0fd62ab8bae223e9ef005014385f73cd040b2474143aa1454bcc56212a854a436550a2a74a73938f6045937ff3338d512a3e85d1209807a2c393ed6e418e32ed2be3d37df94fd967d607503347dd2369d3a14a8e4671a1a856d5b803baf9383ece69667718fe907866f10262a58c02eb5f0706073610353b09ed8dbdca307ba9decb7a8f0a026119173b972312095ca5cdfd3a7dfddbdc5a037327fe7f41764105047b4a19d7e87d81c4dbc7b9c7c158dfeeb1e7e3fa45d06ba327593bba7e28bb7a010dd9fe9130164110ddb9ff54d2302d8c476b6145d1f89a055728acb30d510bc93f59328d3582239ac28e5ac3a4c971f19ea95355eabcc55a22ffc35b9dad29163ec662224c524dc545a86787adc89d7db9b197eabfd1d995ae01f248340b1697155ddb2ad540247a59ac8574ed41c8258b74a6fb651f2d33d347d6d38c629c87c188ee4310c199de7f0bbe768e8cc1e7ecb3601af0c8c26d8266cabfc8c83ad1520442cdedef6b59ed8b3bca8c38385a34c360750ea3f8e570252c8bb6c31eb24d12f87eafd4c332b12008a44186ac648c75f9adeb621748906dad542b289bef5fdeb83a23af903fb38540975cb5282709c3a3c9e7dc0ac244dd1827e5197192bbcb023506c8f1fba9db637702007b474bc663c40e8551302185ebe8b06cb30f59e1c569baf9466d2eba8b7023de824b6bdff0c77d6d76c7e528902e4cddcdda2bfea46ca9c5181268d57aea77972e8bda85ca2476d23d662487f6d2e1e5613c5ecd2fb05cc31abfbc509d1756dcc8c0bf8b4901cdb387342b62cbb8fbaff5437d862b3cacea99fe298ecb527d7bc90e89a39b6db7140ad4939d8fea8664b77aa2ded74a0a0118d695e1da97c3c3fcbef58cb59809ba359c7462d58f3fecdadf94a856efd5543768d8a3b27db5f548efe2e51a9b4243c231743f52f5c0355a1a5ddc5f6173f2b24a906d910737dc632a25d1705090f957a3eabccd8f65b62baf4008641c20e8ee6d67c0eff376ec2f88d8cc003d3ef456bfb5da571d55cd7b0a515e278ceb4a2c84422ad291a6bda7210d35ce1f7d3e2144ec7030cc753859dc5533b86e4942394e71acf9f8fe2b9fa5be163484c85cec615e1353a3a5f1a82c55d916fa4ac7f31b1023dcd9130f61a8a7c00301a8e6d871d859139a7852a60829f2087e93e14e59b2762660727da193ecc0dc15e97234bcfdfcea68ff968207c4fbc5e7bff4d9408d0b252da323d2613c3ab9971be3a6c6e8982a1ea2ea6b020cd0b78ad83e248f38f9d7b2c0f81266544b93bc0f02980ab0bf873ed0527d1a78c1283b5cdc12314d22b5e182921d46ddcdf7402a465044a16b2d59df62adc53e689f6e300c53352f267749b79e005062b07d62b029ce5e82845ca6b695ae6c9bc13ab011f22707dfce7e98940231f7704afc12eef282bce1ff8f0dba329cf70fc56fe1cf1d6dd4ca3d079d81ad5f639ff8fd904a54047e2b99d4ef027fce4b70b05b4b5dca48864cb19a65a42148e3e2b9ad158f9bf814a0fc0c9d35c61ecb9a6d39ce0aff53f72c63c93778fa9e01d81ab985ec1ab9337252a4634e4047cd92913d85db0194ad9278e751f02e126c8d9f103cb9fd5b0dd883ee17130460313e6bfb066a2693532785af70fb7bab2a9d45e2853e6f624ff1f4b2d362c63b8fec8f8840969900b1898c11f4aaa950f6be042eef4f57b0b5decd0d4c463a1cc015b517f151431ce6267c02e12dcc119351e3f099187598c7a804a5a736927da508c9a052b6f792a6f24502029c0f758151b65c7cf3e4239b4732b44ecdfe2c8fd3cfac6005a13d132a72f6b6da2d5cc2c8801600eb16c1488187bc7d43bd5c9f6bf4052e7928b17c4f0b9d5bcb2208970780fd8a3fa479fe60a3def0332f2b9a321a36886fac104a4f739db35aecf71bf1588ca6fc3c3430776d304e6fd2c6e335908902d815593ae06c4ba29eddf5f5e3d715f5d2c772e2b0f62c8d53a84a6835a4995af4ad186b21b55d011684ad07f1317d93fd32a87bac3b2027c39173d51c95c486768cb924c628653541146a2850c8a571b2db560eae73e5118b2cb125f273ebeed428a83dc103faa06018ab58facf4c23d4f80a058e509aa5cb88de2e74096ed8c73cf4c1c18fb766af48f8c1f09c85af655ef243567973e2650919fe4289e1b949161560cdfd1436d0eb34fa5dcb1fc6b655e5de8e47dcd61987e28b2b67ee560d3e5bf06f08d1740b541dbf5fe966c548477744009ba253e1799ea46842411f7c66bc59bcdf3c62f265169bd53e2d157ae268f239ce8147f5f7d3f6e1613a4bc45a010e6d7efab1ebcf3666ec3320c356ec9374d4b55b5e226d2976b63f1263c01b5dcfa45b5bd0be9c9c3d11e2ca18f6fcc1b9673e5292c7354047752b0f88934129c4ef7562991261a35bffd61ba0912fc03b776a8ba37588d1fcb98e4e70734778f88795c5e53f9d894eb502b095ec3f2680c1af1b1db4d049d9c4e5d5b65a784b318b2dc1862176a36b64568ead48397ce6c684532a3ceac8d54178ed2c4876008bcf686e1e9bb60fc7f271693110f9cbf43dcb496a70fdab4aaf65bc6119d34c1c5a8138faa23b2b347f2bf0f6cb9605f3f504b0080689091688f03c2dbcdaee698912ae4e5366fae05ac4bf34f3a001f39c612e0a511ef4fa6b71ae32c6a805837530755b7552baac76f76215628592929629ec4e7f386ea26ae151a9fc1858e270621116802af43107b3b952084a19be63734b8effda36de57586b29c50737113d04e1ad7fce51419001d1fbb4c77191321fb3d26be954e8ec78d8f3c5ea6aa0a7c30d2a817b8ec5c3df841147f63a39eea423298d8a05cee34e6db542f4aa58461ea0319251e84b1b4289c2e8f2f3f76cbb459527954bc00128dcf53a015e330f2bb9a43e9703299de6ea9ff7ae84beffb479f94b4cdbf24bde604d69c9378cf8387bb9831c46a619fb99915923d8ca6ce536f47370599f4dde04c823c067c773ac7b6f40ff5af9b30e9fa17cbf1e34e30cf503477d554d7a4c8e085b1900cff0b0a80ee5961942b57b485498ac8683cb52069ed367edd614555d7f53ce7601ab779df7a28cf7be8bc1b6a9e1636c697e22b5f2901ecf6c7348c335c8b4a3c69d9fe63df416760c0c747de61c2e0960dfbe5ce7a553b532b2da5d9645c5d5ef103cd1af91a240311c1d4c3fd0596f4f65f3113f87aae24504e633443ca5b5de854a74d1c619c727a1bd6764a214be118698b17766e2a95d661acb2d0412c7d36cdf4467f6daf14b962cd97e24fa3cd5ad9adf2f3d1093cca7dc676de770970c44c599b996d49b81050c744c7c9049f93c03462089dcf60b9befa1f419a45563f82e7b587b26ebcdf5dc8b4cf190b73e4bd6d6b84a19d4ac62902ae8177d3aedad512b80c9573547bed38d9f02170d4e8b3a1b18fc90e0b8b871ec5227d4c8e114f44ca8c9fe9c5d02054c190559b26b166b7f9480aba380aec7ef6384dfdcf57c2c6119698b0f2a21228dc6d5cab83037bbaa475ce900d18daab7349e11a18e915509c23a50002c3a24ffb02be8686c190c8b40d7f044bb227db73858293befa17719915a8bdbe9f8ce384b9e46541941c0d964abfcf81e701cd72c7bd935eb1678463135b834396f38068ff485b409f310a1b0514bb3ddc46f109f689f9ad498bac5509acbd6579c2bfdbf5411ba85b067ff2733ac937edf72b1c74126e89017dc34e8826218015e25a28af71d9bc21f4dc3a2fdc6e6ece6c2d1b54e5fd3c669f57b054f5d3362935d3022869c3c3a92275a66dda55981262f10f75839a40576f6e39e354336faa442133575f0af25d64bf8c029239dea3b16dd6fe97d11361791cac093dba5668f3e696c12a304cff2613fb886bec87976af2ad8efe68aa8e0efca8fdd663bb65cc5ff4fe114a57ce0a7e3ed2a183614818794437e91fa03d3a7042ddddfaec07cd927a8abb492ba026779a9b029e84f32cbf3f100321cf1b9380ecd8b21f8f492fdf2e34a754a0599635ffb84eaeae713bcde5c55ca74d446c4b04352a18cdfeb00aee0f8c7df00d7b9ea5cfb8d00db3ddf702a5519f03fc02539b540fac4453c36d763dc0f387f38c953abdb2bcf8e1c1942b6adbef0f89163b5ca7def027d09c03106af8b2571613924a815e319db4f0acb27a32da871003bd0e14b69365e8d9a7b9d87a232e018cd277d7b2b5ed2da56363ce9cb64a754419473f714e183c6b663df0090ab6d1cee4a04ea68780806ba2680e95d80b2111df2091fcc06874d044e3cfffd2515e2fc08b720be1ee43839282724aa05ba713d50bdebc6753829cda0999d310d107f534b84d981504d986c3cac8888aa0ee67380d324cf541971b092c9cbc86254bd537f5bb68c0386af4a228104fc03db6aa3258a4b9517150c037cfa34be268dd0c2159833a75caf4da248f71a34a78077e15b44d8d7770999762b0e70b92332009999e5a2390944620363433d01ea4ee78efa89540f652eb622a9373c51c8e4194324070621bcc6ec1a5f99964a6fbe2c2699cf63ec3ab6074cba2f395da358e8ff63048ddee805d13f51bcb470324abc4db5a9df832cacf88ce12d4a759d83e527f4923addf1d846986bb22ed457056287e399622ddb1b6546ecad1d159822d96b84dfae694d2ca66dfb9666a3f2ac1cd69a3e0a57a8c3264b7eae27c3dfdc0679fd79e179b0a05ef73d8a16be7724a23a23df607ee7ef8bf1c85f4f8d48ac70262c0791fd38cac8ac9972a04671434477e34cc1e242605c9e8a03a5ba68e4834e805fa271a998ac9046eb9c2ec1fa24e4fff377e277c978655af4abacfeb9f7f19b0b6ec116a9d59d773b409dbaec6a1f571507ab3d9c3254f6adc8771783a2477a8f744ef678db947efef1b1260fb8d98686a892f1a7d78afb4861754b37780673854c74c7789587771f39299d638e22a4a40f5224144cb8933dbbecef6b141ff990c59f0148c63b338eec3b7e2ef7aae262714d5b0b98879f1b3d5455b84e8730097c7c092a16306e8fdab596985eaa5cc048d4c7cac7120b7348a9840b7934440569592a83196c7858798c6b342daaedf49ec2fd7756b2d63e2ab21b8402fc4f0e47e886fe99a272b1acc04f69ba722f3bd3a87485cf06d9996fd56c544f4d3f03fae0c67aa974c5aebdab64ea11d40c7c2617b9d3664d39d42ca94f314d7069d974c8300035b501d37d55bbd52d78d4cfcab2ea886a685732f3a2e2683fe97b1da11b21dce654e5fba9dc527226d7c1b6149b63f27c489eb3ad183f06d1ce71ca2df5324f4a2082158d1905c328c35b5c5cc38e60eec085e7d86c6b9e0d181856ed08968627a00bd04fa63bd6fa1e995d903abdc76b6f727fe0b51f87721ba1f8943e043725f8213565ad1281eed856a3f5b7320066c05fa7dd7e1e8f87c1beeaaf20ea990a28debfe38ae440592ede139895f613100a99b2de0710505c123d28c280ab440fc264f51281c77e1bf685a12c12f3fc35765f9fc734f318d54f41dd9510d52af3baad403d5281792ad98b396ba3a3fcc61812ed729d877b541f5dede5d6c808ca93d74082a3cde16b615fda486cb7cbf20e045160c5f22c0b498066bd038da324f3db078964e626e023263cffe37b7e7b60689ba612c0d5c0b7377427ce241092c3342ae27f1263ebd1b1e9ac95ceaab495152db27bc30db4b3deba2d736d53fe660bc6758348d5bd643d1ff21aa4d8eb1e5dd4576729ee1e649e1dac96a3995bea6e742116c4c860f8924a8b85d5ebc2214082bab0d48a98626da328bd2fd787ddef88d16ae19ca23c65be3cd3452751ad669aacd2e6085042cfa3b299decc5e538985fe4c2607fb3e74be761d9c33dbaeed9259683a16054bf0022d253d0a2c94062a556ddd41c3220f8aa26cdbac4cff3df5e9b16dfabd6eeee4928636cd693e708c69edc1a5164213ecb0e35e1ebb90c1f202ae37d0ddba7f97b2df5b517e74bfa121a03fbcae3a85541f31895cba0e8d4aece5c935742f27211dc65e14f3311f26371afce2b9dd236d9be1918a5ddc9760d421a06fd455ab36a1ec95f45fc67892836e40e0869973a97d07fbc7cc5598ff7967fb78bf2871ee3b23f78b3dc109f7a0a9e940b5e01ab2a910992fe1ea9e1b8c601d9696d2c2c04fbdd5100c4436cd9bb0840d5de3beca66a72e1e981dc5b7f53d08eeb4ba8352c6d3597cd75d7da630d8a9d016f9906fee70614a2bd0c37a3b1dd3a813ad2708ec8a54b22bfce4433f6bea28fe6bfff5b96f3593da7c3bd3a863ed6503721cbebb9cf5e5c51bbf2170ddf1b7298b82778a98a946d7f2f14e838a3e2db7537ad67d5c276de11095e473da2c43d7635babbab6cb80d7ce1486e614c904fbe0082a74e46c8d07674ebaad6e6ee40f0f6882d4c1b3243d061e81b3be8640f207bb194453ea6c1e252d2a04a2031bd1342fe39369a897f26417d968759a5c3a06f030ad0abb20cba76d22646f9edbabe55561c1a6a262fb965cb00a618faa07fd544270dd212be31615708aaec4096858bc7f660e6899b52171e9396ebe48c12caddc3dc40b2c7493e43b3b3e12b642f1da857d6bac348b2521c50d5ab6b844b5074cf68209cd349a44f480ffe634a0b5f7b29ec26626d36c8f9f0413e6728b5c0f18a2e936cd71ba050d4e8a009f917920498200b457832ba65c0466d64209e93f35115955079a6178ef9ab982395c2c11e0f4099ff31cceb2ef4cbde0319fd77588d0e7b0f824ddf879e4b3668c370b7aba875080a97c455d287c0b591c52fdf3fb190b9f1c52ad92886f8563ac9305e47bfc9272a60ce0172fc83c82e0c640cbe2b2febb171ca215397998223886cf6b1f723657752f48e24a083d95130ac30673282fbb95a40abc93db075439772b5ae02412677ef88a76f9922b0ea85f038f6e5c0bf2c8502db3f5578a4f34d244d61ae4399bc7721d936da326b6d1deb4d005a964f6da05952cc27ee6ab7c985f67b05d8fb1eba7c2a5d154ae867d176386377073e2626b0a3a2b5f882144664a1675cfd107ceeb37620a4a4768b55a24dbf71ceb7d9ba4f0d1e734ae46fd3baa491da572a380d86ddbb40d6e5195e683350e6b58bbcbfff111f24b36d6de9d8fcd3ee8068b9b7450a190edd21869fe43ba26478d3655c53b76ddf67dc282a7d5657e93c252771f53fc1602ada31b000dec61c813f053c692c49b09e4805a5411fc76998e7f82d53128fb4e42ad2e288ee9e003dec36edc7e039fb87721a4126355db44eb43e89bc29c70526158563132349f441e7e85a415b48b9ba536efdc8ef722c7f4a3f52c78072c7ae1d6894bd27583259f6a577edf4007cd320252b73426a1bc5bd7e260625527340e90a369fca1e88d7eaba501cd43207028b7fec5d3d2ec35e90da793ecf3638a1dc0e26104264439cafd8c62df72ad385d0dbba724ba5962b92ff8b0c6c5ef31fb668ba242e74fafbf4fd81b1d526ca3e3a2f25bde45c3c0c17f9f387f90161631b9623aaca870281ec3fd45796de02aee61b9e32e9d3c370bd4b9816b977b34dccfcc6bd71a86d7e8c9ecd8884386cf94e70f4711eee06b68170d1279821148ea161031d9aacd6e4a769450ddab1dbeb4cee429a339713094884fa439968f9b01837492066e6ee6e3f7a6962e5b0bf5b60deb6c25be3121b6b47b65cb457cc82e95fd30a861ba11830bb09741b180c4ad2a5d58b6e1f7b97d1489a06129583552450d15cdb74ec177e18bfd2cf6202e883817dec4ecc60af4fda42f88c6d54b8ec1170255323ee838a16dc547d24afdd9429327371f0a8dd5926faa063d15c3ff3eec70873a53ce5983259ddd9944d5ed780eeb19f334cf61aaf7aab0feb70b3a50ca55d205b647a333daa962aaef9e37761fac411268412fedbf24b783a83783a3cbdecf15aa17a49789ba5352cc197bc9fb66b4f4cff97b79a25aa43c40f5213acd927c104a392724070e347bdd482fc8b3afff1882c3e9e5eaf5027e88efd72ebd37e3d9810e76ea4d7b2b079cfd5d942b59f774f221395b06fa92446db9a8d10de948977645221a7b1e3a564f614878fa1f2d2efb388105e0e1c03d0fc361cb42ec3296e5c68cdbe0f7b3f0d1cf56f667706ba90c2a15607d4e99ad588176ee795a135420e4797a91c9d404628a726ead95f9780a239c2dddd5cc745d2cd4629e659cba34a9e83d014eea0dfa57d641f6109728f6bf964bf397e304dd436680d1fb8d0280a37b06acb4edd16eefb339269e38ce4b9f454ac7c79cd634fd6f19e713c2955c234eac508ea754bc05354f5af089187863479d4840804284c780077c4e4df4a47f395384cfbd00e024a81386abd84fd11bb8c65c769e4a821f01820350487f309197e72b6462f29977519101ebc520008ce3306bb902964c69bd1a0002747e4ceaeb26239f3e1913f290a8182fd838f2de5c3f3ce4904baf398768aac3b9ea9d45af2556ce9cddfbb48255f4e615b3d77a4ecc802a9e338be342db986deeda8fe021cbf6ab9995931e8f624aaf084485e798f4e05d1f50dc81107f9f55f7a3998d3f4cc51f975d38fa4721bb55578473b1be71ed627832435cace367b3d7d5fa6e912249209e0323657b8e5fa6e8530d75911f36258bc32cfda0ca3b8bd067b67440a3101fa9d7c41e4002312e32dd1321c5be4656bbcd28ab4411bfd23aecd6d1f66d2b25e9d518623f8ee2964172c4061a20fe45be641c1a85727968b19e87844f936fbf217de8b985113e5462b0b0507f571be2e81b2a2d1b1d7fd1017f47a5146cfacf0bdebfc833b880b4f73477c8649d70d7db8f1e352d6e3a943012722a02533d61606d93cf024b18a9dc4cbe872b9a2a693d25cdc2d34f8dd8cfa6c25e648c37ab322b30e9776e359fe2e0fbb93b38b688fff75f3bef9d4b93368e89a7f204031ab35ec2250a1a9ebc84f2dc2a93203e955c97109ab59a1dfdfc4d5b009daf69916349f1aa530453d36cd4001fcf1e60d2dde684aa43f4d872fb193776f032e90a39ee4d9f5c5e602503ea9b42a22e88ec83f7049870ee77dde87776fb6ec6fd2064b6150efd3a3246fb21ac7d1df9f51e2ab7188ef3118a7f98d2263f0cc6e5dc171d43df53ac00b226fd2ddcdf075afc85567b47c37c34f0e9bed40f0ccfd5b347a4206f6c661e08e979e28f426cbd7b0180963fcfaff6ceb9aba3b12be95d2dd8bba3c658a41a12d4112e2ae05ed9dbabe27ca541059b61190cde566e56fe9d5bc69d2f53e52b52f8c023a58ec0453a417e84edf37760aa0e3fcbe6ef6ec7f4a203e9ffe3f7cd23cc395ce5e72ef8a3665298599da4de58a712388b4ff9eedb63484b92f0ba8033b1c3c7a9cd1dda07d4ef3d3485eb7232adecc421dbc5ca0a7860f5140c8e93d0b770f0d07bd09ff86b166f6e1efbb467c89d67da9f674e1039bce15bca3c33cf626c29257d4c397562b802c1e254fe1a2cf5803d9f571a83115e1c940d52b862d29657c75e32ec71af341af4998f37e129ed717e7fff26f4d45964cb4a04aa77ce0ce0a9bd53269170704f64811c3848e5b05bd8ec7d92974019f2c5ceb23648417da1cde22a2f0b91f4d62938c21ccba16b957dbe400dfb59949c01c68f59fe11d96d5dad7a39e6a875f3a84cc3b62cd230654812899f4118f136b896743c67de85f820745036a373c039175e1e8bfd363e535f49248059110a119a94a65eba95659964257a531bf1311b2ed28e834fda74222c3604c90c2305c8a4a2bb7b5513a9a60f5a924eb9f1c7acd4b15811da5f4128f2d48efb43573d3b6978bdb8495aa4b80afaddfc9aa74a57a6e5d82a201cbd6cb6d4e6dd9cbf545265d646385aee2d055f4bf039e879a6086088e5c5a37c1a1d47fa374d265fecd3775309a43bcbb520139d08ebaaebd8f1d5a9c1e282ef45084f60ba838b47957f4c9eb363336a923d69c2e18bcd4e68a8f5e74931cf1a67acbe84d8064628d5c429d5398443b8cf487485094c9341c4ec6f8dfb7043bcf5d87a2d833d818ac8e5501e5accafa6b4cfb7b4c00490d1af2106689d42f61382472419c17e1f6f278681cb6821600e645943be22f03c3b8dbf6290201767c763bc07bb1407aee28e507f03fdd18c1ffe29b0fc7b3f0a8ab7e3cc2c13558984ef80856e2286f0bdebc790dc7e7bde03bc271011dd226195ef86d91e57066f5b933007f4d9a96fe2f2ed4861761bdbf3d46739d4aeeeb28bfc98d8515878e637a25ed115060ab2597eba14ef2cc67d247cfa89288a2fb83ccf5af26317617cc9339fbf8adb192567dd24bc11dd8144ff087a758baa2fe6335a5751a18ccd8038facfccc0ed74ad1b6afca6489fac1465623f0af17149a58a33da6da90d1aae212a3db863abfe10ecb680367428634e409d9f85dd4414adf1da3d667c4693b26ff29dbc25475754bac474efc8aed58463b540394e48dd00143550bf53d823c2dba3d20783bc1e49d0d79f75e1fa2e293124c16971f50ab024d6369d42ca2ab3cc75463c3a8bbc580bc1708a40688b341f8d1004e5a4c60ab0e6f315bf686bb21c671b7034a236337bb77a1b7f6d01abc4f4f7558247f59aa10e11bfd6f4c5e65015f09d3eadbb11b854913b93ccad9c8feda1b96363bffc8a06536b7d00f725ce5d6fcf0823dd86e57838d3a02b50bc11813e8a8d8775c06fcf841a943c0d9e025bcf4f5c6946ef4a95b03d97d9e7bbbd3e5a1bcd0ad5fe4323db859c1e43282e82aa29324e97a9925dab3d675d48e663414ddac15f56e9e9de9c39f856bb528358dd003050df5c336116cc29ef8a0e449d5c609db104a5bd53ca5c28fa7dfffc1073d511448ef5e5d86f25f8e81bec9214285700c05f601ebd472d71623ddb2f19aeeeecaf7685890a3644f81f69c1788c3cfafc3f2c8df72cc7d927835e9eb666b129d663c425224778be8dd0d87a1665aad99334ee71c13b2a1a4b96d4c91f70fca27999e6e829017d25bdb870d5e479c6ed087db835c9ac10cd4ee956328c10731fdbfa647de841a72fe9e8ef0ae1e57d81ac3a8573667c41472ab68aac5f4189236436f758c35d07e590a01801626995a3fe4b1bc2dbd37e018610b01f5e0c1f6f11c7bd3f6cfd38bab2529b7795191bd2b36206d468ed501e44c8ca1219f300d8a5da74bec71e9aae07799baa6afdde68ba604712a69ac2c858e76fb309145a2d4e125e2010ba0a12ebd50ed3523b1b65465aea1939c036183313864d16dfdc9bf30ee13c16aee3cb45e4b08e78ce9f7c32f15d686fb670b29b9bd1c9b4064852325383d7526c1c9077fd17b244069fff72a363d86a7306dc96b1a3a42df87d3e85b18ebf4950a11c0469c015fdd0da7e97744a1bce5faebfefd86c4d5b2aa60178c4c5b3f74a266125ca1d65cf9c1558b4a2051554db67569855aafb720d65a233d26e012ad097c0b42c524fa146a70b7b59c1a856d51ceeda5696781762f6c441a95cc4177d0f01de33bd400d0fb582d2d1c44745b068a5cbb98859c4f4e823f680e8fc4c91b0f0399584eb93488d9e601baae47e4b293eda1517ae062a4d3ac1f14f81b856d85a9230a31cf15320272824009143ec4f96213f0d3d560c645db3edf47c66e4fd9d757c09f98e64aa9deb59f8cb1aa2d8dc11f13733e745cedfcd024d90c986829a9215aa16571066d6034709312b1cc8458ae5ed13d2c7dba13401a959a0d9a90fb4a2ae45c8465f8e0ed5119d7c908e228e3244ef2f9ccfb72e1df9c32604a496cf49a9d4d98815a2309542bce0cf234df48458d3dc70c5fbbc78d7376cdd99e53760cfc1612cd6f8e712442f3c54ead35788e561c0adf910956241faa9d40aca975b2c7ae1ee400f3209df2670384a5dfb24663950701f918d374fac88ece0429eaab46a4f3286945e7bf44f688de8dbb6b441d43d2c7be1c557746e318630c9def2168a079bde3b75ddb42b5526685e7b5250012900c241eee5636d8e8ca6f1f8bca6925661df17bfbab26d69c6f332663f9e13fc9f3d40785008bfd9b540e055bdaba231b5be79401424e42b8c4edb81f1d8a33ab13db4f8517729fb352fb41a99c94f5eee3d220c2e1ad319e6f1ec234aefb515a4d2428ce011384c505bc4173eb0bdbdcf18f2a88b76697996b73032a1135ddb11da5805b46c9528fd5fab4b1c46acda6c70389f204131ba63ba20a6db14fdb9de6b6caa65d19d8fed70ef4d179ee3429b1c9084ef7e005a4893faa2f3a8879597efb8c3f7bdd660a6a96028189a35d575d8d433825ca487e033789839963667a4e4ba66bc8d2f2ff04e9d081903e31ad437e73b96ffdb434e650b10756a3ded0e501fd4c2a1db985438368228926d00de93a523b32ca92df73262ab71067b974e85c5a8a8a70eff2ac73cc7eb1b216c7a3d9d6c233486fb02e42af56d5ba1cc7ee0707a8f95dd4b03e6d11c251eca065ad865d908e2cb063adb50e327d72f4bb33be11000aa81c8077467582d347e19b042cdac85bb3beb153c7dc54e7298038c9ee604f61c4feffc214955dcc76a7e41f7edaf0ef597b1f132ea9138301964b60db44a3879f21b53636ed34520ed44095c6a41cc035e3e0e0fff219206be7002524aae8ea29404feef63344cd8720fbb4a204e06b49e9583f49df470fc66a69b61955d0ab9c98221d56ad967fb07534eaddbdcbaebc9840ad3a615fd7ac48113e4dd498d9199bf4e18fc664ce05c2c3d0d9219a3e91213d2b2336af861e2ed206010ec735fb5960e39c10d6feb45ae1de2d441ace81f9cd8067df109bf585dd85bf2f4e081760d3bccc32d1be7634daaba664e3eaaeb03a35262237c2637cad8acc75b3c667147bd2cc40d89ba3d811acafbabd26e0448bb39ea96f631211d5700cb1da53594f13bf5823b70f0a45db205defa29ea47dc2ed7a34b2e7ff21babf6e03f1628f0ccd1a55d845a778f0791e819d2551b93d90d3f96a9c30a3682165be95a63044fae89d2172dd24fb48d98f50ac624e82c3acc2f120457aaa383ea134fe4baabed8bf52f3faa3b2dc6d326d400b59e4c642d3c428c45fe55b4d5beab5831be487ba6f4fa10bdb4d0bd5fada469bcb78debe24338bbf00ec475e41bf5d199d77a59b8bd42da5bf52e3768b5f493933927e795c976d20aa39642fa92d85990cedc181feb750e86f4fcda2c85bf9799e4cbd4c47246ed388749d461adba8f28f00a434f4be9e48ac5d937165e7dc07a87e594688a1fd84513f5518c16d0739452d16d2f0ff801c5b2279d9b4ae47cee523c30a7d566faef8722cd233e32706e8ff7254bc2fff3d869e8865cf411cfe921d13f2b982288755b79c3324382f81a7cd6d39b5d6497b3ee3123f6c4e3f86f159eef64db07a765907a53312c7ef9f0d264c8285c0574eecbb218e58bc7c24eda425ddebedfc077da54928ce0db1e393f8057c790ab25c166dba9ce3228ed24450c7689b6e41ba2c47350cfb1e852f86f5b92dac1a67d08c880d4312e3c33e84e761fedbd4b375b486bd4c2ca4b41ae5cf2aa197b34504a05aae991986ea5048c885022e3818b0c01b98dee1152f9152b8e7b22dd7ead3a18e366017f3fd43312122e25f17f44dceca8c657767f5a43da3d7b92a24b2d382069a37f6efb12108c627e45258de90b851a7565e74de95d7fd8496c74a88406d6fa6067dda480af196b0ad89e25236ffe91b35ef9bb7d0c5f9328ec586c30122f990ade0d3f2eca78812f9ed5380b8de50f5e7af78001ada4aa802b6a6d33185644c815370b6923db1a40e6f00f50936ebdddc4dc6c06d877db1f3f840c641aff595c3464faad7354c35955072744e8db9d5db02a2b83402894bb005bce11fdf278f0e9b4bcbe77d08b865f09d3bad4a37c14be547e10fe843bf2051cecf572790f4f0ba6cb00efeac12fe65bf77a5eafba80983ce0a0535cf83f551cf44f4fdccf192b928b0fb0a30760be6b996ebc0e9ed771f740c9bbbd7bdadb68cbcb4a0b14117c5c1a12936bc1d345197455d0de73544647b89be0ec947259ba3404de085f36fb257ed7de19449cbba351e11b40bb6c0e125ccd70b96caa46b282bfe94925b811ccca25f4e1e40ba30c20a14417811521be70d381abe5a02f86d6fdcdb582aa996f646e53d9d5526582554cca3b13680657b769e92b006603e6f3d7ba8be50ac1e6ac5528b9a6f6b7621c71cf94b29bafb75d052a4a386ea6c9aedb2329ff9422a4129a98ef180996080333b26855ba1d58bebd80ec98a3e2647eb27686bc51908616bcfb30e21ab0e4dd64cfc71b9c2fd6b50430703298c08181c8e12a4988c2b12a04f56fd371e64938a703b33d8edb13e5736f0c35e23264e892273cd2dff5be3b291821dd598826a01703b5efe6ebc7adb87f9615db4e7979be5b8bc804fcb4eccd18794cb765db45301697864d484e2e94035c94676a2a509c09feb6bcdb4df69fef92d782abb5f75f9c920f8d2e81270df0326d86adfe3968d1adcaf0841cd0916ff41a2ad5bd6fe282d82af891d748c1ee3c1341c71e065c23b4ab7b35aad856835425d8f4291a63d65c3f34048d53b8b4cbd2934f13a22ea158af9098dee6278dab79c743eec53cc032786a8ba2a5c03f437f3363f34b1b99f7307ae118c1d288ab2d8fa3f1c512113464713e0c8cef34c650219ecd48f86429234ff11a74386903d9879ff7d66aa48e8809a2ee447a3d9a1ae3ddb45b26997ca4173387c25d43fa9294ec061fbd359341912473cf29bd4423d266752c229012f4eb9da6d89d9330b60c2745f3c85e161c5041dd65401a10a891d45a1a851cd5a0b1dfd35ddf370acd42d2f3990c9aa8c638b42c07b25d5b6db2fb6781416ab0a38bd94893ba79c205a2a022440a37450201483cb8b18e046663e519c24dfae21f161e10af16eb22c8dee528ff21acdf10a99d9278590fe00e6c8b86d8f3bcfc044100dea358aaa8d7859f7fc4e646327dc14f19b267d3635b994e2adc92e242dd01c9f011099a0495e4c5b9400556bd6f46c2a882bb0d9901217697d97f9df64f3667ea61b5a8dbcd0783bb4f088d16c4c3075e2fae72917270514ed309849412aaadc588dd595593a0ebd0e81d9eef36c17ff2455349ecae85095ac89633f1f4d2173b20ca6a9f6ed4c733d9ebe9abaf14c242bb190dd5d9868da91ee4e2a79edf116be25aafed829eeb0cf12e384a548bd5c546cceb7cfd0fb7bb85c0397d78cbe6ff452fd42ab4e5d99b8e94f75aa79f5386f103409f9d542c19e0af95ff59fec624f9c13acacbcc4f2a49d8d5712f67643ca4a2737f9a330945b4f910639bfbf7943267ebe772aa2282d67595cc7932d227eca38b082f8573c8e8a6940122f1ee2fbb125bed9e3156be0d6f7b0d3b7ed912c1ff35bd465cf2dc1563c9f238a4e19aff160f2362055a810bafdbdd3a43b3bb9316818b7f0c2b25e9f0513cb76da1ed85bd49ec58b66f167b933bfd0e9e5d4385b820d888f79436fc8204df5a27da41d4de0e677c4276ce7cd9caa87332ee942a6580cac0fda2002c3e151ceba03f367b141cd76d797e6413b3637aa131cd55e62ff4cac1604336339a9aec619803a8229ab78e01d905c768cb638b1ead3fb6290273f7fd1b5b05ce1ea7ec4635462c149444069bb4aa2fd24eb5a25f9bdc2b7513d1e36c902669af56be86330f3ab20bdbbd40c26d3692525fa1e69c5017ff468fb3499a6e11a3d441364948527b65d2566580badfa7c7d32feba6126b2e96d13916c251734b18fbf8418a23598f8829ad220e8c3b75e1fdc242eaabc63769e40ef61d9ffd8c3384b89be02e4b2267043dbf59010e8bf01c2022defe0677545559209585a6d14bb95de6190ec89e7e4d2fccb6bd5eb0d43c533f64161cc06cfcd2671f98e2ea403e1ad009dedb1d4059d3314dc244b8e108b954e9dfe2fe6ed4fdb59f57beb8416d985776254ef746333f75886bbd413b43c279d1ade19a590b6c8756030b33ce5daccd585d25e8607093a1d2dcc45f34f1a7ba57010887f135126a1d8d296dc904c4e654717107ce8624f1647247ad2787e7a1030208d4818ef748aa407a28cc528bdd1aa2734f6d2f2aaa783f74099048cbabedd8abd97c7922e5f2e4e6e99867691f4594d89028681c03d29ea0ad84e1c17970e18786243aad1ccc3185813aeb1e25eee6936a79c1dfe668c7c28062b91a751512f0630f1a9f45eede84d76496b02155c0ec263276b146bed6ec54eeab246b2187d7db507d82dd1313a02ac64806556818f7b7bf730c05c924f373e5e019e81a5d9286b056db5ea059fd7a92d169e61c4781d0741c2eea0e45b6d523e4a995561472828cfe54180e8ffff44dbd58a1d3f978236f2709c3f3a879d9a0a81845309b3bca02c5f15e62d07ec48b7306c4a5f7404f031551e9c7870b8d817c784f87964ed6edee7aefc2c4c58dd0b222c402ab15b0f71c36755a8356418187b616ebc7e239786f9322a7939a79c7bee0b7e2131ec7ee00cd2981b78f16cbd72d0b7ed160f4153c39ff7072c50a4ceba047bc802c4991fff7edef396827d38a8cf4b24efe92b0f9851970d6d97654b3ff63bd679e664565801000be865caa84825643c0ff73076b9d83a83211f540e6ecae8e8b1760050daf81695e999228989ae1013e4061abbe7929a5c6a126f89e8bfa16557ff99afe16246fbed5ed96b30438e412cee635dd3cc47fa526f28e81dab2942eb2f0dfacbb1ac55d30d42090fcccb7f0b9e520418e195cd682ca17bb7822240bb87c13d6074f20b7895fdd44d7e09498f5af1400cae141764f5ceb29d3fe64c69d851a2d53f34b8015f0d1a32bf461e4356ebc53939c7865b714af2e451e6411a042aa0c0165ff6be2df6b7f6947c8eaab100cf06adab6ab25482b90cd818cffd92f7a3a3d9e71c81fec82348ca359c554adc88948a22e5952348a6f67a7a7359e6bc1dba3fd58e4d079bf205fdd4c69410aef784b8304e7a81ec413a3c7eb1c6117db137f601248dfa6e712506d9006013b9aa22a6bc2fedfc48d36be89c7a498ca237b94e1e1684713e01303a11d06b87f142a43f502e4964a8446e45a09d038f15ce713fb9b5c0a059da2ecfc4a7c0a036e5289de3e7588071c36f654d5bfa869682c47573e404a78ba21a3827fb69278d2ff34b7991e221c31473ae438266969cb42ead936f84b633184bf2a12e7591a836e3562734b7453be3a450fedea17a495b6279734f23f57bcb76385b9afdbb3089b5a74366e307e4272341f3f0929ae356eea3261b228b6c493d04517cbc6c71de51a00633745f09ea4f89f5e6f764bca0f0e9325749ae3bc4076436f896f06db550e5b80e36e9828afe831f05b312f0bac91dd4a93fe73f5f12f22995c0076441512efe2d7431c92876a0cedcc5fa33b829009a53b16a35f1a2b70c8c64759c3a89505b8cade9bd7df76c108ab6d0dd4944a44b3993130df06ad281af953406cea6abc2dad514aec8a516b7751dc0f010dd3e32cc817a09fb727f78326114427d145fd1def774307362bb9e7efb03d66e92394667f0bc8cf35802f06f70caf46f8076a7e5dfac9f50c475348c5d828b74e890abfa42fa4f4aaf6fcf097cf37e623df847dc7cc471334e98791622bff991fda8b2bcfce0db32a62d8a824b84dbef0403ba8a11f03d09882351bb550d0e471d8658079382793ca995a8393ce22af6d9b86f8dc993a02015eea651fcc0902eccafdc773b2ca0791e7a12c9b7b3e2f768758787fdc1a04b372ac12728b8ab081b384b7f2c3c5511f3ab3d2427a183c8434be53076f9112b6c1c2b6573209357795edfa89349dcc27acb33a49a64c7620275f3c6bb8055482ce98348c013e63dc5a8d04fd54386d4cf7e171889d76b12b7996d1fc9ca4d74e30ef9c2bf034cfccb33755650357561ad738c0a06ec467aaee2688fcc9801fb38f89ff4ff869865ae3a2c68863987cd20891df42d9368b311cb77047ab4bebeb0fdcac990127642d7b1dd4c8307678c6c7594e23eb0eeecdc773a95ddbff54ee1e9aff119e7380a9c97733f41440989fc2a51c74cfd44f29d45bb104dce651e8ca87449b3863e8c6f4c089283455f17597189a40c2d4a46d50f16bf7e2053c3bb126ba4649a0ad09a8e91a9126a0bde5089a77e939996fda8226bc0df3527a49be8913489e34273b175a32fdeb1bd1890a314c155e0d5e33c326d159116d3da4699d1e6b78b1f917fd61e32adfadf673a567e44502554376cc4d644819e6cfc759e5bdc13bd90941351ec1e8afebbf02cef9b5e385b3ed54d27bf23400db36dcebefe43dae4358b1ff91cfca3d9896bcdbaa7342805553f117014017c34022ce3d8ff3bb51ea345f24398f97e84af303e29302cded3908aa1a98fd4c0b47ac9480af48fe6141e802623de2a516ab34d50d1591fbb0e57b980447d52ece095ceff30b6ae49d8722d824940fd0b9c19158e5bb2f13c31e87c84b6288457f578aeb0d288ab6306bf48ee87cc13a05953f9f04595b7293f8a0ed45519a29a4f749401a244fd8ca2e0b484012aff425972d03a4322ce17b3d91b2c21026cc37ed2d30636f41182e50fa19218a9a9423290f1545963889a99828707065d1cf44e461692fc7ea7fdfb2d706fb7430281d6af5fa7b2c2827e9685d3e0f98163189b2a270c57540f7ecbb2b8332ccf526c1cd02d39016399a8a246370012c0d77cf921b554510367470e431be8e2c0ea450309d1abfaf1891320315bdf5f6361c3ccf8923f38ecef2f2acf5cbe17ffdf0a3615283cd514fa7b2c8fcc638eb3abc35266ec45f0c658a6547405f3adad038b73adb6571c25e342b28c83f8fa4dbbb1c95aca1359254204b374bf2d6102ac8bbe81e52344b4c65b52f39bc0281da9d395a834e3a037ae9e624927a647945be7a3d870be536991fbd1947efa3f1277cda877fe78ae8cd554553f496834b486b223962b448fda013fcd2ce5b1a9d828ca95f64b03c0fdc723a46a1d1698b06f86002c96a03a7a124193f8d692db772338a87a4b4839e74b65c00a374883295f15d5b4bbca2118aaf054aeefeaa14261693ff617c70ae71a24c734c60e1e456dd25b605c0cd396538d9c46b0dfbe264188b1ff7f6f06d70446a3b544accc7eee607ebc2482da96244a6dff1c837d3b3fedbda3e4e63a18efdeb1b7afc6808a57844cbe34a7ec24ee5dfb94857608af2a388da0918f5658da02e6f77fc791f3cc3f61f998f443850316943e1569bc36c3600587caef17d49adb7ad319be9f536e1486e2f9063cc0f3bdf51bca6c2399803c7c71d7a17402b36a6dfe17c73a3c1d13e7be065a2b9fc9063cd1c40090b80b7b2ad146fdcd3b3e07fe161a6d7ebc78821d8fe69198772707adb23e722f3b4abffb942e38e43707b422487dd7bcdaba7caa78b58e6a08feff3fdc36584bf0ecdee7a8bbf2bf339b8ffff64108944a8493f9304b702b9382b4a74e3bcd6b3a3abc1872f2588a7b934ebb0cb66723c1a7183811a7313289569bcc77953d2e2f968a8ba6c87bd6e914effd25334952d0a75bbeebdce54ad3c09125e9b7c186570650a6021285aa546cfda1167c6836f2f42d415f4c8c80df6bfb3341d7de2bf2b69838f338d0e032b52de5f0fc2d689c40f9762ec49f03124fc76a4737a7724a17c17a7228e9cc94664831fb0f77192625f4e933c9f4c7584565f6f1f71115f5eee76db2d15f7f6ea37c7afcff25023d43cafc0ff58bb2939791fa9ad6438a278f0e2a527287c847158951d45986068b22ee976c5282a27632d849a042bcea33a863f3a9f1631b405c543f89446a0dd1a2107513ed4acdc17269bbe4a8ebe0bc141a8944340b6ef3b6261fc465d47edbc13ae8af122dd39cbc2747919f91df46fa4f93835ae0197eef16a503bf19668d456c3e4671ea9480d9699eec10d48bb439e752d5b2e7cd65f888c5ebf7d507f42a62b0020ee61cfde1084351f53b8e787aa62cc0ce526485260eb077eda45d195235555d761367057d222d01747968a88afe9d5a15ffb8f3f0017e1a0db732c9ce637fae1a140dbbf161dcb6721826435eb3957bc21f4ca15a2b5d75b88805e1344fe106a615e5828438ba9065bb5cc69d4951c7ff0d5f4d6e116413597596f83c15f12458ae47bc040ba41b407c2087c79f606f0ec78455e0a0d760687df908479021fa031c03e44699260389d522184ccde2bc11ba860bc8717fd65126a7593e31a970d5cc8295fa64d95e369410c89abcce17e8f764da51df70c4695b6c9ac2a5c84811c5e8177d2ef3db5c0b09536c2c14f939311d3010d95fe0f4a41e0f4732179d46de7b4f1a9fd701b9631041b042d4a35a9961b04c9c15fab918fc3690b3b8d3f201dcba20f28545b51bd4f3a3dedc1ed84dfd7cf57a48604ac649100448e97a405fd2788415ea35db940f381974669234c4697ab99377591ea90b1b70a012e10843ffb89d8d6c3554e37bbc7a6c431ad787479ab06929b7bece589cbf14771666031faf14d9589cbbcbc0adbab688190d2542ad043507b49359a3457cb1d32964d51fc9bad791cf727d72e7efb543f359838aa761c09625298c1266e249ddd847c34d1d9dc30b5619db4e366769841bf79e14981f4b3832e43d2032b7312920998a6d97b39a7fb281538f15fdb64ebaac2d05456bbcb8374669dcac64e140024406f28f9accbd07cbd5603229d1774ca8b5d1327539643cd6373ed27b99f2e6d12e351ed7932eb48b995ff685243613b40b7fcbd1c6f6455e1ba9195fe2244e086dced7e594665834d67a83f7571e9c610dc5cb014a01e20be288399aca77757850c24b83fde46d94ad2286c29c61e1346cc925c64d055ad9b1fdcef2cfcab92d3e8cc5bcdd6b9d302677e29b5d6e8d151ef60fb092f36654ed958e113965a32e1be0340ee1ec79cdba9c01f9112c9549b1777af5184d4958775ea737d0bce9083f050fe01c51fbe18552b0af3411dce5a711bc2f01d764ccb0d48a4c598ddcc93e5a19a4c46778af04c5e7d217a137e81edf4e388bfbe7307a5bd7a61fb052d7af124bde91c0410c6982297a479d51bcca12bb0019a30f2d722e9f64d3424c192b4acb964f979bd1e600d88e4ab1dadd350886fd47589710f833219b4e6c48d89c23fcfac4a25250686f164674db5d7f259edeb044745bfc53e6c2b60ff4647add5cdf6bd84cba451c23397c6e6ed10eda000ee898f79d8691e3b2397b7053e21026e9184c93ba76aea5a0acceeda2062aba823f053eb6647a367c2a84d7aeece8977b259bc8cffa6326af0378cb996797959ac7863b0b23d8d50ca10cf235d849691408624da22dd333d9147bea937150d9b67809d30fca392212c4274a78df05572595879e922f8c5e8e41d5729a010cec5f4eab78fad2524a4198a541060c07e89a26c95a6d64a2624b8ce9130ad56157730c75b7eacd1fcf6573571fe5150ae8af7e0c70bdeb7ba99608e8ee3aeb2dc46a17ce827bd8f119b70ab86b4a644bcdbc217dfad9eba00e31d7ea081875dde28eb9b2fbe9bc2d14d3f88776206471b538ab6e4b3f305d8610942d5b9d194b0fd218cf1522f283ee9fd36e553fff43f9d8a2164d8336e58869d66f8e245f61dbf7b00e92f1d620c80583d01cf610d402a016a65d728cdffd2ed3492139bcb2b399c6267dd4b1839dc1797aed44ea29e31997acf4cfb9455e98a903ed26a1a16e30610dbc27542aa125a8de3418d2fd159693e4a70436421cbd6f32b46096d61507b889eef280c41b70c8a678a0b6e240fb403b2545b46e534353c53b8bb78382ddb27413b3e4c34a9a1c48d31b49db7137905e7198701fcf7e998434058d27c717b055703c6dbf06f6ef96c5b8784546682e7e4731809dd9ebcfacef5369439905481c642b544777b451883cdfc88729c1207af308523e578e1b96d833ea762cb6524f7d79b25ffdeae3d77a74c86417a622b06ae608f25c7de98448327508caf620faae5e7b6a0624b743b766c1825ed6bb5361e35a46370e7a5f2e9c1cafb3b2e48a025ac572a2b33dc7ad9c1618911e7112e1c3f1d5bc192fe84cfb1feb38cbb28e497a619cf897131a56d037c78b867df4c833d5facb4df496813b438d7f559bd29a0b7f6cbe474246e1a1482e513aa38158e855a6731ee8933fe0384b7c08827b47491e897bf54f45fa14d421988a40ff164086189c5e1507dc446c2291ea41646d3bd2923294a5e4fc140ae44c5d9e4ee8a0c9cc4e47cc6231c7c465a49514a6781983cadf729111b2fb5a52dec0cfa38ac9cdb792049e649212411ffb3636d864c12821a4cae63a7bee3ed225abc2c20c69f55cf506d3d11165a28cce2e74a42c43d721a9663554cfad7d43c5ec731bd499ff8a9cde0ebf5b2d44a3111788b73c1d116e1a2f95f17f920dd1e75f2130ca32b84c8236e19864c7e726ebaaed8635d347df758f8884284c3f18c3dae2ff11805fe906cf07a13fb63212be3c950fe69f539dff4f1e108c9210452d96fcf84427eb7c9b919063809d53fbc8176121550a6bf367ed99d6d8290a1c6413b4764b008e7c2225f83d6c9cb64351fa98fc276b6b283d453d4a20ae4182b825cee869a37dee50a1c65a4493ea20ec05e68c416965e43d16ed4402e7a90560e5d13aec2c88d70d3237cc9c697fdd309034e2566e8d1851af4c7180dcedb2578b94a770d4e1f89f3d4f1a40091605ead60133ff7a29fb53e59c988a8aabe9f5fcadbcd5ace0b00d791224a838f117490d09d84628e1773eed664b9f24b46e6432917cc08e5c68fd35c66e2469083a883aae9fa97d92b536660d5b0d2d2bffcc0e5a586d3ec5a35d5e14d1b79e55090ee4d5915e8deb660dbd12bf08003890e87a8ff6f340e58bac7aae4daca841c3f81220fe530a9a8d30d8593dff96b6e41a3a2a42e446df280d97d6e6d1f71442e816a2fef1ad9d8614353f4f0da36342caceef6030fc65377631dcbe85633cc1d754f769f4e8103c3592e8a8fb8dc23b5a8f863f759610d90325aa2c253b33260ee26118830ab604cc5c7832e0718a176770904b23dd862a7766b728b5ecfe7f9c98f001e34267138c45224c2e4bed63638925ead4c94677421f47cd604fef4f7e09a325d65876c0229e8ac520038acfd818b093a214e0747bdc52f95de043afa49a0af63de8af0033e470425d633c2ee54afdba089fd988bb0a381fc1afbafa2d41b2869b445f6f0992b3e37e35e11af682ffa92b5e1788451c7d6eec4da34aa87132cb1404afffbb416b2de0ba7a29231942eb310b561dc41171bd05e7bca28e08c15f152b2655b8951cff32100fd81dca16b37f5196a3561cd77e0640b6227e5fded500849a65869542695196a96958d44d3c91df65abcdc5f668454e898a53bbb0dc49e18a77c79dfb82562f57983ac258ad181187d929c59ae4ce96b4dc12ff6db7b68e05c46fb4b1d7d7f76eb7a56b8159a56030b7b553a067df186bd9684916665339ae838d30644ab509544f354f4390525e3083f35a6b262ea0e0ba600cfa06012f2c3123c74ed2d54b929b3b38417acb1ee04f3e83feb04b73692604e77efc35319a2c6d57a3c2a96c99aff7dafd87327cf56de81cb75b1c6f4d2a28ff5b45d20cd55675ac671c92a1bb087c3aedf25a716cad3581b09097e9f50263d1b8ec68c3c08d83d26d7feb30e689b0e8602e9ddbce83b3cc67d49d871a1ebcf25c75406ab7a46168dbe07f3fd19f9d0e56d116e50f46df34e2ef12925aa17c78d2a0472b6c95842603f5fffc33a3c47dfe95232909970f9e83cd796b723fafdcc0495ab5989b0f6915a88832d87eab015f9db41cc67cf64c73373b13b9460c9cd47542b59c664a9efb9bf4a254c669ef888bfc6313b2a9375d8986e83062319767c79a0962fce06b8d4b97b9b8472bf1581ee38859a398daf003bed4cb2f332c3a25bd32326d9561cf2dfc38d6ccb029d152c67ca8dd4cb525031198bc17b99b00d3e0a93c180c72e1d85ea63f2543d892fd59b2805032c8a5c5fcd6505fa286302adb0971a091a5c30df3d317db4d608cc08b424b7b98bbf12e2ea62b14ca626ffc73fd4ad81667afe5097fa210a1bb9c87d358f2fcc0ded7c72e22897910cfda6bd5c5e5ca884a61c2a98cbc7dbbbe6403ab9e4830a7f5e408ddbc9ec1ac85dd13c1497ec12d2c9db5de89438f0ac690409af159eeb7e7e71ce83e5557de89d660214e814c1138b5c4cde47d111a59d96554a7616a2b400641ea7d2da8811acbd26c87dbdb4fa5bab3b9dd806b258a4480d822e28cc27a505ce24c96ca4698a90eace94cc95849b2c7fa2d8c709ab586df85edeae7c035c8af4668123f16c68f248c7400360eb000da0d66e7f167fc2b5232102d2f73779910783e619f323edf942c85e4a318809a7b118f718c98e401fc49bc59b02390560e815dfa1bc2cb5dc1f2266fb9d33b7d9a9ac85522efc8eaa278696a32f5cec3cb5556a9ca0ffc006f93a9ae68a927fb6969e92b06b4fdc234dc42731a4b38daf8ac9f8f1f4f73aacdc76b2bcb021474d039c3454eaa0cb47aef8fcd328d94003a3df8a70081663bd1aa5295ba5793c7665bb9ddf265345bed4530956081f327c7572786f98aecf92091c13de5902f36063d1d21f12580afeffb761eea79d373341f2b1d2f48e6d49f3671bdf1f5d822d88fbbca41cba6355d2a73654215cc80eddbb373980d6f2ac89522543585bcd1bd519a2e7b2e9f518c889f26a96e6b3a86c23dc91988cfc3c65c950d0d9b00c231ca30868d908a5cc31c85297c7e08845850dcbfa5b9d209be2f7b29ee11f2bd5247572aaa44931e233d9b04bb6ef83e8f3256df0ebef09ccb4bb58177a5d7a62272947ceda2a2f95a2214fae1304eedf840b949ce8ce5289d3e4ee204bf0f46ceccc37adc80dc34360f12e7c386f443a37664d80fb0190827783968e49a3d7a0ab9df0948bc1eee0f299d4f55982e5bf589e433eec23f9f30b32afb1eabe2b6d15413a541b8eef0a4bed9f2e5db753713c2dbdfcd77029470397a374b17168951bd63ba27f5d8266f908f5f75d8dcf40b17e412a8cba20656acacbf777bca914dd158c58df1e6d57f70f78d7f758cfdbb3a7f42b095fa72be13637a764f291ff36343a9efa4cd4f9ce83e21d088eb5da57d60facc253a9809ad694f82c630d07f86dd4c5a5a3fb28fac1963e924d9a203ba59974070d3b8aa983dd1126c6ed34bf61a48470be943cedc78e4f5ee3ee81f61d434ae2b823625e006b81262cbcafe87b146e1b38de1725997fe0595151ec82bc7de3ca8dd9d275c7fcbbbff048edd6bcb87c7d89bbc8190e36c5eb25d09cf6163a91944bc8d81b8d705f87d9397c4dfb5eae7eb84747b732645475786db6370e433f4b562bbb810eaa5f5fa504571d7072a89da2c7d830006acc5df1750c64965633b8e31aad1c22649b609a0434fc4f5d677dd268f4c87410d416aa392e97557524f7aeb076741addc1eafab923bd95b70683045e96d34314ef449c25d3e1e8173f1d5796d860da62f16a9abc3ec6047a2c6735a97c37c12ac644f461eab32f9755ac9850848b2004ee9a5f696f39ee9d5c5e0c260414abee7407da6f59689c034d116cfaf9f63ea867ff5b170b34fe761c538874553ab0a83361be6241bda4757ffb4bd4c10ed83860ff85268651f557223d0c701dbc2603b3ab33d94c1344bda45b774660736125a1235597f7b64dd504cbb3e17b095b3b836476a8bd87e288377cd1422b2c9552a04569d54a826eac1b4d0ea98cbcaf7ae2ce93df4bbd6af17daa3e353f6bd69eb46035a2109a652ae1f5a7c40d36e117ce1e56496cd34f8e398b77c5742778360b8232174e7fc1a990a3d6b8fc6403392b893e7bf5517b829e86bc4b623e76c7d650ad3131aa1d8a869c9fce8fe156d1b08f39db6dad072f06d687ab143703c89282fe094ef04f88767419f05783f4080c475a3b2d172e0996bc0528173a4c53537699c9959d932afd99e666c98dd85ba0e6b5356ed144ab486ffd190f2bdfa8d4967ec65aaf827a1b23f674cf82a516daae99a5623bfb696e3f7897299199472a7a987898bdb7c92e62ffa43427f1b0748511e78e050998b7ccef263f7b64ec61a011268138ac40a3605ae867c49c85bbf1a7565806f052769916e11f54a96b2ad31771b5f875e77f0765f64e4d92ac79da30c29826d506bf3dce7fef9ab740af9757c2875831fdfcf1d2bf8ca68bccab73eff85e5cb300f4e6cf923a0b0e6288c08d958965d41420315e948b62994325c7d5a995d800514369a73cdaa245e2425a837ed7bd0a7eacd93f8c639857d7df4cbc2c90a4756470252480646261c5e2f7008de8b2de349cab0aac0b5a5f3b97ff9c6dab8da4d2385520cec793e0d9b64ba2e40b635b61027e197940d056a5fdc90859798a36e816b3747b0fff8793a12a0808ef40d957c77a557cabd5801d4f04e9e1d134b104da9b5df9aa72c059afdf9c1d1c8c8b15ec30314450f013a84e101252d435be1c4bef351bf74ffcfd7531283db85d6e129f731934ad35585d166ebc5384fab61a32f64dc669af6333cfdf723888e5fbd9c2731f49794ad64ab51640154a69d0697ade33fdec21f93c1215493a7abd08ce4df3805c5ee985f1212cafd942e45751ce5e668df052015db35b69e6440b02e256eb2db473cbca04009893e052274b340a24aea3a3dbce536a11640aac624e160856de20e4779b9d5f2162f5ef54356ccb48f67cda8222258c4520de17c9082b6ed813a0a02e75a158e0271091128252379a292db04498f928fbc24759b902bd5c30a3cc0ef40793dafb6525201d5a6003cc927cb6f828d383e8ce8f8f746fae9ec102177772ce71405504faee5137c385e949407030a8e83ecce66cf256afc930426404ae9c56c7ac1ee68a79a3c6cc52081a32c6367c82d7bee755014cb3e47d32aa71fe6b6fe7c8e1b7004d827eb396b1995eb4ee2737fac63cd15de6ba73c9c5b6abb278a7b53dc97ba1317b1f8f6764e49fa0f854b0d4489e55c1b8cbd6592454b4db830e7b37f41e021d1901c210256b1d5f3b0c699b586b2b3884254825dce42b5a3f9879d74a09b2675f7342fcd7e9182bf2da246decb6ec6bb37855ae19dd71ef73c547ed51eec6a6182a5b951614fe52e600c7fbec6f0edd9b813f2b77168cc6082c6845e52862ebdf2d72d280b1183e60c9ea8aeb895de7fe51e71b1e68adc70623c0d320567a0d2456a7f3bf8fd9bb685c74bcf349105e39c23a41af529a20d6d6a6b137266ff7393ec67cb4cd6404363007f1b427d5cb430b9e46a784b6084643cb87c1a0c889c2419e7fdb2c44e4cec50fb754fed38cc8a86ae3d805ea4ed88665580d2911070c0306630ee1adfbaf762cf665f7240e9f9daf02709981d509556b1f809c234087d30ecc96eabe644ec6de5aaa2c96e818e2d4353f6ee4582575b18feb7db59518ed901669cac04d537baa9f2084847f602db1368d2447f1a1e40b410db5f9d0b31536b414a7ddd3e0c17893574822c1a90a7136c2ca98ba1cfa11508fccb12618df8b53ca2aca58846b8689b9efc4d539e525d9a0a1a58fc9fe190bedd168b21d6b2d20018b332fe92bb005f3fe7e43055fb57017503ff82109b564d413ea22e09c09d46add02eeb9d00f92738e7028f9e69af72080cc680bca0b0356e947e315b30f5ae9143bae3129d7b45641204cf960d05f81e2a3c7b3301564cc5fed34b49c2e443d28862af7c0c5323e7a2b77b6c54358d703904a4277123bdce070d7d56befb71cb36fb8419c3d1a06e5ad60046c40416718d929c4268fb011aa7a2966cc8995ce8e13d27f5d7087ccbccbac5f9cb765cd057d48f508b9640ac1b5ff8eef95261b2cd5304652b843ef5387b29c996e5b08c98350d26bf97cb169654bd36b1a96a1d029c3c6769579cbbb05355b50f56837f574f9f10e32d0837c4714487ce1fdb2c8dda869fe6bf5c2da3d2c2a7319370d736aa6f5311911f4caa4966d60e4cb9515b31608f8f591d3d2e185b41fc770eae7931b0b2225e4bae67a5f467cb92bb838bf2d21e644f68cb4c146350cce1dc386eb41c1f1fcf80ac04e449391648fef5b9e0c1437fd08bdecbe26f6feddcda6d7495cf19e71fc589e6154a68d4208163b17c67a5a68d663a2bbb3d363a2974bc2bbb60c1d23febacf7f6fb192ec1b6dbc0da7eed3ede4bef53742c1d1b0619bb8dcfc58e4a58da0ddb3c7af660fc6577af12cbf11ff1f6b2ed0558d3df215bf9cf1ee95b17248e002a40f85ab560535c72dc227a0b6939958518e3ea7a049f596284f4987f670e771401e22fb675f22f842c875ab9d535517fbb74209b36f11faba7f8c654f69abccaaf03151272deedb474b787dc4606a278c5d90de97b7962ddfc0101a49856e85090a554f7381aba540278691abdfd48fbbb4346c4669dd6dc8892b4af232c7f566eeb1523ccf9906a6d46d8207f0e68913539449118be01f53cf05c9acd11ca80faeb300d3489aa9b6033cf130f58ad8b76b4b41846288d2a31380855dcfbfbb95d166d2ce8bbb7770ecdfd3c17a3fdb0c68d081e27e0e1173b0e80448ba44ac29fbdef015fd9a21d3c4bd2e16e3f7cc457a9cf2bed6c9e7c54393d15ddc0fdbf6b5b16ce50ec92f55438ad2db792e9d72a87bd5eccd2e1ee0e1f8b750d84e0371b84ab84d6ed81968a7acba1fb32db32d9fbaea613464a03137c12f1f98250b078aa6d72fde8bf73b00d244b92ecd237f4789afac3fe7723c19b761ea85d9cf636fb8ab754987bff19646a584154063ca645b5aa7ab8710af4125c9623f5c1b940431265a0922ab0622778730b50d05218151ca993a4303bd9c0576940cbb8b1f70b48914a69193355cb80b6b70b40e2db3ce7a81be303dc4c12552e5fbdbf527fdd7f47d3cab480fc509d57bda7470f1daee34e0820296c942eedccbdc4a8e2faffa4511c1c9ac1d97e8d51cf696f2c320eabccdccc4e37ed5632f1a6f726920fbf7defac511e1be4f9e0ca7b18ecb9fca1963f420d174d56150aec196489e0d243b67f15a792bb6dfc5e69c0fcd7546438a0b29d927a505c18c5237b090e18adcf5baa0b8bf65dcf059c03e8ac7055094b898ecef7b8de5d0c2449d9931613304f2efb4e1f7154453ba6e0573de2b4d921768f56adfb00f3b2e4d167b868081fd5fc2b9daa3c9e914fcc31cb74747d2e60de4957c03ed2a9297b6f0ec81b80562e288f888158a4f2609d9e6fe2447d8a04f5c30bad4616345670190ca05cd0882f3320c2d6380554b52d132ba7b97a96c6a2e6e4aaa73c13b000c0843dfdb6fb32d1b048998b97b26c4f6ddb2556de1c3f91bc0f1d12d7b235185b639aea6918621bdf568767ae6bbd69414a53839d46c4d8c4183a7b4f54ed4fbcc676d14ad06ace7ffafa84261b535222901615506ddb62dd60f6becdc9ee40ea0d0bbe7612533aff8c3fb0b79c2ef93363f8cd66c17cfb4917aa074b970c1a79c4e56bdbb11f1ad97b61ed0c160a39dcdcc36b419aeeaefacd300e8073d0b1b4643874fe3985a54c7cd843857abe53e00442ea4203ce7b0f71e8ae501ba340c6b41c24ed279cd3dc321734eedfcd750e5be1ff10f8f029ec8effa41a40687e45fb0cd87a7915bb495c86ac607b9eafb16d12dd02163ddaaed934e02d18b04b5009ed61f9bea82b42780f5a0a638c240c11558f16cc18dc645478d464570ad58f3994d64de964d0dc25295067a232ebcf67a37cc5a5000a37c35963b3c1c0ebc9ff09a5037bc60bac8fccbb789ff1450d630d86eef8b3b9d7a02466185509200fe739f90f50112c7efafab7974b573f10537d37f185bd1f17cbda779d0dce20a02b8a8bdd253f6ca79b35c6ec4577d79691b09f687d485f5de692ae432121f7524166a33e84506ec3a15fec7c7cd23a72b03c8dd937da3743dff7289f9d3fe1cfe9135a97115f78879a68457e55b7a7287225722d38b02aa2d4eaf591fa04174fa272f5306027eb780bff53e956e649d682dec1b19cefa412f758869f135f70166ad61bfcd71268775916d2717ce4e217c57e6a8f5a9df18302b7e10333dffb33d42dd5e544f5a765e5ad1dc6c5f5a845717d126152df28db896c4085be134cf86fc37304f5d921cd0dfb5fb869eed41771b9843cc91dacef563608ce29a0b2c94a61c48221c96401702bbb1985a476fb353d17154ee1cd3b9c0cd16acd63b3a2aa3de75053a19d769e3388e25a77106af3af27d2a1fe0484e216851ad994339d0d62fa6fd34bc75a576bb9c9967443886956b61019e72eceba602cb66abdbc477d6fb3a02c72d9c3828faec4cd977345c8b7791b140ca99032a2b3dc8a70316b0ede00244d528aa603c1f60b9c34e1f3120db3901e0e21b8a8197fc7ba079bae0ff7dcfa36413c21ea3add015e6640745855181fca5322d9600766ed15bcaa9734ea6b912b2e79239a36a6c1d0a9ee5715d43eced66ee1356589c75d2f443aa4514af88b760e28846235cdbb236dc5ba0a4cc58a41d087fb01ee287768b43fdd04d2b342e4f55f25feb0406c5b4dacc41eda78909afe2db87a449013235b34af900c8b017a1fbdf365ed73749db9331a4527038d515ed961cf01e64aa34640107499b2a298acaa93509d8f250b1ea197ab9351f2238c22687ebe830ed2b7832bc162660622456628c872f7780da9cd10c5b560385e4c89a59dfa2cbb93ed379ecf54949f5b80b444c6f88ef9546206c21cad477e6cacaf7138b104182c94862359b54b38e18dd1c3179496fc9af47a4bea9dd013d46e841c1813da7b4140362a87b3ed2a7f43dabd42a585bca5bce51dbca618a34256d04d0e8fc8a1c6e8f890c90a049ef5c2e6ec35b9731e44781bbd8212fb947b1b2020dde9d5e01b93842f9026499d9caa48e111d460a55b4bcc045b6e620ee0d67862dce0b3744b568180f2f4c0bd8542631366970b5609cca0a52da26ddde0a3fb4660a5723288e9b1a3ddb92cf966722ce75d2eb94f39775db1c9f8d67bbf449c00ca586cb8c5bee8ecf96f1672bc878e93933ad808b349b3b969d978b4e7f08102349adcc5dbc04b784dac05b4dafbc227d826dd8732a4582b4df626369d5f04975b4b12688e87ff1325171d1ac9340707dcf27b9b8c701cef7a0fc6651f0f5b8b23444b00b9563cf7ba9d3dfd85ae3107abc6d7a712b485fee201ce013728d30d5ff682102cd628f4fcbdca65f6cdfcd30f049b65d5a7db0b9d7d9a23ac177a8e06b5802e26df262ab55e0d31d6b83c0b5abaea33475c08dd85a94514f0be84a8e878c1756106e300eec6008e3c59fa129982a1841d3aae965430c2972b6677c99d2ef43a9b4470f2ef262de3eb09285d7c2d6196a04da4bcefa3436ec9ee6d2dd586a52204785561847d3bba701e699bb10ac4c706718206c671ffb070e94008d8244efb63e7f943c5f4daf2d4a4e4e7f0a80e797e0fda919f51395612b35d9229be7181cd73b4ccc40098bee247f25435ea701e862f1faba7760a40a7ec9c85c660014e52109bde52e015e8aa853723fe1bbc59a9876601ac1bd69b4a0e53cf02d8826b954952545276a02a82eb6d9905eeefd672329945a2433b3712a63f3585141cc8f95bcb34c0e9b67bb07eda92239cb11b22a02b11c88672e2a05bd4541e34352b737d86909072d3c458cb7bc64e6e34673247249fa7066a43e50ca708a26123676c16ca78a059ceb7591153ad82104c39b3b601f205ebbba9fe0c290546520e7c29247d34e23940e01811cf7f01352b016ed17db1cfe68b1b91e981457b647f101e87f175fa872e85f2d4fca6a0e37b57c8048d26e532d1ba95cfeb448c63da96632fb2b84bcb4ba0c93f9abac0e20eaaf92b257ec49a7b58027f47bdada1a335dc6e1b181abde9c6c8358030c09e69b49705c905b7ca95fdd92c886cbedae09819f5ffb4adb2cfb0970c362bf6df5fb40fed75a04b79ac3d898683c8e518567d5e7246be5cc05e046b19ae1b2800afa939164b4543874ed58a0b0afed66e9d6b715e97e5af0584f890d1627f1bf6dc48e0f97c68915f740aec2bd8dbbcd07f613d5a3c205c716c6010e2e0b60d3ec7f80f482167f53b7c7bcfd3a05962033e7218d9e1b751121d91623b1783bf318655d8320202dd274d319e9cbab8f7c3aa8d0851d16c77d075c7758cfc1ac71de99d4acc1d46a5bd1e5aeb6a9d9ad4951d169b38f67d4d1315bdc4be2c6872eef97ae407eba15b8f3a148f376c6f40660513234e8ca9fb0055ec776c1bf8c77269a9a65f75e2891a6d5aaf083d58550e9acc9b91498ef992bd69a1bd137914cc545fa7f4879e06e709e264f49f5fea67612d28c4ba39a0e3378f847cdbb8b35536ddad7d1eed35660005f1079f747c294f02b9d5f59d265970f95bc22f081a92c747f2d860440085a1ce07e4a165589d617292324dcfdf3189f6f65ac5decaaba7f293d69fde6398a97f074f1766cb2907c053da7ce251abb62df9aa66c4f6141e611243eba93dc3f5bdec369036b8f55cf9d25fc29275b1eba5fc1a6208272c2adcd42df07873e2135ad41d949e7bea8556b31544be9f7475776b3e181faa20ced0cc9d2bfc6808bc14c9edc373ba816a239f623bcddb9b6f52265eb66ea56b6873e4a0ff5c90871ce7d5f8b1965d4783873098d57069b89f602eacaede3bd06562d129b72ec0cb4d53388d02a0dcee63b78e59add36a5187d221feaf6042f9115a584e427ed41c3c3a0fcc398959568a134bc89638aa1f2cc93a71385f13e5dde60882daac67bb564925e32eede3fb2ae13cf18d0ef7cf3639db3d109845b752716007d399488c6e127d7922abf621290665d995fb9ec29d1498b56b40667ad240d79e1fc06a9f81413904a83c32937f90bfaa299aafc1bb858f4fb6ab2c953e3cf34fc853f1eabbd8d1d5f61ed9a68d6737104d4deae043243cb4d4a2dd42e3949ed57d3af91cf0444b0c987a23e993e7aaad547c0e869a1e4fe17182a440d64355a16419f529cd0eeee117ae3150f871c5b60d772c064e9173d11279b447e4ce544ede7b2d87128bcbcc46837359e6019ac8a60541d688111165f5748ed56948be7afa0862a466160a8d6eefc7470d35a8e5f83e7f2a08b3a62ac501fbc2003173c0ab20531879dcd278ca8d6dadb279775110d33f2525f806395c42ba375ad2d6c49093f500b29a2e7a9cfaffa6e57b351a41747d7f1cf38e5931d6002dfed68383c6cb629fc78e1c3729e769b67d8b15cc3c4619da98dc03680cc3cffada726820ef2a20508fc26a31b40e498e07d06f411ea7857ae1b13297b3c1ca8199213ed7efb1e6935f4a73541a9fcbe403376f1ab8cee6b049eaeeb1d08f8e414ba52a9656914003438755df172a78013aa9a31833dacae0cec92951e93fda5c2ccd9eb62e8159406023ae08708e64399d98e3980d7defa2ff7ecae3ecf1a3412ab39ec6c40f0dfdeb51fed4d8b0f6f9f908aafa48d6a4d2f68d75c0fc135b30bbf1d5a84189c59b12deab58c122487f4a30c9483115d8f379a8888156055dd30f83a22f7fd19e8c795e8508d939311eeee92b8497fae57dd3d398dddadff411003dc978991690b9b92bbfc8e28b2c8a41499f1abb71ea8e68020055973ccc479c860eef79a4016f23bec03256efbefadc1763f62ee6fa568a6b007ac9f9c69b0068d743da6734f38d5f2b5542aae2f387fefbd3d38e7383a8f7ffdf94811a9e24dad68eda226d67f182ee97ee03230ed10b5054300553fc89d3d70b8b44bfb63e2df86b6c25c486b9a09f2070c3e667c464deec0419619c649dd782aa4dd048ce3c6e60d3069ae0e74a8a635e0fdb3628d561f243d395a81c3a336f577cf0cc3d4faa0f143dff71e0e56e8d6e2e6353a180a8e31f6e8f142d86b0bdd1756a2d4d9e7fa7c35e9deb7e4574cf04c95f44d5aa4b4934c1a7269d8ac37b7d680f9a66ac63268cfa9f4b94dd6107cda2270146a822c1b61841996c605584c9de4e2cbbb40a4a3a0f89636a3b7acae205ea7fc114d71ec2b8c927682af71d74112618ccb3dcf48a23e7acf0b8e59d75c9a0ab17358219b757e650e71cb85c2b43d7e0c90b81c29e352d3b11c52f29c7fe37972a39a712d4f4fc0544f5ebfb5bbdfdfe803a2b407e5056e3bff3048b1ad4d2c786ae6e1712f1a0a538ec3852e13b457f88023bcd9deaadc0e6d8f2f2227632d47f3d57262eb9b6e3cad6fb5af2ed5126dc536bb78483d7d92f711a4a9acf7e2b76e067dee9df1ece3b0a3758cc498a90214037d66478aff037dc8f214b36af08c630378c25b3019c6a492960c1a80b8af87370105942be92789b5f9c2b736108a311a7abfc31cc96d90a9e5d1a28d2e2f31c51644b7cb4537817b816a7125d985d85fd3b601302030cf3bcd1d040d8f902644457ef61444285ee32d157a5301501f73774ee6fa1bb7f8996c07c69dba0e8e0ae1c2f4810a07ba6e49be858cd182a69253d3388c4963d121ac6659345d41d382920b6d66420c3052742eb19b8da15e430592678a7e14ebf6ece85e070d22f5ef1497e46e52d0463417bfdc32ecc7d83d60f5c116d56b8e6b787743c1556af55cc32499c21a866b96ee95d15fb22312da89cbdd88060ad067da68e5985bc596f4bd303ae65d76eda2aa71bb2b04ef4ff2c3bf0c515138e0f5f396f1c7e7d4434910a93bf94e8e7f4ac87709ddf345f5966b4e3efeadbcdab0bb6191c409f574d20bbe9fba2ad7b47970d8b7e7c74639b0070d3da91e2d928d58a8c113fab36dd2cc19afdfe814880c3c09a3085ada44ead79189787e2cd4969b039664097c2651ec46e8ebb3698e0916362a36b22490ba2643570e27d00d02bae7a368589cd35b3604dbdec2fd1b7dcfdcb501207e9f557ebd980fdcc4abb239b541232858ef2d9bb7d0e25989a345de398258c8708b278a9a06596cc49bdc06dbed4a4f8d8ff4574448a4c7e1be70f7e85acd340905668a12646a1669d52b4c9a75b137c5d5d6d26ed14bc3f54b292977a61210c6ac8865dc5a3549dc4a72d0be26031395130cdca259d85fbec800281b0a1f1fdbb9b5bc0c44aa35ebfe24f9e75c1c3bb87cb11eb37bac91a4de8f6a5869748b67fbf2b0a9a07c9ddb7b39f6356160e9db49a7264e982cbc9be684920c03b1905dc6d6952759b9a68ca71e18468a6ba7d21155e07bcd72a007e2de595239b6ee4a869111af53b249440373eab8c34865f3f9a6feee1e9c45a94b8e7d2c0d8cee30ecb7014734fc0f8228d88ad3da449156b2d4d474c1dc383ba7d8c7a418427347dc566c72a1fc9a42230f4d94c73c67468b6cfa7f1b10512732d59a8c58bedce61fe3d79fd0920899136ae7512cb81f178b9771f778b66656cc4949fe2603629618eb6949f94f50affc2801878eb33516b5b1105a4abd0590005222acf112dafbd274029dc92f33de2a40777bdc5f8a05387cea45ce5f209182dccadb470e4f5e93067cec4b71b7621ca8e84ff0b53a125ca922fb8ffdf38b8e25bbb160764039ce1d5622afe9559d91ea2b83d3fb95e3a6d78fc120984815d77f9522147da1ad688c942f6a7b3f7ac89e3feb1633ac631c824fa1597e8a0dcd745c92a08a8eafa3f0a42c873cc9d836a4273e4008305c03b8c0b1171d10979e64e23ddc352ee6418a766ded4ff90cc242dc6e0821be9999b8ad456e6556285b394577db8950f800b1b0418d32e06e39fdbd3de4b15bb03155e8a36ea38f2416d337ac525d36ae7d0a5509f7557b1218f60e8b114e6c41c3a4934a2c42c903e5ca5183e04733c03e305b26a3b781a16c073e0ff730a06af039c84b329110f25f1238d24910688f6bb28f5ebfe4c8f5bccf67409c8ed4252575754e380f77028b36208e62018be69ac2858d30c9da3dfe5ed3d1c4841b6346aacfa00b0fa81d9dc9f525a2e3c74f9952d3c46b5684464ad156e13e50362e5e77401fdbfc100dfa22f6995fa1aba855dd2bf02df75a0537b3b9ce038a55d846da4f4c4933c8b06cd8b03affd065f722a8e02a6acda9c7b5b6bb6ca98407404c320633d08d47dbdb2b951624f66c352abb57f0f7a7b959ac45f218c0417d5aaf0f9fdeedc2ec3bfca719cacac2e24867429d1daf7e35b80ca1b711f0f3b3e983417f16e62f9122ead0aa16cd948638a820274536c694fc03336f28c0479dcf3d38bf664704eeb477068396ced416b04ec7c9a8dd4b2a246d4673559a5827f426edaa0805164b854f06cd9d440f24ed009ebf6e9d98bf632a9ccdaf41a71831a7bb1cd04a3659ea80110bc4f4af7fedd7494888df4eedc26e1535d1852ce90fcc83a8a2239bf8071305acadff8dbec924db638b81836e2ca6d272f75e99b3f85188d8bbfe1172e82ae3752a3443c423e5acfcff25aec15a9a886c842685c40cdeb27a10c2b2d381374ad8dfea4b217fccd05160af1ff8107a1b06bb49c15978c77a6cb17f81a576ddf8e892935ee1214b433c270ba7ab12e013e569c2fb2ee60127f3b43ac005c41cfeef83472fe9f57409af5c66df3c5365b74eb2388c2e2ff1457585ba8ceef02558bb4ab2214f9e70ed7a3ca9376318a2344478481a845816277b384c5c7f40f794e2c5b2c106a4fe7be7a16d7038548b4d91eeeba040e89193e8ebb1669c953d8c20ade675675661f2e1c097cbd7c5e1be210305950a7017af947b19e0413ce496f78ef1edbc54c25bd25886ec81b4d68a46492cc3a2e43e9a29ab8b0885f962c760e4f8da705ecad7060975c84f71470ec539ae4fb71aceb55d07fecdcc6f149fbe0f67fdd56d5fb276e56746f91e529e3c072010698ff71ce02d6ccf1df24370b4665cf579af55e37a8aa8d986dd3a97b6ec2cf92737fb9a8f856ac45807eb905ed54a28e2419ef1526e71d487bb7ac85b89075e6026277a3d8fe9bebb178efacd63b894b158eb59467d2d63e68b3617717b8c2f7bee9e10bc580f85735fcfcc0f0f4b2a62eb9aa3351aa682147be2beb6d3c976aa99e66d92cdd10ea3133535545f7371e8f908b8e91fa25652afd89cb4e0f58434948f116928c576805edc7554efd71c554947e14871c64404ae8357fc81d719d1d3427c63d77ec271c0cb94279a4851b0a372fe08b7343a6bb0863076a28c111c1819d7b7404fdfb2df9242d3b9e92e3d9e54074e2c56ec902a745a71433c50fd91e108549a716f5e1c23ff4c2b94eee99e5b6a9871b0dafbc4d4c668130010fdcb383e9f689c2bb1b1b0afb1fb3fe12d1cd4e889b5243c2ef2805814756b0e35c104090215114555cef6439845c438de3cf688daec9fe1cf353285b61735121d78d3481ab5fec2dac4841eaa04da6d40c731da37b80faaa85373b525d1fa6a1074139e677feaac46216ac231fe03a36c1e9395c9f9ad0d6208da73e79ceba1a1ea4e8e3e93ac914687f883e767024522b581f95e0250388f329310ed9d0a5b746b60b31994de35850c43662daf52edbed05f2a1dc157a726fd0e5d73034a993a42476bd9ca2dc0dfa93ca6ee6d27e3677e1afba84f1c17a5949db355d94ee39e553df882680c982974c17bd96330e8b5cffdb350db87032424966a4868ff37c328288506238a46c45e9c35ab60fd807fb8923e381530db9cf8b085e9604ae6fbfbd221f08882f09b43824e578c63406b85737aee796c1a63b86d325ac8663db8c549e6b647abbdd402b5e6fc031caeb1736c4dc2b38f85a0055c3b0ad70e01953c51c15fa28c57a293e3c28a7ffaecbbaf6565fcd9446257c0f9c64b495c63c99398d115b3b86824e103a7d790319cfa8d3384fb6bf7832c8c9f7a0f63967e23c0c63e515d97c3985f0e921028c76d471f1ea5ddc016e2b177bafa49e7160d87a54de1f7eedffaca5c2262bce6852382430b307b8c107060b835e197e3e15c87f69f74246db59c767219e2932cf5a42cd646766a48bc0146acccbe0db08d12cbf83c518adfadf8c3efb8ce0480babfeb4616313c3a5de5f75a9f02e8277209a88990598e77f4e3ab2f4b943fc28e78755ff3105e4765132b1fadf38183ed60e24c8dc8155fd8ba2687b7a96dffb74fdc143fe26877129772a8d92df9fc240a69e9a20bb66eef414760b51e263ab82b2e7a24eb7683debb4a32ebf847f57e20adbfb8678b1e2eaa315e14921c1f822aa0c01c63bdb595779d5766b9bf1ca25f15ddc54e3aea3ed247a0ab497ed9d0d735559b0df6510830171c0434641a92e7e15aad7615b86c6d042c39fce84d8a822c1b3b17eb94fc31f394d01a0f9898271dc0c139c4182d66f8694c2d589a29040209effd7674a644cf1993077f9d886a0f9d99501b388e411d8a02ea6d50ae4be31b224a22e276c4f5d24d3bc14f19f50232a1fffb5a0b3d8f34017d60001ae987b38538989a9f9a8838d2a16d8eb62cdda34885785aef8e97ec8b8756c27c9320d00feea3ac530ceeccf1f0126d377a6804993605e2bdd6f60eee748ee77c93c30c27ea20e74a8c4a07e69e7e7111b416f0ac2563f9746a0edc814384ab35d9b6213a96d0e73892529e907f6a725d3afffab6d2bb6963798a533e62cccbbb63d2722b9801ca7fdee7a3eba6208cdb76139716eaa082b8aad3fade9ea46f074e9746c0aa5f6a2ac43e0df2853644b15415b4fc50cba3fd1113073cb7ba313582a44145bca5cbab59e397d34b90ef184cc4d848414b1e483e93cdbba330370acf791e436720221b3fb8c8745cd1836e25e1310d1a38f2dd41111844fa224672ac380d632d8c0bda7be5c5259951515c92d02727a9a64e37160ca21b75de5322e3031429b2de246c262b64aa8937d3d5389b5d219abe41a526fc979af670dd1d12c08e35c57063d8a5218501c69c00f1152d5355b65215dae5bb959c26610ce997141a10fa7cd91caf89acc012d7621c282643e94ff6b9916f1a0a37fe6f11b2294f2fdd1f49cdf0e6225371385ee0d6255d848dd206f11bb74f9cb201d0d8b809f048829d6e7f3df2edbff32694129fb4fe4fbe4bc87e145c2242900ea4b86f62143228ba06611b9a7889b0fbc46c904b60799f80a6d49df2fa9ee1522561b65da25fd64ea2435e6f4aa7f21fcdc32eec2a2694592f8c8f2f5bf2b56caa5c158a411c48f8af3524d0d5e1325492ba7d806d09473745b962d2d531f27e237a556eacc014ae2e4c83062f9fb99b0356bd32709c7444eb5c6579a03e5f07e9d61fc843bda7447d35069b0939d35c359ac22f55628e212f7b9167d922f271c6a6fa78d8a29bee50f1a0532e9e36f9b51729c73a6caf89555c57a48c052426d544053cf826228cfc59c6703c0c0a5a5ba69c2a2dd855d301f7a4f6e500d7f01fdb749921856eaec9417d55cf262b3082f29ccefa9c6de696d2e94cdf6ef377d1d9ec55d628d68f23010076eab2c20a70f1f35f5ccb14d41379daa5fda6ec7dc77fc062cd8c11a14b26b37596d63501ef00e7d9e4c94a76c15afe225a2936968ec501b632fad0e3c34a50cd2d4e77fba16bb03b4f3d7d049cac5637d812a8ec95c84d11c1b2b5ecf2e103566ab88d835d3bc72a36e5116fbc668b26c3db42e9d21e263650c4039466f69c2e42248b209b47fc00f950d7e0374a7627b35e33f5a2a8370a2cc8900a3cf9e7873d0ecc53c32349ca9ff05c323c8807bd054a04055cd7fa3ceb641f7dbdc1827309268e6c0aba7c908a19b0e0ce9180b317c7027b2778c95cb853adc636eaacd67bf6d7740100f091fc874bc0c4943728eb5b4c8c4d6c89a0e90b96eabfa38262e99f81cad9edf20299bf78dd48c4602a8122b1311c331b427f29ea5ea214500d096eef4b5ead952df75b5e189266edf30258e815ea970ad8227756a8f60f5debd25d5fcab92e8a0ff5e1369961d796730fcd4d2cb400cdc46d67e77365b846ceb1991e6d492603ad9b61336cc180e40de55c1aa2e51399698a1d23b3b31ac5d5cec5fb10bcf10a506ce52d2320f615f810f781358ca0d23d2d324977156c1b5c18e5a2c6a02028a40373ffd5c3afccccb92f7cefde2891e69aa49e7a8ecf8e275cbed5176c0a1a7ad96fa8faca234b32b1683e78321a82c05e316e2e15d52c89fcfb233815e9981ecf3684dd41d84286097e78ae1afb89c94488659cb274f765c72244f1936733c40d8894fc3717580e681dc6571edf1aea38cc4c65270f44ac368b7d1cd7a86d491ad50cec56470b451dd16f0f26d336c6b355fa176a1fbcad193d996b1877660574805dfd8bdf4c2d5ad5d521a4a5745028dc7069aa724e8135d1c7ce1ea7601a9f824c0aed405e3475ae16e5ed1998d139bd028e9375068ae42a6df9b3dced7e22c493f50ea13d200f056c79e5cea73d4b3dd8e07d81b3433698f322913cdc117a9a46d6236b93f36eb1c2388eed31fa56c960e2b6c706378536a2ca2b9542c8dbac145ae109e65202af98a72582406b3eecf41ff166518d574c88c9b03e2b7c112611a5688bfcdfe830e0d5e04cf3c4d75f40c1d7395f7f84c5d23bd164c619c9a0baa214ca31fcafcb2791d99da41f381cf652cdc98a6134f679c1118b7fa503e9ad1b06a7c26c6339069485910515acc89b43d6f31d773be54560101775234dff26cebb9138a7f865b9d6d792284f011b7b1d910e3235ccdca0bf0f96b80e1fa1a9c93e0a9cdfa3f712d3f139f9df4479d0ee1f4d4d67a354e975837247802c87c594e5716808d3dc404890beb51fe5896d8a045c9d1f8d5ed015a86fce9d1e81d74ac80404c30083b5a7336ef13989620dac8e7a2a558c8d1f1b6e929add6b9a3622739ad4eb93afe997ddb4fecce60f5fc775b6efb527fdc055982fe2ad505c002516175e6284d872056a927b48be6aad370183d815c58af790f618e0f748d725146193f618aef1b5a064635b50ce682b3961a2f19eab84e293abe4087d7ee117c08608fc4bc9637ebbeb945bcdd66207b2f02331cf5796611c8e2dbfc45c2195ed1c197916f5b493606b99e0c9abb38bd933a2f70fca4d675d4e1b6635d7a607a224f91caa438323bf9e1a70e0ca5c16d0d882b6d35b2103ea8c5e7314a4516627251a825b3902540048ba48fae626af3fa4a21e81367d4758cff6c429904376e9594089e7f5527074cb1ccff7799eeb71bd16953aa4c851d45e938980bbd56cfaececbe9ff393630c24f763c48a6e28c9a77a25b915f1a99d74cb33218179f46e78a2d6eeba8477a6144f6d2deb294c8da6d95a950b77fb133236b3e5d2f540c092a58746c797c3868e380347c0a9b9ebdb67db8b5f51cbd135a73c270cd2b30c435804f43e443c0815fc5f375a73010926d7864388523d2eea07007cf3f817704efd0319f0487c515981f29723ace36d167b990ddcc7e064d521b3aa6a6655a0a365afa6caf1ef40fae23a9e42ce08c57bbf5a41a0bd54354b0dcf74ca77771d78aaef2a0c51c5998b91642fdd4f953d2a4291ce308e726427bded86fa0ce56ac0ed4a16e6f0541efaf845d5350b6117f79b8646b49601800b732adf992358298c59e64921b7ac430e4872ce0a9cb37c483a4451f4dd08e68e6c87905c50031e3b0f730985564a3a5c29db28aafef3f8cb05c2644d9aaa1015e2ec8bafc2640481abac6b18b12f3e7233704d47e0a1df4accfb03d3e6a3222929157ed1f6dc2d86b0536f2b48e99996247412266c9a28c3230d2ce20ea9d43808a9af936aa81710853a1b1bfa5797c1655fced7912f19041702d8a4f7e9626a4a793b6e58b155011c9447ff926844c820828202859fc75394f45b2bad859b34f36fa98f6a9e8ede680b23b51f793fd996dba5e6c23a6740aa6a46b07d6e53b74b65c041733ca156a3698772c3eede0e0887993a85e6290dc7fd14545e5d923a512e1d7b4cbd96010445c9d9e855afaa7c53f53baff420ac332d316a35a238a1815d272f60c3e886ca858d6448ed51a0c7676db70b8fb7b04980b976ccbf0a3110437b7c21e85d4944edb7b6ce0f652cd5da561a9b34211b26e641236a857dc1fbc43c12a4eb9ebbf96cfea736f2d8298cedafdd0ab073a7ac697960c4d65e64d956058c1acb02dbaa11c7a169b4be13952694d8dfe84ef06b1a3583171d99de754b32c41861c1be8b6dda60687e67aa6d8249e528349cccec97e399bb639dfbf4479f54c591d31f588932af57b5ab87843aba2c8063c55664bb8375e24e5346ea03cfadfe42795453c46a8f3ccec7d5b9d2896d34e0432cefa1464f6338b40fb1b2e1ff9026898ebd6eb806339f488464ff70eb741239556b55e6872e2d90ad69f11e6ca2bd7ccb8b6d39933fcf3dca15b13a76b4adee2b1898b60bd6bd051f9e4e516aac6650a50a5077b9caeba9f286e58886ed39dfe8cf9ba25dc84e1ae847b5637962b4c08b01601808dfbd93c644c9dec8d62123c9005b51dbb02d7144a12d49ffe018fb832aa5eedfaaff32784001f0f4801396189e0e5f525b79caa0f010d6574cd479fa9cc632f6a2558fdd4eb2931375e7ac9eb99f31c1039a9780bfec6430b155cb4d205bb33c735509c270167dfbfefe65062c757b41493beda43133ce24d497744a907fd78ddd8a0fc896a8eb60dd174690672c6952789f29024ef540d21e99f15fb127a0d8b7b7f0e48233c5778f578a1e83088a659bded44bf41e8edb8a02f091509f0b05f06df737891fd7e0971a0e1735d22da7018386792fd5f2bda365f48194a00b89faa4bb1d972788d740c57418921eb4d6176d160b209460d544734ae43e99658aa367e8973c3ce1137d936103a842da4dbb085f25236be94f9cbea7fe4e8dbfaab901de38ac0ed4458fa7d94503d42cbb8eb53042cbcb7e12ecdd5cdaf655b51d61c0a6a07b562b619b6dff90e0edf99d8c20278ba17ac5480f04a3a60ba83678b3dbb4247e5fb96ef134fd77a699bc7812d1c9d31875a298c701da0f17e426e4f6074f82dac60c9e0d2387ef54d602ee9b77587513c97cf3c29ec5c1fe318cd1d0d049968498da6916ab56edf7a4c16c4c55b3f52c21989b196276d2a7c5a7e21b47665876be4b0f3f5f69554cd404fd4453a4d14b58bdd623007e51eb90615a65c959305ba93337ade682e432daff7eb2beb47cd08917290dca5421775a24f8656ff18b0a918fe4f77dc8a63a151093b8441552885aa993d0ea6eec60e1d60a0ce8d264d66dd29ded7ae9c08704998667ce116c870d7970abe04cd3a58b9df79728b7b73854425b5cbcc62c66a8b38d6b7ca8fe55eedf9e265be8f100f8e6d95b2ff66c4570439b6932dda3f16d73e69625206551b85fa977ecb8181d95696777455a09d5197a22ac5d1a780d7746726eb0a84f93a11d4972871e24a587dca5442b449727a6ece2db6f3d8f513ff2906c7860f972e8d99bcee1e88739aad134b14618241b9a2d97997e7893582306f11e08fb979c34d31f96b39a09d51451e277442c3b8a26b98aed6990d57e44e2d9e99ecba825ac8b51d19f46441bd3a3a726b39336b09600a68097e8d73a01bfc0c739abf599897d19e7e81f2945351b10f1af8b9e62604b30addf0194ce8e88d78d8361f23ad92b8603e20c7e70929e843b22dbb8840fe4ba461008eef25a51a564bd33d85b992996de97a0f4b5dc3356f54413e53b36f24d31876f9133db4691d1ba5519d82ebfe05a11212c21a1083cf8645dcc7425fdef414131cbfc4a40f82ca79815c5533c5700093810cdc284a84305511395cf12a8b76227ff02af2558c56ba6e611fcfeebf77f05393797a8b67c20acdf593c47cac0bc599f10f622e4168b2930a9be32e499637d90777f07fcf86d9bc65d98d2e0332e92feefd802fd59cfc93ff4f71a7c29b33b9f06fb16c3aa23254030f015a1fd288d3df8dd3fe00cdab8cf6859311a18f76a90acd1f3db082d9222a3e488ac69513d6bfd5a326f749680c6e710466e411c20ed352fe8fe90d6c3cdab7e10c96c86c63f4960015132efafac31ab38f2849a4180392742c71566383e79db7e1114a74ddb19d66febab0a96ac3fd4dac337a073c07319d5538ab41f2b87aaccad5b33e1a830bb277ffb09d0e4d9eda6a9df9e24d7579a31e820d46ec07a17be8913c6259ec9714fe024ec03a6f2656d4904905328f7e9788088bbc7ec666588581ec522f6a6bb7e4edb9c85fe87a8d5cfb788d477248a6daa3960850e5a13e0df41b3db8b07cdf166bd90ad3f777ae2456751434886bc7d57189e66f0e6e1d9f5db57428cdf098b833c1b2ca8390a9bd483e5afb6e8ca11f12614fec46985e0ca98818ab2c3a3c311e3f3c53e6776f42f6ff35b12805f3ca9b390c20aed909b23d7e1e19f322809c28d6c7ee96a36cfe268b2dae202ed172814d62650423241b98a7d617b91f8e81a00b15bd1c7e6e5660923c0831034e7518b26a8f90c8b1588a23945325f0bf152d6eca65a04a330c08f67b2524adf4f5292d6c254e4bea7fcc9d87d1721a93f969554bcba69a3be8d20b4baeb7afcd8353438c13eedf4b2aec0642196f43e8b5a3addd5901b2645d2794ff144a7bee876b33968fa2485982710e944c0b175728a51c1865a51867ae0e889d4a94d9c76347c0eb4430e9a2399a79f4055e7bc1542b2bf8478edd5cdd174e0907a1487bff7a3d8ea85d480d55c90ed84c0bd0bbe287c5f5598829c7a8a2e16220231db90cb7f8fca22c73a67275df2f23aea835c86797cc0c6f2081cb4d70370f89a58eba3f5b2acbfe97fe8cd1ae5e0c3bf42dd13f2cd958ea9735c6aa0e51e1e5d85d3f037a2d3ffb640934ec7468fcddd42946be81bfd801942f95694c3267a6237fa8229aaaa51d8156c9d575596fbb24c2082423272f3f02da12c870b58b64e747044fcdd933685e7b4c3247e9fc4b1dad8834fdad50103b8c7ea4f4434a4a0c982060e4a095d4ae7c3a1165af8220fcf2ee380841e32d7cb2f67b535c09c5af35d935eb091f072001f9ea70e289e2a9d8c9b107fb5b6a87bd3282a0ab8484f603c9e0e8aabeade763deca697e7373592c69b9429c7622eba408cd56554a94b1ab5e789015dafbc636bcc3e099129c023424e6c2cbf319db97fde78a14b78f767da6524d06da7b8dc0df81c19905ff225dc17bf225ae5ba75546cb2ca9cd99dc133f338f191ff049a3de4fc3ba7d1b22097c7e40cd13b66aa7ff3421259002d19fc47fcba16eb20a476c138866258926c0a87fea8841488a807c5502237a9e8d96445586892c53641d72ba9f876eaaf269e810658af5b1d7b5dcde6e4f1a009a92c63a9e8c3e19c29316a23848693a0921c68f2b4a40e007bb85308c8ad32f15f21c1ba42d902e17fc7e930325ce2459a99e2e81b6b0b94209d405361e9938af2d2b0d3e1be93bb5b1aa38c5ba1ac76caba677be41ac7112448a72c97ec8ee62e0979c4fd23ebf7c6d151762a36061ecd9507b91f6bbf363744544602a2dec64667ce5d106fbdcbb143276dc8f723250caa9d24b9495b8d76bd72d8bc93b4d7b22d8ff0a9a82f668fd1e54a478b59e54bf9a0529e9a148b8f146bfb1e4de9bd52ec1747be2fa875ddd1cdf6345d3393799065c4cd8118e33d695dd4b98efca18e10003aab586d84617512ab40e5f6ecb5fd6712ede74c3882ac8810b806d4707326d623ea4865abb0ca150476a2dee29e05047fa778dd34857fd63d4a0ee8dbab244603ad067c236d190fb89fc46f7f21d163f43d36d92092ac4ef498e89b66b5ef96b08b41e0e358f3b1bee336ab6e6386128bb8f2c25c734569e7c100427608d0c8b1754165aed4c56f0214c9fc5e15018a0de32ffbb7172e969736b690f96c50f3b85b0fddcf55c5fb526ea0dd6c42e1883e12c718299ee97d321601369351aab917c0a427c1bb63541acff3c9479e4db1a9c81bd6e9a71cb75aaee0d6649b3382a1b03e5677f74b42659c381e1cffa14843f6efbd51f5ac5a7f31bd54ab7ddec536327539f4f1258567650981228da5df32958112e2d8de27ed481a83c810b92668a4dcfbd6767798c3c899c8f5184b0ad30525bf102ba40c375d86cfe8eee601ce96829981ab56a86cafa2a154d63312fe97b19f243b326921f049bd48e37729cc96f26d2b07ce46377b7397c1f536f5ef6fd66f6c4116ea96b08330448ac72ffb5faa8eeb9ded68fe7e54a0e49271d37d658341e16737ce37bf47cb4b7fd6cbdcd6e6117b7f006ec8f4290c3b935f491f1356940e5c96195d4c022bc03f03b579eca67263444275d8d3c288014dc9169d3297b54c1a628ffbf74ee9e7511812aedda4039dcb0892d180b50f940992fc920d6f748dcc4b9155186b0e5474be0e68a3b4bb7ea52d0a136664d251560b037e8f8df2b0a2640e420b19d143400d9678dac4e7a2b4be287f6891ffcfb1c11bb4f2b9688aeae272b701b2471bd12f82c8f2ad9b8ce1e9aa4084912a498944bacf4faf75d6fb092b61fbac442f64e66dbe570545f0995dedba17e72673364a8a07b3d33affc79fef0e4e4fe41ae8db6ae027d5821026561b61498f75de599f46d7743cef145b741aa2fd67205c18e8757073d1b6bf0a66f06e0c1ec6fd1ce3daf913b016b427cdf4f7b19f9fb22b2a1fc4510449fd020e54fc93f7609f56519f7e6caf02f5b8be3a36d9263890e2068a9bee98469a117964a4b5e39cfee8eb1605ded96b2acc51afc99821ae7bf50d4b4791eb3eca53b7ae0005e5d74135fcfc112fbbee5a68125f10249cf8340c0f22d412a74fae14068ece35c4617f90f1b75e84b1ae9ecf6c18c7504f068b034462cbf349316fc63d580eff2fcf36cd296379a8bfff91294c58dbfdd93c98285e7aed4489a4670c7070907b7cced1c54419034f69e81edec13b35c49bbf473c6ca32ee4bfa9b1676053b79807350c55f3ae6005d6e5adc4328d78e8197854c45b5ddd5a1dce9a6b03d0ca45aebc068f3bd70d3202f5e1e17398e0a7c957aa6436b061fb80db2e726df5607b496194f911098faac0608b03eca5058fc43beb56865cef28fb9aa0d311bca89b8a0acb02b583e01f2089adc1dfa113ec812f1cc5b4b7fcfbe044ea2b3b2a93f2945d31db3e1c5e9e35f99b607d14fa0221b61644fb66e8c7a22f329cddfb22d2bcae360d22ac556bc7f35a00a3f2760d1fbbc297a3a08502985f69a7524d997c6fe3002e0fd6703b67d70dbb57926069fd7433f4cb82173e542ea4be236fcf30d03a82a32bccfa7b373a46db0ac27bba4cb00edf6bccf3c8270cacdd0730a3d7b46b71084821a5e85d3a9493da176569df13162bd8bc911da153d7976e73121a025301997f2aad8ccfe4b9939665dc6699ce20fcfcfa2e1278039f3fdf2db0d7de3c9de4ee4e64453670a2be516c33b06f545a6063f121553cd096e12f4dee94f5a2858aad5dc12c081fe614fdc4ba0fbbd623a38835f7c1c5ef8414c24dbd32b37e4bf0a0bdcbbd12946ca82032ec338256786beb027d62d832fb99b579a8e162c10c67d479d397caa7d7e0c714c4491b5d804c87be8afdb26204d37548b869aa0e94adadb97f5e7db32bcb471bd5bb2aebd80d6947786b6a322ab569679856413eba30e0dcb1d31cae96b71d43846c39044691d5ffefa1cad55e5d59d8f8302bcc410086ca41b576c5dc18e5ce80e2de4f7eb57b1414ef29cd00c1fbd906852915d03f9f5265411d428d23f04a70fb46aa7b60146c6f272136f13a0426d149256b936505f03997fa86e2507b04e25c871578fa980d2323fef7e8031209043ae56baa4e0ec407084ada94d96ea836080d5a66e0d87aa7deea927ae9f5b80a58bbc2555f7a95680ac7b7c0f7ada2f5769a5dd272a102b94c883116daad90be2595175f99656aad3dd36336d84ebaf97d1d5e2782b4c392df227") r47 = syz_kvm_setup_syzos_vm$x86(r43, &(0x7f0000bfe000/0x400000)=nil) syz_kvm_add_vcpu$x86(r47, &(0x7f0000016780)={0x0, &(0x7f0000016480)=[@out_dx={0x6a, 0x28, {0x351c, 0x2, 0x3}}, @out_dx={0x6a, 0x28, {0xbe7d, 0x2, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0xf10c, 0x5, 0x90, 0x2}}, @out_dx={0x6a, 0x28, {0x4c98, 0x6, 0x59fe}}, @nested_load_syzos={0x136, 0xa8, {0x3, 0x2, [@enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x2, @guest64=0x280d, 0x2e0, 0x4, 0xfffffffffffffff8}}, @wrmsr={0x65, 0x20, {0x285, 0x7}}, @uexit={0x0, 0x18, 0x5}]}}, @nested_amd_clgi={0x17f, 0x10}, @wr_crn={0x67, 0x20, {0x4, 0x4}}, @rdmsr={0x66, 0x18, {0x2e6}}, @uexit={0x0, 0x18, 0xe}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x0, @ro_nat=0x6404, 0x10, 0xfffffffffffffff7, 0xe}}, @enable_nested={0x12c, 0x18}, @nested_vmresume={0x130, 0x18, 0x3}, @nested_amd_vmload={0x182, 0x18, 0x3}, @nested_load_code={0x12e, 0x63, {0x2, "2e0f017133c4216ac2c00066baf80cb86e897c81ef66bafc0c66b8af0b66ef420f01c33601e312ec0f00dec74424007a000000c74424020b000000ff1c24400fa1c443314a890a0000000b"}}, @nested_amd_stgi={0x17e, 0x10}], 0x2c3}) r48 = mmap$KVM_VCPU(&(0x7f0000cbe000/0x1000)=nil, 0x0, 0xd, 0x80000, r12, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r48, 0x4) syz_kvm_assert_syzos_uexit$x86(r44, r48, 0x3) r49 = ioctl$KVM_CREATE_VM(r12, 0xae01, 0x20) syz_kvm_setup_cpu$ppc64(r49, r43, &(0x7f0000e17000/0x18000)=nil, &(0x7f0000016a40)=[{0x0, &(0x7f00000167c0)="0000003d0000086104000879000008650c0008610000803f00009c6304009c7b00009c67d0049c63246bc07ffacddffe0000603c00006360040063780000636404006360269fe17f0000603c0000636004006378000063643c02636042000044f5009007d6db8bef0000a03e0000b5620400b57a0000b5662a00b5620001c03e0000d6620000d5920000a03e0000b5620400b57a0000b5662a00b562736fc03ea7f7d6620000d5920000a03e0000b5620400b57a0000b5662e00b562905ec03ee010d6620000d5920000a03e0000b5620400b57a0000b5663200b5620000c03ee0d1d6620000d5920000603c00006360040063780000636400f063600000803c0000846004008478000084642a008460220000448fed9ff30000603c00006360040063780000636400ef6360b5ad803cca82846004008478ea5e8464a2e88460f167a03cbee3a5600400a578a557a5645546a56003f4c03cb487c6600400c67873edc6641551c6601de9e03ce4a0e7600400e778d884e7642576e7600870003deef70861040008791f720865674008617fc5203d5dc62961040029797f83296531e82961ec4b403dd8c04a6104004a79e3f44a6576a04a6142000044c7dd79120000603c00006360040063780000636408ef6360ae15803c967484600400847848298464f27b8460fb2ba03c3a84a5600400a57866dfa5640e85a5609421c03c544cc6600400c6788ed8c6642d18c6602715e03c9877e7600400e778527ae7644a11e760b221003d4162086104000879f61f0865aa6f086100f5203d4c23296104002979da1a296595bf296193f7403dde994a6104004a795ee84a65a0514a61d50a603d34f96b6104006b7921196b65ab4f6b6122000044", 0x278}], 0x1, 0x15, &(0x7f0000016a80)=[@featur1={0x1, 0xfff}], 0x1) syz_kvm_setup_syzos_vm$x86(r49, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r42, 0x0, &(0x7f0000016ac0)=0x1, 0x0, 0x4) syz_mount_image$adfs(&(0x7f0000016b00), &(0x7f0000016b40)='./file1\x00', 0x1000840, &(0x7f0000016b80)={[{@ownmask={'ownmask', 0x3d, 0x9}}, {@uid={'uid', 0x3d, r39}}, {@gid={'gid', 0x3d, r25}}, {@ftsuffix={'ftsuffix', 0x3d, 0x1b2a}}, {@ftsuffix={'ftsuffix', 0x3d, 0x95}}, {@ftsuffix={'ftsuffix', 0x3d, 0x2}}], [{@uid_lt={'uid<', r37}}, {@subj_type}]}, 0x1, 0x2a, &(0x7f0000016c80)="$eJyq3PSiSzhjn1ni6QQv2eL9NXzv/l1Tb+R79PvXuQuAAAAA///Puw+p") syz_open_dev$I2C(&(0x7f0000016cc0), 0x9, 0x107c00) r50 = clone3$auto(&(0x7f0000016d00)={0x2, 0x27e, 0x5, 0x2, 0x6, 0x0, 0x6, 0x5, 0xd, 0x7ea2, 0xffffffffffffffff}, 0x90c4) syz_open_procfs(r50, &(0x7f0000016d80)='fdinfo/3\x00') r51 = syz_open_dev$ttys(0xc, 0x2, 0x1) syz_open_pts(r51, 0x8400) syz_pidfd_open(r16, 0x0) r52 = pkey_alloc(0x0, 0x0) syz_pkey_set(r52, 0x1) syz_read_part_table(0x67, &(0x7f0000016dc0)="$eJwAVwCo/6k57hMEqlDNSDO4ZVQCcLxIue9czoZuafU/43B5GQ8/SfKEAJSVthoZct6TJycbea3BUcvLUazBD0Yw9qOvvKZmop6ihOZrQz9pF64MLnCI87vjyBXT9QEAAP//A0oqtA==") syz_socket_connect_nvme_tcp() r53 = syz_usb_connect(0x3, 0x840, &(0x7f0000016e40)={{0x12, 0x1, 0x300, 0x42, 0x66, 0x24, 0x8, 0x2357, 0x9000, 0x8c65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x82e, 0x3, 0x7f, 0x2, 0x20, 0x5, [{{0x9, 0x4, 0xce, 0x7, 0xf, 0xaf, 0xe8, 0x6e, 0x0, [@uac_control={{0xa, 0x24, 0x1, 0x7ff, 0x6}, [@processing_unit={0x7, 0x24, 0x7, 0x4, 0x4, 0x1}]}, @cdc_ncm={{0x7, 0x24, 0x6, 0x0, 0x1, "a34e"}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x7fffffff, 0x0, 0x7, 0x8}, {0x6, 0x24, 0x1a, 0x9, 0x4}, [@mdlm_detail={0xd8, 0x24, 0x13, 0x1, "fcb64e07cbc613ee0fb47b172d8cb25490f7d08dca4c04f248b0d2c6c5d4fd13c90c337dbfe045783ce1ee1399fa76c14b25f5c338b041833f787b776e0c3c255189f0694e731cc1edd1269dee99eed04d16af2ae0f124510006a64280fbf1ac1146beee985883566c169abff09e46018c5ddfdcefb4c06a4626f8eeb21b618fe70adf76c204c1a9305d06d90852b606a0698c6678280d4829c78171526b7cf0cf95cab7e3afb3b58fcfaf6d70eb433347fbae1294b288b8d339b3d78fdbc0f227907aaa921ca3026e4c5ce34211e3c907b42ca6"}, @mbim_extended={0x8, 0x24, 0x1c, 0xfff, 0x1, 0xf51}, @mbim_extended={0x8, 0x24, 0x1c, 0x80, 0x2, 0x7f}, @obex={0x5, 0x24, 0x15, 0x4d}, @mbim_extended={0x8, 0x24, 0x1c, 0xbf26, 0x10, 0x7806}]}], [{{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x40, 0xb, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x4, 0x8}, @generic={0xe8, 0x30, "68849f67c98033bfdc9bc67c706e689f08da2d587b668f1f676bbbc38f71f68c0129159b912f3288af2d8f5b2a9e6a416c8e3445c333df5f7008233683c674208456cfcb7a598fd1430b9bb55e9b6fbf6cd0797ffdb48e94a2bb0a7b924dc3fe2c8b37ff8b6d67a0551a582d713454dc2f829c5fa9bb41053a7b74b601c8ab8454e2d48d213eb4f873d9693119cf01d9779afaa261bd19f84e3998a27cc27fdbaa15467cd6f5442aec6c7d12861746b6bab7b93701f011de1e995c1c204b4c2680503a47bad86fa429cf00ded48239fb555ab98087edeaeeba89b14dad51b1993c25e60109bf"}]}}, {{0x9, 0x5, 0xa, 0x1, 0x40, 0xf7, 0x2, 0x5}}, {{0x9, 0x5, 0x5, 0x10, 0x3ff, 0x7, 0x14}}, {{0x9, 0x5, 0xe, 0x10, 0x200, 0xc7, 0x46, 0x2}}, {{0x9, 0x5, 0xd, 0xa, 0x10, 0x40, 0x8, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x7}]}}, {{0x9, 0x5, 0x8, 0x2, 0x3ff, 0x10, 0x9, 0x8, [@generic={0xf8, 0x1, "8709dae6274078001913ce2efbcb79ab1133baa4f7e07b3b2c7ff70389e902b3684a95a29997f2d20ff4af270d19a8e0b4f24df512a7981b5cc217941cc55d0ee52777d5469f8d59a8b5b4a6e4fe8c2c9450b47d3153ab98f8e25d699873d3bdb2640075123c4c4bf270db5a2e30c478e75e0e80aca0d41af746e3efb598b2dbec647abd397b0efbb2e744238a48cefe4299f48385e74d325ba52c15b168234a996d3257eaab4fefcba6b898c91dd99e0c080a10191184ea552c28223c35e63ea9406888a94759ad4c30baec3d37bc12628f39fd0e1ea1665122b4a04adec0d9632421ac7518851c5c9256a33e291201a3af1af8df0a"}, @generic={0x66, 0x4, "e24af39366d6cc5b860379367e9b5af91238a8ad60d4d3330b86615c238b9adc150ca8d4d89f347cefed3502f2a64669ec10c9352cc3f00bb7bfff70a34070247f372fd56b348f50f94509038994df699dd0bd1e0f291424502d0abfa275df94ab99686b"}]}}, {{0x9, 0x5, 0x3, 0x3, 0x20, 0x10, 0x6, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x2, 0xf}]}}, {{0x9, 0x5, 0xa, 0x10, 0x20, 0x2, 0x6a, 0x9c}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0xa6, 0x0, 0x3}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x8, 0x6, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x80, 0xfffe}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x8, 0x6}]}}, {{0x9, 0x5, 0x2, 0xc, 0x20, 0x7, 0xfe, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x3, 0x7}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x5, 0x7}}, {{0x9, 0x5, 0x5, 0x10, 0x400, 0x94, 0x9, 0x7, [@generic={0xdd, 0x30, "77867ea85d1b66ca1b835f1ffe80b4e15a4297fd75060e9ca4a21e385adab09508051dd6105eaa7cdcecdcc320bc7f956eeb82394feeae2b09c0990c54433f3734da18ccf13f5fcc5bb32eb3bb6b062a282989582d898d9e25f97d5d3927fbc22c45904983860eb61eafd34b54ed2cc8b55cf197d31bbb18106360ad77240c1f44fd50f1a944b9f5557f95e94513b0ad4d6079e15e8d3b4301027dece5a5ba8488a265ab3067ce7d0f2d5ad3117bddf068f591f61d6646f96a3772bb1d8807ba9dd6d7a0beecb27298c3f090b2b7ed72979d14deae685d250f2cc0"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0x70}]}}, {{0x9, 0x5, 0x5, 0x0, 0x3ff, 0x7, 0x0, 0xd5}}, {{0x9, 0x5, 0xc, 0x0, 0x40, 0x0, 0xb, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc4, 0x6e}, @generic={0xe, 0xd, "36cb58afca23d3e3cd43840a"}]}}]}}, {{0x9, 0x4, 0x8c, 0x0, 0xc, 0x77, 0x71, 0x4d, 0xff, [@cdc_ecm={{0xb, 0x24, 0x6, 0x0, 0x0, "378790738559"}, {0x5, 0x24, 0x0, 0xdd}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x926, 0x1, 0x5}, [@mdlm={0x15, 0x24, 0x12, 0x7}, @country_functional={0x10, 0x24, 0x7, 0xf, 0x47f, [0x7, 0x5, 0xa5a, 0xf25d, 0x10]}, @ncm={0x6, 0x24, 0x1a, 0x100, 0x1}, @country_functional={0x6, 0x24, 0x7, 0x9, 0x81}, @country_functional={0xe, 0x24, 0x7, 0x10, 0x3a, [0x1400, 0x1, 0x3, 0x8]}]}, @uac_control={{0xa, 0x24, 0x1, 0x80, 0x80}}], [{{0x9, 0x5, 0x5, 0x8, 0x200, 0x39, 0x3, 0x2}}, {{0x9, 0x5, 0x0, 0x1, 0x10, 0x6c, 0x9, 0x4, [@generic={0xec, 0xc, "cd0d3ce6b75c2b01f97fcb20adf4d99a5a6276a0a0717a5cbdaae5bde2286c78f23ec6527fe1490d74ccaf86bae71c9879a22fb098f798415a4210a098cc4d7658353019718991bb6a8d77a8e7b5d4507404e96ff45614cb5cdad6985e76eec52fa70774a80ce5407b62d01051262f8136aa68c22ea4115b5e27653c40a81cff49a13bf79d599e1eea6f2ab7897c7165b36cb683a87ae079d8ff5f450ddff53f2a7a042d0732f9357ce23fb6a1310f9584d8a7557b654936d97d49be797a565302d1e615a70061101f01cb75333ed4fc3fb983e30f4904195e253a3add43bd069794bcace63863b8c55b"}, @generic={0x31, 0xe, "a6772f6053bbf3fbcc2e4b92794df700a7499308d02da807f64c0bb6a2df535b939af7a1a2e98682e084019d17ff1e"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0xf8, 0x0, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x1d2}]}}, {{0x9, 0x5, 0x0, 0x7, 0x400, 0x7f, 0xf9, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x5, 0xb57}, @generic={0x43, 0x1a, "cb18238b9bb4f2cf09a9e512ee7299837421b4dea8530c6a24f72229b4c3803db0b8159c4fc1d0c512c36706f72652839ab687708e60653bc855f3efc0191d44ce"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x10, 0x5e, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0x2}, @generic={0xa, 0xd, "0ea835cf6f9897dd"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x8, 0x8, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x81377ff213a15d50, 0x40, 0xc590}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x2, 0x4}]}}, {{0x9, 0x5, 0x2, 0x2, 0x400, 0x6, 0x6, 0x7}}, {{0x9, 0x5, 0x2, 0x3, 0x200, 0xe, 0x4, 0x4, [@generic={0x5, 0x11, "b9f5e7"}, @uac_iso={0x7, 0x25, 0x1, 0x40, 0x6, 0x6}]}}, {{0x9, 0x5, 0x3, 0x10, 0x0, 0x8a, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x9, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x73, 0x1ff}]}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x8, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xd}]}}, {{0x9, 0x5, 0x6, 0x10, 0x200, 0x3, 0x7, 0x0, [@generic={0x4e, 0x21, "de218ddf3078a6fbd86d425731334bc46cce8cf519b9cef7c417703ac6b7c8d919df45ea16b8089069bbf34f03abe752c1ee7d7e03a08637bcdc17d4cf34c2756eda9fbf09fdfcfca3052859"}]}}, {{0x9, 0x5, 0x7, 0x2, 0x400, 0x6, 0x8}}]}}, {{0x9, 0x4, 0xb9, 0x8, 0x3, 0x5b, 0x5d, 0x4c, 0xbf, [], [{{0x9, 0x5, 0x5, 0x0, 0x400, 0x9, 0x5}}, {{0x9, 0x5, 0xe, 0x4, 0x10, 0xf9, 0xea, 0x2}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xee, 0xbf, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0xc7}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x6}]}}]}}]}}]}}, &(0x7f0000017780)={0xa, &(0x7f0000017680)={0xa, 0x6, 0x300, 0x8, 0x4, 0x4, 0x10, 0x3}, 0x5, &(0x7f00000176c0)={0x5, 0xf, 0x5}, 0x2, [{0x4, &(0x7f0000017700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000017740)=@lang_id={0x4, 0x3, 0x425}}]}) r54 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000177c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r53, &(0x7f0000017a80)={0x2c, &(0x7f0000017840)={0x0, 0x1, 0x101, {0x101, 0xa, "3681db1760f476d161e6331af001dff260ea6b4a4cea6097ecb1958b59faab7a902848c262a0bb7bb004a6454444f39114416399cc7a71e71547c56a02f133907f22c3f12ced90a4d6ae9ff8fd98b3e7cd83d8745c649289b5fd78f706859e152148d76f8f0d0fa049834365be85ce2b50358758a90b57339c874457410ae277d2b118f38427a932a2c7cacc09aed3ee5730793f36dce0ed57b9c65ff63c7eb7ebbfebe9094e0853051b9f3dfaf6c2ab61265b3af1f34872569ff3e04b2ec1ef09a3692a88292ffa38b851e6fe031a70a551e8844b16d138ce126ce0419571f4349aee237a2bf6fc52cb78f26f30c936902d7f29d3a5615dad86e4c69ca03f"}}, &(0x7f0000017980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x4c0a}}, &(0x7f00000179c0)={0x0, 0xf, 0x5, {0x5, 0xf, 0x5}}, &(0x7f0000017a00)={0x20, 0x29, 0xf, {0xf, 0x29, 0xeb, 0x10, 0x81, 0xc, "e76746f0", "f19276a0"}}, &(0x7f0000017a40)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xd, 0x2, 0x8, 0xe, 0x7, 0x8, 0x515}}}, &(0x7f0000017ec0)={0x84, &(0x7f0000017ac0)={0x40, 0x17, 0x1e, "63fd640c63a3d40d56edf64acb1036df01c37dff2b11b8bd6dce4f20b2ce"}, &(0x7f0000017b00)={0x0, 0xa, 0x1, 0xfd}, &(0x7f0000017b40)={0x0, 0x8, 0x1, 0x5}, &(0x7f0000017b80)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f0000017bc0)={0x20, 0x0, 0x8, {0x80, 0x1, [0xf00f]}}, &(0x7f0000017c00)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000017c40)={0x40, 0x9, 0x1, 0x6}, &(0x7f0000017c80)={0x40, 0xb, 0x2, "dd91"}, &(0x7f0000017cc0)={0x40, 0xf, 0x2, 0x1}, &(0x7f0000017d00)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000017d40)={0x40, 0x17, 0x6, @local}, &(0x7f0000017d80)={0x40, 0x19, 0x2, "73dc"}, &(0x7f0000017dc0)={0x40, 0x1a, 0x2, 0x8}, &(0x7f0000017e00)={0x40, 0x1c, 0x1, 0x81}, &(0x7f0000017e40)={0x40, 0x1e, 0x1}, &(0x7f0000017e80)={0x40, 0x21, 0x1, 0x7f}}) syz_usb_disconnect(r53) syz_usb_ep_read(r54, 0xb, 0x6c, &(0x7f0000017f80)=""/108) r55 = syz_usb_connect$printer(0x2, 0x36, &(0x7f0000018000)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x40, 0x3f0, 0x4, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xba, 0x80, 0x1, [{{0x9, 0x4, 0x0, 0x7, 0x1, 0x7, 0x1, 0x3, 0x5, "", {{{0x9, 0x5, 0x1, 0x2, 0x8, 0x4, 0x2, 0xc9}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0xfb, 0x1, 0xf}}]}}}]}}]}}, &(0x7f0000018180)={0xa, &(0x7f0000018040)={0xa, 0x6, 0x300, 0x4c, 0x3, 0x7f, 0x20, 0x81}, 0x2b, &(0x7f0000018080)={0x5, 0xf, 0x2b, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x2c, 0x6, 0x60, 0x64, 0x4}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x6, 0x7, 0x1, 0x680}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x2, 0x3}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0xc, 0x5, 0xd4, 0x21bb}]}, 0x2, [{0x55, &(0x7f00000180c0)=@string={0x55, 0x3, "8a4234831e8888aedd9ad22d4f28938cda9aa9a900037c311cae82fd231caa312795c2b2f747f7bedc807a10652dcf379da07ebe9635310275c1f0ed956da64df98af4ea239c452aa85b311b94d471e9d3423a"}}, {0x4, &(0x7f0000018140)=@lang_id={0x4, 0x3, 0x83e}}]}) syz_usb_ep_write(r55, 0x4, 0xa7, &(0x7f00000181c0)="c9de81d2b7fd1d65610b4083b89828a1eeb3c1fe78e802b87bcad52205e7f4d5773025c8c92cf009171f12788aa9afbf0167112693c5625eecd433f1b0ed30d3ef6194f9afe363c1334df356e261dc73f07cac0e40a0348c52257f14f9a9f60d5698352069eed46ef10f4a97b1560f7605b0aa631949af14354c1acabb768609d122466f6849102936f4001d18015df428570b6e59759b75e723b1e612800b56ea89a55d2c6378") syz_usbip_server_init(0x5) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif #ifndef __NR_statx #define __NR_statx 332 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } static long syz_socket_connect_nvme_tcp() { return syscall(__NR_socket, -1, 0, 0); } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define VMCB_RAX 0x5f8 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_TSS_BUSY 0x008b #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_MAX_L2_VMS 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static always_inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1) { struct kvm_run* run = (struct kvm_run*)a0; uint64_t expect = a1; if (!run) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n"); errno = EINVAL; return -1; } if (run->exit_reason != expect) { fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n"); fprintf(stderr, " is_write: %d\n", run->mmio.is_write); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason); errno = EDOM; return -1; } return 0; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_LOAD_SYZOS = 310, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_nested_load_syzos { struct api_call_header header; uint64_t vm_id; uint64_t unused_pages; uint8_t program[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) #define MEM_REGION_FLAG_REMAINING (1 << 7) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; struct syzos_boot_args { uint32_t region_count; uint32_t reserved; struct mem_region regions[]; }; struct syzos_globals { uint64_t alloc_offset; uint64_t total_size; uint64_t text_sizes[KVM_MAX_VCPU]; struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS]; uint64_t active_vm_id[KVM_MAX_VCPU]; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) return 0; volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) return 0; return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF); } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE); if (!l2_code_backing) { guest_uexit(0xE2BAD4); return; } uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program); uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (prog_size > KVM_PAGE_SIZE) prog_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size); uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS); if (!globals_pa) { guest_uexit(0xE2BAD3); return; } volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa; for (int i = 0; i < KVM_MAX_VCPU; i++) { l2_globals->text_sizes[i] = prog_size; globals->l2_ctx[i][vm_id].rdi = i; globals->l2_ctx[i][vm_id].rax = 0; } uint64_t entry_rip = executor_fn_guest_addr(guest_main); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, entry_rip); vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } else { uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip); vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov %%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = rip; regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd, cpu_id); setup_cpuid(cpufd); uint64_t entry_rip = executor_fn_guest_addr(guest_main); reset_cpu_regs(cpufd, entry_rip, cpu_id); if (vm->globals_mem) { struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem; globals->text_sizes[cpu_id] = text_size; } } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; struct syzos_boot_args* boot_args = NULL; for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) { vm->region_base[i] = NULL; continue; } size_t pages = r->pages; if (r->flags & MEM_REGION_FLAG_REMAINING) pages = allocator.size / KVM_PAGE_SIZE; struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE); vm->region_base[i] = next.addr; uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_PT_POOL) vm->pt_pool_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_GLOBALS) vm->globals_mem = next.addr; if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) { boot_args = (struct syzos_boot_args*)next.addr; boot_args->region_count = SYZOS_REGION_COUNT; for (size_t k = 0; k < boot_args->region_count; k++) boot_args->regions[k] = syzos_mem_regions[k]; } if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args) boot_args->regions[i].pages = pages; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); if (r->flags & MEM_REGION_FLAG_REMAINING) break; } } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void dump_vcpu_state(int cpufd, struct kvm_run* run) { struct kvm_regs regs; ioctl(cpufd, KVM_GET_REGS, ®s); struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); fprintf(stderr, "KVM_RUN structure:\n"); fprintf(stderr, " exit_reason: %d\n", run->exit_reason); fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason); fprintf(stderr, "VCPU registers:\n"); fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags); fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx); fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi); fprintf(stderr, "VCPU sregs:\n"); fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4); fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0); fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db); fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db); fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db); fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit); } static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2) { int cpufd = (int)a0; struct kvm_run* run = (struct kvm_run*)a1; uint64_t expect = a2; if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) { fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd); dump_vcpu_state(cpufd, run); errno = EINVAL; return -1; } uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0]; if (actual_code != expect) { fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd); fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect); fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code); dump_vcpu_state(cpufd, run); errno = EDOM; return -1; } return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 82; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 63 ? 4000 : 0) + (call == 72 ? 200 : 0) + (call == 74 ? 3000 : 0) + (call == 75 ? 3000 : 0) + (call == 76 ? 300 : 0) + (call == 77 ? 300 : 0) + (call == 78 ? 300 : 0) + (call == 79 ? 3000 : 0) + (call == 80 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[56] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x200000000040 = 0x200000000000; *(uint32_t*)0x200000000048 = 5; *(uint32_t*)0x20000000004c = 0; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0109207, /*arg=*/0x200000000040ul); break; case 1: memcpy((void*)0x200000000080, "/dev/dri/controlD#\000", 19); res = -1; res = syz_open_dev(/*dev=*/0x200000000080, /*id=*/3, /*flags=O_SYNC|O_DIRECT|O_APPEND*/0x105400); if (res != -1) r[0] = res; break; case 2: *(uint32_t*)0x200000000100 = 1; *(uint64_t*)0x200000000108 = 0x2000000000c0; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); for (int i = 0; i < 4; i++) { syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0106426, /*arg=*/0x200000000100ul); } if (res != -1) r[1] = *(uint32_t*)0x2000000000c0; break; case 3: *(uint32_t*)0x2000000001c0 = r[1]; *(uint64_t*)0x2000000001c8 = 0x200000000140; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x4010641c, /*arg=*/0x2000000001c0ul); break; case 4: *(uint32_t*)0x200000000200 = 0; *(uint32_t*)0x200000000204 = 0; *(uint32_t*)0x20000000020c = 0; *(uint32_t*)0x200000000210 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000200ul); if (res != -1) r[2] = *(uint32_t*)0x200000000208; break; case 5: *(uint32_t*)0x200000000240 = 0; *(uint32_t*)0x200000000244 = 0; *(uint32_t*)0x20000000024c = 0; *(uint32_t*)0x200000000250 = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc01464a6, /*arg=*/0x200000000240ul); if (res != -1) r[3] = *(uint32_t*)0x200000000248; break; case 6: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000280ul); if (res != -1) r[4] = *(uint32_t*)0x200000000280; break; case 7: *(uint64_t*)0x200000000300 = 0x2000000002c0; *(uint32_t*)0x2000000002c0 = 0; *(uint32_t*)0x2000000002c4 = 0; *(uint32_t*)0x2000000002c8 = 0; *(uint32_t*)0x2000000002cc = 0; *(uint32_t*)0x2000000002d0 = 0; *(uint32_t*)0x2000000002d4 = 0; *(uint32_t*)0x2000000002d8 = 0; *(uint32_t*)0x2000000002dc = 0; *(uint32_t*)0x200000000308 = 8; *(uint32_t*)0x20000000030c = 0; res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc06864a1, /*arg=*/0x200000000300ul); if (res != -1) r[5] = *(uint32_t*)0x200000000310; break; case 8: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0086465, /*arg=*/0x200000000380ul); if (res != -1) r[6] = *(uint32_t*)0x200000000380; break; case 9: *(uint32_t*)0x2000000009c0 = 0; *(uint32_t*)0x2000000009c4 = 6; *(uint64_t*)0x2000000009c8 = 0x2000000003c0; *(uint32_t*)0x2000000003c0 = r[2]; *(uint32_t*)0x2000000003c4 = r[3]; *(uint32_t*)0x2000000003c8 = r[4]; *(uint32_t*)0x2000000003cc = r[5]; *(uint32_t*)0x2000000003d0 = r[6]; *(uint32_t*)0x2000000003d4 = 0; *(uint64_t*)0x2000000009d0 = 0x200000000400; *(uint32_t*)0x200000000400 = 7; *(uint32_t*)0x200000000404 = 0x80; *(uint64_t*)0x2000000009d8 = 0x200000000940; *(uint32_t*)0x200000000940 = 0; *(uint32_t*)0x200000000944 = 0; *(uint32_t*)0x200000000948 = 0; *(uint32_t*)0x20000000094c = 0; *(uint32_t*)0x200000000950 = 0; *(uint32_t*)0x200000000954 = 0; *(uint64_t*)0x2000000009e0 = 0x200000000980; *(uint64_t*)0x200000000980 = 0xff; *(uint64_t*)0x200000000988 = 0xfffffffffffffffb; *(uint64_t*)0x200000000990 = 9; *(uint64_t*)0x200000000998 = 0x100; *(uint64_t*)0x2000000009a0 = 4; *(uint64_t*)0x2000000009a8 = 0x10000; *(uint64_t*)0x2000000009b0 = 0xfff; *(uint64_t*)0x2000000009b8 = 0x484; *(uint64_t*)0x2000000009e8 = 0; *(uint64_t*)0x2000000009f0 = 0x73ca1ec4; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc03864bc, /*arg=*/0x2000000009c0ul); break; case 10: *(uint8_t*)0x200000000000 = 8; *(uint8_t*)0x200000000001 = 2; *(uint8_t*)0x200000000002 = 0x11; *(uint8_t*)0x200000000003 = 0; *(uint8_t*)0x200000000004 = 0; *(uint8_t*)0x200000000005 = 0; STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xe, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 6, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); memset((void*)0x200000000044, 255, 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 1; memcpy((void*)0x200000000050, "\x01\xab\xb5\xa4\x2e\x6e", 6); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 5, 4, 12); *(uint8_t*)0x200000000058 = 7; *(uint8_t*)0x200000000059 = 1; STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 1, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x20000000005a, 0, 2, 6); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x1b); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memset((void*)0x2000000000c0, 1, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_bprm_check_security\000", 28); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xd1\xa2\x22\xa1\x13\xaf\xa5\x09\x37\xeb\x93\xa6\x9f\x4a\x6d\xae\xb1\xc5\x11\x85\x97\x3f\xcb\xcd\x8a\xc1\x51\x1f\xee\x51\x66\xf0\xa2\xd7\xb1\x07\xca\x8b\xa7\x4b\x42\xac\x08\x04\x22\xe3\xe2\x6c\x8f\xd0\x70\x7d\x33\x52\xf3\xe0\x46\x7c\x44\x6d\x0f\xd5\x9f\xdc\x79\x62\x04\xde\xb5\x20\xc9\xf3\x9c\xeb\x06\xb1\x2c\x5d\xec\x1f\x8d\x80\x43\x5d\x3a\x95\x31\xb3\xc8\xc6\x3e\xca\x16\x67\x0b\x0b\xe3\x27\x76\x98\x48\x5a\x45\xd9\x1a\x47\x37\xcd\xc1\x7c\x96\x06\x54\x23\x34\x8e\x49\x7b\x47\x3b\x96\xcd\x4d\x87\x0b\x36\x08\x09\xcf\xb9\x63\x1f\x7a\x2c\xda\xdf\x25\xba\xad\xe0\xa0\x28\xdf\xa8\x48\x75\xee\xae\xa7\x10\xf4\x4e\xe0\xc6\x0b\xe3\x1d\x07\x66\x79\x21\x37\x5c\xbf\x5e\x90\x56\x5a\x75\x94\xd7\x8c\x49\xee\x1a\x77\x3a\x21\x69\x6e\x3e\x0f\x6e\x9d\x5a\x9c\xc8\x26\x1a\x51\x99\x02\x69\xf0\x6e\x56\x42\xa8\x10\x55\xab\x67", 202); memcpy((void*)0x2000000002c0, "\x4c\xe6\x39\xfa\xe6\xa5\xb1\xdb\xfb\x9b\x05\xcd\xf4\x4c\x3b\x14\xdf\x7c\x00\x1e\xf8\x93\x1a\x51\x17\xea\x1b\xa1\x75\xc0\xa1\xe0\x80\x6d\xec\x26\xa6\x1e\x38\xc8\xb3\x55\xe6\x33\x4a\xab\x16\x93\x6f\x3b\x93\x88\xce\x1e\x11\x57\x87\xf0\xa1\x64\xe9\x87\xd9\xe1\x33\x9b\xbb\xdc\x21\x47\x94\x03\x32\x2c\xf6\xc7\xb5\x5d\xaf\xea\x9c\xf5\x27\xb3\x25\x32\xbe\x38\xa2\xf0\x55\x79\x07\xe3\x57\xb0\x5e\x19\x86\x22\x78\x88\xaa\xc6\xcc\x43\xa9\xe5\xea\x5e\x3c\x09\x3b\x69\x3d\x4d\x13\xb3\x78\xac\x22\x43", 122); res = -1; res = syz_clone(/*flags=CLONE_NEWNET|CLONE_NEWCGROUP|CLONE_VM*/0x42000100, /*stack=*/0x200000000140, /*stack_len=*/0xca, /*parentid=*/0x200000000240, /*childtid=*/0x200000000280, /*tls=*/0x2000000002c0); if (res != -1) r[7] = res; break; case 14: memcpy((void*)0x2000000004c0, "syz0\000", 5); res = syscall(__NR_openat, /*fd=*/(intptr_t)-1, /*file=*/0x2000000004c0ul, /*flags=*/0x200002, /*mode=*/0); if (res != -1) r[8] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x8000; *(uint64_t*)0x200000000508 = 0x200000000340; *(uint64_t*)0x200000000510 = 0x200000000380; *(uint64_t*)0x200000000518 = 0x2000000003c0; *(uint32_t*)0x200000000520 = 0x3d; *(uint64_t*)0x200000000528 = 0x200000000400; *(uint64_t*)0x200000000530 = 0x36; *(uint64_t*)0x200000000538 = 0x200000000440; *(uint64_t*)0x200000000540 = 0x200000000480; *(uint32_t*)0x200000000480 = r[7]; *(uint32_t*)0x200000000484 = r[7]; *(uint32_t*)0x200000000488 = r[7]; *(uint32_t*)0x20000000048c = r[7]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = r[8]; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[9] = res; r[10] = *(uint32_t*)0x200000000340; r[11] = *(uint32_t*)0x200000000380; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000000740 = 5; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000000740ul); if (res != -1) r[12] = res; break; case 18: memset((void*)0x200000002900, 0, 32); *(uint16_t*)0x200000002920 = 7; *(uint32_t*)0x200000002924 = 0x7eb; *(uint32_t*)0x200000002928 = 0xd8c; *(uint64_t*)0x200000002930 = 6; *(uint64_t*)0x200000002938 = 0x65c7; *(uint32_t*)0x200000002940 = r[7]; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0481273, /*arg=*/0x200000002900ul); if (res != -1) r[13] = *(uint32_t*)0x200000002940; break; case 19: *(uint32_t*)0x200000002c00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000002b00ul, /*optlen=*/0x200000002c00ul); if (res != -1) r[14] = *(uint32_t*)0x200000002b34; break; case 20: *(uint32_t*)0x200000002dc0 = 7; *(uint32_t*)0x200000002dc4 = 0xee00; *(uint32_t*)0x200000002dc8 = 0xee01; *(uint32_t*)0x200000002dcc = 3; *(uint32_t*)0x200000002dd0 = 1; *(uint32_t*)0x200000002dd4 = 2; *(uint16_t*)0x200000002dd8 = 0x100; *(uint32_t*)0x200000002ddc = 8; *(uint64_t*)0x200000002de0 = 1; *(uint64_t*)0x200000002de8 = 8; *(uint64_t*)0x200000002df0 = 0; *(uint32_t*)0x200000002df8 = r[9]; *(uint32_t*)0x200000002dfc = r[9]; *(uint16_t*)0x200000002e00 = 0x8000; *(uint16_t*)0x200000002e02 = 0; *(uint64_t*)0x200000002e08 = 0x200000002c40; memcpy((void*)0x200000002c40, "\x04\xdb\xcb\x20\x9f\x35\xe5\xdd\xfd\xb1\xb3\xb7\xa7\x41\xcb\x0d\xa9\xe7\xb4\xa9\x7e\x26\xe4\xd6\x4c\xa5\x56\x0a\xd3\xea\x50\xd5\x19\xbb\xf0\x49\xc3\x13\x51\x11\xc4\xde\x1f\x36\xb6\xb3\x08\xbb\xd0\x28\xe4\x49\x5d\x46\xed\x83\x93\xe7\x59\xfd\x0a\x3a\x8a\x87\xf1\xdb\x87\x49\xda\x45\xe9\xa5\xf9\x99\xf3\xe7\x4d\x92\x0c\xe2\x0c\x4d\x2b\xfe\x9c\xa7\x2e\x5f\xae\xa3\x4e\x25\x4e\xbb\x9c\xa9", 96); *(uint64_t*)0x200000002e10 = 0x200000002cc0; memcpy((void*)0x200000002cc0, "\x9e\x74\x6e\x3d\x21\x9f\x0d\xf0\xdb\x9f\x4d\xac\x0a\xfe\x9f\xc6\xa3\xef\x5f\xca\xb6\x05\x8f\x83\xfa\x7c\xff\x2a\x82\xd2\x0c\x2e\x4f\x57\x52\x59\xea\xbb\xe0\x67\x34\x84\x3f\x87\x1e\x50\xf4\xd4\x7b\xd6\x2e\xad\x38\xd7\xbe\x8c\xe3\x0b\x95\x11\x52\x85\xd1\x6a\xbc\x71\x8c\x0d\xa4\x82\xb9\x0f\x24\x29\x9f\x30\x17\xce\x2a\x53\x6d\xab\x65\x9a\xca\x91\xd1\xcf\x68\x91\x07\x44\x81\x50\xe4\x56\x6a\xbf\x4c\x05\x7b\xde\x3c\x37\x82\x36\xa3\x78\x10\x59\xcc\x80\x08\x67\x30\x9f\xb2\x08\xab\x69\xfe\x7d\x3f\xff\x31\x19\x8f\x36\x33\x05\x53\x9b\xa5\xa1\x74\x23\xbd\x83\x45\xe1\x0a\x25\x07\xad\xfd\x0b\x0d\xf3\x10\xc3\x34\x82\xd2\xcc\x9c\x9b\xa7\xbf\x80\xc8\xc7\xe2\x15\x9c\x09\xd9\x40\x2b\x1d\x7c\xa8\x8f\x84\xe7\xb4\xce\xb8\xa1\x93\xec\xe6\xdd\x5f\xaa\x70\x42\x9f\xba\xc4\xf1\x02\x0c\x76\x67\x30\x2d\x4a\x57\xab\x63\x7f\x35\xff\xe4\x2e\x58\x59\x3f\xe3\xec\xe0\x7b\x5d\x63\x7e\xf6\xd9\x73\x34\x22\x57\xfe\x2c\x5b\x11\x69\x39\x99\x09\xba\x6d\x36\x9f\xde", 234); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffd, /*cmd=*/0xdul, /*buf=*/0x200000002dc0ul); if (res != -1) { r[15] = *(uint32_t*)0x200000002dc8; r[16] = *(uint32_t*)0x200000002dfc; } break; case 21: memcpy((void*)0x200000002ec0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000002ec0ul, /*statbuf=*/0x200000002f00ul, /*flag=*/0ul); if (res != -1) r[17] = *(uint32_t*)0x200000002f18; break; case 22: memcpy((void*)0x200000002f80, "./file1\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000002f80ul, /*statbuf=*/0x200000002fc0ul); if (res != -1) r[18] = *(uint32_t*)0x200000002fdc; break; case 23: memcpy((void*)0x2000000031c0, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x2000000031c0ul, /*statbuf=*/0x200000003200ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[19] = *(uint32_t*)0x200000003218; break; case 24: *(uint32_t*)0x200000004380 = 0x8000; *(uint32_t*)0x200000004384 = 0; *(uint32_t*)0x200000004388 = -1; *(uint32_t*)0x20000000438c = 0xfffffbff; *(uint32_t*)0x200000004390 = 0xff; *(uint32_t*)0x200000004394 = 7; *(uint16_t*)0x200000004398 = 5; *(uint32_t*)0x20000000439c = 0x3ff; *(uint64_t*)0x2000000043a0 = 5; *(uint64_t*)0x2000000043a8 = 0xffffffffffff05c3; *(uint64_t*)0x2000000043b0 = 0xffffffff; *(uint32_t*)0x2000000043b8 = 0x10000; *(uint32_t*)0x2000000043bc = r[7]; *(uint16_t*)0x2000000043c0 = 6; *(uint16_t*)0x2000000043c2 = 0; *(uint64_t*)0x2000000043c8 = 0x200000003280; memcpy((void*)0x200000003280, "\x97\x6f\xf3\x42\x90\xbd\x8b\xc7\xa7\xcb\xfc\x2a\x01\xcd\x57\xbb\x3f\xef\x9e\xfb\x98\x36\x92\x3f\xea\xb6\xb2\x20\x96\xe6\xa7\xf3\x05\xb4\xa4\x72\x5f\x36\x2d\x86\xba\x08\xa3\x46\xf5\xad\x87\x65\x1b\x24\x79\x4b\x4e\xe5\x81\x3e\x05\x57\xb0\xef\x0a\x7c\x19\xb1\xea\xfe\xf2\xa1\x69\x09\xab\xb9\xc8\x55\xec\x45\x36\xad\xac\x1b\x48\x2e\x8e\x5a\x1d\xc4\x78\xa0\x25\xfe\xb8\xb6\x30\x4b\xdc\xd4\x75\xb1\xd9\x17\xa5\xb6\xc9\xd2\x7a\x6b\x48\x58\xcb\xa4\xd2\x53\x01\xfe\x26\x1b\xf1\x23\x13\xf6\xe8\x22\x4f\xc5\xab\x0b\xb2\xfd\x40\x41\x04\xdd\xef\xc2\xf2\x7a\x36\xd9\xd1\x0e\xca\xc7\x92\x9d\xb5\xff\xc1\xdf\x4c\x6f\xb6\xe5\x63\x70\x20\xab\xf5\xe6\x50\x43\x10\xab\x6d\xe6\x59\xb6\x56\xce\xe8\xad\x04\xd0\x46\x75\x6d\xda\xe3\x3d\x8d\x22\x38\x54\xdc\x8c\x31\x83\x92\x48\x2c\xb9\x91\x82\x78\x24\xf4\x0d\xaf\x98\xda\x16\x6c\x91\x6d\xbb\x8c\x15\x6c\x42\x19\x7b\x66\x4d\x75\x90\xe6\xd2\xcf\x4e\xa3\x28\x0f\x84\x05\x1c\x9e\xe3\x11\x41\x42\xdb\x27\x53\x6b\xcd\x98\x3f\x17\x0f\x22\x1c\x15\xda\xe9\xa1\x1a\x52\xe8\x42\x53\x66\x3e\xa4\x30\x8f", 254); *(uint64_t*)0x2000000043d0 = 0x200000003380; memcpy((void*)0x200000003380, "\x2c\x9f\x8f\x38\x8d\x23\x3b\x4f\x05\x4c\xde\x11\x35\x8e\xb6\x32\xfe\xac\x99\x15\x72\x36\xe3\x70\xad\x09\xea\x7b\x82\xba\x57\x85\xb9\xe9\xaf\xa9\xe6\x86\xa6\x2a\x5d\x2d\x53\xe4\x78\xad\x6b\xdc\x5f\xff\xb6\x47\xb0\x83\x5e\x14\x74\x19\x66\x7c\x9a\x11\x6d\x7d\xc9\x62\x8b\x1e\x9f\x7f\x66\x53\x3e\x8e\x73\x6b\x4a\x65\x9a\x78\x4c\x61\x0d\xa8\xc5\x00\x10\xc4\xad\x47\xec\xbb\x1e\xb2\xee\x6a\xa0\xb4\x90\x90\xe7\x09\x13\x8a\xb2\xd1\x71\xe1\xdb\xdd\x6e\x86\x53\xe0\x62\x12\x39\x1e\x7d\xc1\xb2\x8b\xdd\x23\x12\x94\x24\x50\x0d\xcd\x83\x43\xba\x19\x8c\x60\xcd\x97\x01\xaf\x62\xb4\x66\x2b\x08\x2d\xdc\x55\xe8\x14\x9d\x60\x89\x1c\x65\x0e\x77\x47\x55\xfc\x3a\x0d\x10\x0f\xf0\xbc\x67\x6b\x46\x6e\x3d\xec\x52\xca\x77\xd2\xc4\xce\x10\x3f\xc4\x4b\xb5\x63\xb3\xc1\x82\xcf\x2f\x65\x54\x13\x03\xd2\xd2\x9f\xcb\xf5\xa3\xf4\x22\x88\xf8\xfe\x1c\x23\x6c\x3e\x12\x17\x0e\x7a\xc6\x00\xc5\x26\x5c\xc5\x97\x4e\x25\x59\x7f\x04\x9e\x9c\x01\x5c\x76\xde\xc0\xd7\xcd\x29\x79\xcc\xe1\x23\xad\x64\x72\x97\x95\x8c\x9d\x7d\xfb\xc3\x6a\xfc\x2a\xe4\xb9\xd2\xc0\x9a\xc1\x72\xa0\x4d\xac\xff\xae\x8a\x50\x21\x9a\x4e\xc4\xad\xf0\x6f\xf8\x07\x47\xd4\x0c\x46\xdd\xc0\x76\x4a\xf4\xd7\x78\x28\x07\xb8\xf1\x4f\xb7\x97\xb2\x78\x0b\xb6\x8e\x6b\x2a\x95\xdd\xe5\x08\xf4\x06\x3c\x65\xd8\x71\x43\xff\x24\x66\xfe\x29\xff\x3a\xfa\x65\x20\x2a\x99\x24\x0c\x57\x99\x0e\x20\xc5\xf3\x4a\x95\xbd\x81\x35\x72\xf4\x7d\x8d\x48\x2d\xb3\xfc\xeb\x9f\x1c\x54\xc8\xa8\xdd\x63\x32\xe8\x3f\xa3\x9d\x66\x51\xc7\xb7\x8f\xa9\x71\xee\x88\x75\x6e\x2e\x5a\x3f\xb0\x29\xc7\x7a\x48\xfd\x41\x64\xf1\x07\xc8\x82\xd1\x74\x3b\xf8\x52\xc1\x48\x66\xa4\x37\xca\x56\xd1\xd2\xd1\x99\xf9\x3f\x75\x87\x19\xd2\x29\x3c\x58\x91\xb7\x7e\x86\x0b\x2b\x7c\x66\x51\x29\xfb\xce\x45\x5e\x93\xce\x66\xb6\x75\x61\x9b\xbb\x23\x62\x9d\x2b\xc8\x68\x2e\xd4\x69\x5d\x8c\x6a\xfe\x25\x6d\x37\x2f\x9f\xed\x83\x9d\xe5\xb5\xf6\x8d\x1d\x30\xcf\xfb\x1a\x4e\x74\x02\xb9\x55\x11\x29\xed\xc4\xc2\xde\xec\x8c\x16\x71\x4e\xa3\x09\xcf\x20\xac\x7f\x17\xf5\xfd\x3c\xb9\x7b\xfb\xff\x2d\xd3\x62\x16\xb8\xf7\x34\x03\x60\x7b\x4e\xcb\x2d\xc4\x24\x48\xee\xd5\x6f\xb2\x32\x66\xbd\x0f\xdf\x7e\xee\x43\xf3\x4b\xe3\x70\x6e\xcc\x70\x59\x27\xad\xa3\xd8\x4f\x94\xd8\xa2\x89\x8c\xe0\x0d\xe3\x69\xc6\x07\x55\x2f\x69\x94\xec\x15\xf6\x6c\xe6\x5c\x49\x52\xe3\x05\x81\xed\xe4\x6a\x20\x33\x58\x9d\x2c\x28\x99\x4b\xda\x05\x31\x94\x39\x19\xe3\x01\xa6\xd8\x18\x7d\xa7\xb4\x98\x96\x6a\xf1\xfe\x3e\x41\x0e\x5c\x16\x7a\xfb\x13\x3b\x3e\x5e\x40\xdb\x61\x87\x03\x97\x7b\x24\x00\x2f\x62\x11\x83\xb6\x1a\x6b\x68\x03\x01\x38\x7e\x2d\x89\x56\x5f\x0f\x62\xde\x82\x55\x16\xd3\x49\xc1\x74\xc0\x79\x24\xf4\xa8\xdf\xfb\x28\x17\x09\xe9\x97\xaf\x6d\xa5\xa6\x2a\x95\x49\x69\xb5\x33\x5f\x30\x74\xf2\x40\x02\x45\xa7\x7b\x19\x51\x31\xd2\x6c\xe4\x3e\x17\xc3\xa2\x01\xa5\xb8\x51\x8f\x8f\x96\x1f\x2b\xe9\xd1\x70\xc6\xf5\xb2\xb2\x36\xa3\x94\x45\x6e\x57\x7b\xad\xa3\x30\x7f\x4e\xaa\x8e\x03\x52\xbb\x59\x50\x37\xe7\xf3\x0f\x5d\xdb\xdf\x01\x4b\xa5\xb6\xf3\xce\xe6\xaf\x1f\xd4\x74\x4f\xd0\xbb\xac\x1e\x2c\xe2\x98\x53\xc7\x22\x95\x6d\xa7\xde\x4e\x3f\xb9\x24\x18\x20\xb0\x58\x6f\xfa\x29\xda\x5b\x6c\xdd\x12\xda\x1a\x04\x18\x64\x3b\x4b\xa9\x6b\xb4\x32\x42\x14\x6f\x6c\x0a\x33\x98\x0b\x93\x85\xda\x28\x3a\x2a\x05\x2b\x8c\x20\x1f\x42\x39\xf9\x57\xfe\xa5\xf2\x3e\xfc\xd5\xad\x3b\xb0\x76\xab\xee\x60\xce\x46\x7e\xae\x68\x05\xe1\x86\xe9\x74\x93\x42\x80\xa2\x67\xdb\xf7\x32\x0c\xb9\x0f\xe9\x32\x2b\xdb\x6c\xe8\x09\xbd\x35\xb4\x13\x0b\xe8\x71\x19\x04\x7e\xfd\x75\x5c\xc7\x47\x74\x3e\x6d\xa5\x1b\x24\xaf\x5c\x01\x66\x1b\xe2\xf8\x13\xce\xf7\xd7\xed\x9b\x61\xe8\x3e\x0d\xca\x2c\x82\x21\x52\x5b\x28\x15\x70\x27\x6a\x59\x58\xc2\x61\x49\x29\x79\x4c\x2d\x55\xa6\xb1\x5d\x17\x01\xb1\x96\x1a\x07\x8e\xde\xff\x50\xe0\xeb\x0e\x02\xd9\xb1\xd4\x02\x65\x7c\xe2\x5b\xda\xaf\x91\x0b\xa4\x54\x94\x83\x63\x1a\x54\x89\xca\x98\xfe\x97\x9c\x54\xc7\x40\x0c\x9c\xc6\x8f\xed\x1a\xb0\x0c\x40\x2f\x49\xd3\x6c\x4d\x7b\x2f\xb2\x73\xf3\x92\xae\xd4\xf8\xde\xf2\x56\xd4\x09\xe5\x0d\x26\xe7\x25\x1f\x91\xb9\xf5\xbc\xd8\xe8\x42\x02\xe5\x20\xcb\x7f\xe4\x34\x74\x4f\xe3\xa8\x83\x1c\x1a\xf1\xeb\x20\xa8\xf8\x85\x79\xab\x19\x26\x8d\x7e\xef\xc6\xdc\xd8\xc9\x4e\x3b\x68\x96\xe3\x36\xe0\xf7\x38\xaa\x24\x4c\x2d\xbe\xc1\x23\x24\xa8\xa1\xca\x70\xe0\x40\xd0\x7a\x79\x00\xf7\x6f\x0b\x09\xe0\xfa\xab\x42\x44\xd5\x68\xc0\x03\x09\xb8\xf3\x11\x57\xd9\x17\x88\xc8\x71\xd6\x16\xd0\x57\x2a\x26\xf9\xbf\x40\xb2\xff\x8f\x03\x4d\xd9\x64\x6f\xb1\x3e\xba\xd2\x95\x1f\xb7\xa9\xea\x55\x09\x21\x13\x59\x75\x9f\xa4\x95\x72\x2e\x0c\xe6\xe2\x4b\x48\xe3\xd2\xa1\xec\x69\x39\x83\x80\x40\xd0\x0c\xb9\x08\xd9\xed\xaf\xa8\xc3\x84\x57\x54\xbd\x5b\xe9\x0f\x6f\x92\xcc\x70\x33\x8b\x3b\x1f\xc0\x72\xcf\x26\x82\x74\x03\x71\xca\xed\xd8\x0f\xec\xe8\x59\xb1\x58\x7f\x04\x14\x7f\x50\xc5\xa9\xbe\x92\x7b\x5d\x51\xae\x42\x8a\x1c\x7e\x4b\x59\x4e\xc2\x42\xa0\xda\xb9\x05\x81\x74\x24\x28\xe5\xdb\x58\xac\x1a\xe3\x24\x96\xf3\x71\x19\x82\x0a\xe2\x95\xa3\xdf\x7a\x95\x50\x9d\x05\xd7\x5c\xd7\x78\xb5\x4e\x44\xa3\x17\xeb\x90\x1c\x7c\xc2\x8f\xf7\x4a\xb5\x3b\x6f\x4f\xb4\xad\xe0\xfc\x4a\xf2\xbe\x36\xd7\x60\x47\x6c\xa8\x53\xa7\x82\xe7\x61\x4a\x13\x3a\x99\xf1\xe5\xf0\xf1\x2b\x9a\x95\x8e\x70\x25\x0f\xc9\xbd\xb8\x98\xdb\xe3\x4d\x8e\xe3\x2b\x23\xee\x9f\x01\x92\xfd\x4b\xf8\xf9\x62\x2e\xdd\x9f\x7a\xca\xf4\xf4\xb9\x26\x73\xcc\xff\x23\x22\x7c\x94\x13\x22\x71\x73\x5a\xc8\x3d\xe7\x39\xc8\x5c\xee\x73\xab\xf9\x4e\xa2\xfd\x0e\x5b\x9c\x54\xfb\x7a\x2b\xc8\x77\x1e\xdf\xe9\xba\x3e\xb7\x0d\xcc\xe5\x6f\x78\x90\xaa\x8a\x20\x28\xe6\xd3\x18\xec\x23\x4b\x52\x56\x26\xe2\x46\x0c\x4d\x00\x7e\x74\xf7\xad\x40\x68\x01\x5a\x50\x32\xfb\x6f\xc5\x53\xb2\x7f\xaf\x76\x46\x71\x22\x2e\xf4\xb3\x98\x04\xe3\x00\xd9\xa5\x8e\xb4\xd9\xdb\x9f\x3f\xe2\x01\x27\xda\xad\xee\x11\x78\x74\xff\x95\xe3\x67\x6e\x37\xbf\xae\x30\x61\xe9\x5a\x71\xe9\x7b\x15\xe2\x43\x49\xf0\x78\x56\xde\xf1\x73\xd2\xce\x45\x9a\xff\xa7\x7c\x5b\x47\xf8\xb6\x77\xa1\x65\x8f\x7d\x89\xaf\x72\x25\x3c\x80\x0e\x62\xce\x2b\x11\xf4\xbd\x83\x7f\xe9\x80\xf0\x2d\x4f\x97\x19\xc0\xfe\x48\x45\x4f\x72\x80\x9d\xed\xda\xa9\x72\xd6\x52\x82\xec\xff\xee\x15\x69\xa2\xa5\x37\x70\x96\xff\x3f\x01\x00\x44\xe7\x1b\xe8\xba\xab\xfe\x65\xe9\x9b\xe1\x03\x86\xad\xa7\x0a\xbf\xe8\x6e\x7a\x4f\xfa\x87\x53\xf8\x62\xd2\x70\x4c\xec\xeb\x6d\xf3\x4a\x6d\xd4\x86\x75\x44\x1f\x7c\xca\x63\x5e\x40\x1c\xb2\x30\x6d\x17\x26\xe1\xc3\xc0\x42\x66\x41\x9e\x99\x11\x88\xe7\x7c\xdf\xe9\xe0\xaa\x13\xc7\x61\x07\xa2\xa2\x7f\x72\x16\xb4\x2a\x69\x0c\x00\x63\xc9\x2f\xd2\x22\xf4\x5f\xb0\x82\x0d\x04\x64\xef\x0b\x7a\xe6\x51\x5e\x81\x74\xc7\xf9\x0f\xfd\xec\x6d\xc2\x91\x3d\x5a\xd1\xfe\xb8\x06\x17\x70\x16\x23\x36\x3a\x4e\x73\x51\x07\xb3\x00\x23\x1c\xa5\x62\x4a\xdd\xf0\x83\xe0\x75\xac\xa1\xd1\x8d\x95\xc0\x1b\x73\x57\xa4\x11\x8f\xc4\x92\xc0\x7f\xf1\xc0\x71\x1a\x9e\x00\xbd\x78\xff\x8e\x43\x1d\x7a\xf6\x74\xdc\xe5\x58\x32\xf4\x59\x01\xf2\x35\xb7\x82\x4e\x8a\xd0\xed\x0d\x8d\x67\xf7\xff\x61\x2f\xf1\xec\xa7\x4a\x4d\xea\xc7\x21\xfd\x1c\x85\x98\x0d\x87\xdb\xc8\xdb\xef\x59\xf3\x75\x47\x20\xf0\xb9\x26\xc2\x5e\x84\xb1\xd7\x60\x5c\x50\x5f\x8e\x75\x03\x8f\xa2\x9f\x38\xcb\xfc\x97\x71\x2f\x92\x44\x75\x85\xa4\x54\x75\xa9\x0d\xb7\xd8\x1c\xe2\xb4\x29\x29\xfa\x6a\xe4\xa6\x79\x05\x60\x02\x5f\xe0\x57\x7a\xb5\x23\x58\xf0\xb0\x98\x80\x04\x58\x66\x6b\xad\x64\x69\x91\xe1\x46\xec\x90\x45\x11\xca\x26\x55\x18\x36\x31\xbd\xf0\xd5\x40\x58\x79\xd6\xf6\x99\x32\xc8\x44\x19\x0e\x2d\x91\x6a\x7a\xe6\x5d\xa2\x87\xac\xf8\x01\x20\x96\x48\x80\x0a\x1d\xfe\x3e\x9b\x38\xf7\xb5\x86\x41\xb0\xfc\x18\x04\xf9\xa2\x79\xd8\xf4\xc8\x03\xd0\x56\x56\x50\x60\x6f\x60\xa7\xe9\x9f\xe4\x61\xab\x36\xd7\x25\xca\x76\x46\x11\xcc\x20\x3f\xfd\xe0\xf0\x6a\xd8\x7c\xf9\x16\x02\x38\x1f\x1e\xc7\xaa\x25\x5b\x6d\x21\xa8\x5f\xe2\xe3\x2a\x06\x0f\x18\xb5\x33\x85\x47\x6d\xb4\x36\x91\x9f\x9e\xe6\x99\x57\x04\x04\x63\x50\xe0\x98\xce\x1e\x66\xa1\xb8\x32\x8f\xce\x20\xe1\xf8\xc9\x8c\xef\xae\xf2\x9c\xba\xc0\xbd\x9c\x0f\x19\x14\x53\x8a\xbd\x48\x43\x6e\x92\xbb\xcf\x12\x71\xac\x66\xce\xd7\xa5\x30\x13\xf8\x15\xf0\x15\xf3\x61\x80\xe3\x23\xac\x82\x47\x12\x8a\x91\x59\x38\xc8\x9f\x71\x13\x32\xd9\x75\x89\x35\x18\x0e\xea\xc8\xb8\xc9\xf9\x9f\x9f\x30\x6d\x34\x81\xb3\xa6\x8b\xf9\x61\x33\x60\x68\x1a\x92\x43\x7c\x7b\xd8\x0a\xdf\x98\x99\x09\x3f\x32\x86\xfd\x18\x54\x0a\x8c\x74\x25\x10\xdb\x91\xe4\x8a\x12\x55\xdb\xcd\x21\x8f\xe7\xa3\x4c\x50\x58\xad\x59\xa6\x96\x2a\xbf\xf5\x32\x7f\xac\xd4\xc2\xb3\xa5\x1a\xe1\x33\x47\xd5\x6a\x19\xf4\x84\xef\x62\xd5\x27\x99\xff\xe8\x02\xc9\xfe\xdc\xf9\xc0\x76\x89\x60\x18\xdb\x33\xcf\x2b\xd9\xb0\xca\x59\xde\x3f\x74\x87\xa2\x73\xf7\xe8\xcb\x6d\x09\x0b\x14\xa8\x3d\xdd\x2f\x26\x1d\x41\xf0\xfd\x19\x48\xe0\xbe\x62\x92\x9f\xc6\x68\xb9\xf1\x37\x53\xe6\x1d\x08\xb1\xa8\x87\x52\xdb\xfa\x31\x5e\x79\xc2\xd8\x18\x81\x19\x0d\x2b\x6a\xd3\x3a\xd8\xac\x03\x6e\x5a\x22\xb5\xea\x82\x25\xea\x41\x0e\x9e\x8e\xbf\x86\xc4\xa7\xea\x49\x76\x59\x53\xcd\x96\xd0\x54\x31\x15\x7a\x80\x48\xfa\x61\xb8\x0b\xa6\x06\xcf\x53\xaf\x83\x49\xcf\xad\xb8\x95\x59\xfd\xf2\x04\xed\x28\x3d\x71\xbb\xf7\x00\xa9\xcc\x37\x82\x60\x78\x96\xc8\x51\xb7\x58\x40\x5b\x00\x7e\x61\x50\xcc\x7e\x65\x86\xde\xbd\xa1\x2a\x1c\x4b\x2b\x63\x66\xb3\x87\x96\x23\xcf\x9e\xed\x75\xd5\x6f\x4a\xbc\xa9\x15\x1e\xb5\x04\x67\x0a\x4a\x51\x8c\x66\x8e\xd9\x48\x8d\x8b\x5f\x1f\x21\x2e\xa6\x9c\x51\xa7\x49\x72\x60\xc2\xa4\x85\x94\x88\xb7\x59\x60\x31\x3d\xd3\xf2\x9b\xfb\x75\xea\x09\x4b\xa3\x25\xf7\x9a\x02\x8d\x07\xdb\xf2\x13\x7b\xfe\xfd\x26\x1b\x0c\x56\x09\xa1\x69\xd5\xf1\xbb\xe1\x81\x5f\x06\xae\x4e\x26\xf5\xf3\xf4\xb3\x6c\xcc\xdd\x3f\xb7\xf8\xad\xcb\x76\x45\xe3\x7e\xd7\xd9\xb6\x3c\x9e\x21\xcd\xc5\x95\x4e\x28\x52\xbb\xfe\xe5\xbc\x30\xa9\x78\x39\x91\x89\xe6\x3b\x92\x69\x9d\x81\x0c\x58\x9d\x61\xd0\xcd\x0c\x6b\xf4\xff\xb8\x92\x53\x7e\x0e\xf1\x88\x7d\x1e\xa0\x47\x29\x0f\xf6\x09\x58\x4a\x00\xde\xc7\x98\xf8\xe7\x2e\x06\xc1\xbe\x83\x99\xea\x06\x9f\xd1\x3c\xaf\x0e\x1b\x4c\xd6\x6f\x84\xe2\x68\x69\x16\x7d\x54\xb8\xc4\x3c\x96\x7b\x27\x0b\xd8\x56\x1f\x99\xdc\x84\x02\x42\x23\x40\x2c\xe0\x95\x7d\x93\xe8\x58\x2b\xb8\xf4\x58\x3c\xc2\x64\x88\x61\xfc\x56\x2f\xc2\x10\x2a\x32\x6e\x92\x1a\x41\x8f\xd5\x18\xce\x63\x6e\x4e\x3e\xdc\x36\xfd\x89\xbc\xa2\x5a\xdd\x71\xac\xcb\x89\xd7\x77\x07\x05\x26\xd9\xcf\x72\x74\xdd\x48\x69\x09\xc3\xb1\x42\xd2\x7f\xb0\xab\xd4\x67\xbe\x27\xc3\x6e\x84\x87\xcc\xda\x73\xad\x0c\x89\xad\xec\xd3\x6a\x08\xc3\x7c\xe1\x5b\x87\x6f\xd2\x12\x1a\x7b\x0d\x11\xbd\xe8\x67\x59\xee\xb6\x62\x87\xb4\x4c\x61\xce\xd7\xf7\x4a\x14\x30\x44\xae\x80\x58\x69\xd3\x1a\x1b\x1c\x44\xb8\x15\x0d\x8d\x63\x0d\xeb\xff\x9e\x95\xc3\x11\x87\xb7\x74\x44\x1f\xa8\x13\x7c\x08\xca\x31\x6a\xb7\x78\x15\x99\x17\xdf\xbe\xec\x94\x52\x9d\x3a\x12\xc1\x6b\x9f\x39\xc4\xd7\x79\x44\xe6\xf1\x6c\xf9\xb8\x19\xf9\xd8\xa4\x2e\xe7\x32\x91\xed\x84\xe2\xd5\x84\xb3\x05\xae\xb7\x99\xc2\xcd\x76\xf3\xaf\xd7\xe8\x26\xbe\xf0\xb7\x71\x59\xbb\x4d\xad\x11\x39\xea\xa9\xcd\xe7\xbb\xfd\xca\x74\x0a\xdd\xb5\x11\xeb\x8b\x91\xd5\x48\xe1\x8d\x7c\xd6\x91\xdc\xe8\x57\x83\x82\xec\xd0\x9e\xad\x35\x6f\x85\xa4\xac\xee\x4b\xb8\xb1\x93\x42\xc7\x48\xad\x97\x04\xb1\x1e\x1d\x9b\x02\xc0\x21\x8c\xa3\xe7\x99\xab\x80\x01\x70\x52\xfd\xd6\x6e\x91\x01\xa0\x0b\x76\x57\xeb\xdc\x89\xcd\x42\x53\x34\xa9\x16\xdf\x19\xdb\xda\xf6\xe4\xf6\x3b\xc0\x34\x92\x91\x3c\x86\xd0\x58\xea\x61\x68\x5d\xf7\x7a\x06\xe0\xdf\x07\xed\x3f\xc1\xf9\x2d\xf0\x67\xe8\x6d\x00\x33\x64\x0c\x10\xf4\x0c\x27\x9c\x26\x4c\x47\x7b\x28\x99\xd4\xa2\x44\xb6\x7e\xe8\x84\xe5\x19\xb4\xdb\xdc\x5d\x6f\x1c\x3a\xb6\x7c\x12\x3a\x59\x79\x74\xbf\x3a\x57\xec\xc9\x09\xbe\x91\x33\x91\x70\x17\xdb\x1d\x7c\x9e\x19\x26\x18\x52\x4a\x93\x92\x95\x7a\xfe\xbe\xef\xb2\xd8\xbc\x47\x61\x03\x40\x70\xf4\x17\x95\x82\x22\x6e\x34\xb1\x86\x5d\x26\xbe\x00\xc9\xbd\x31\x32\x0c\x31\x3c\xb5\x09\x05\x7c\x27\xf1\x27\x4c\x78\xf4\x71\xbf\x69\xb8\x5d\xbd\x47\x82\x37\x38\x3b\xe8\x6c\x86\xf4\xb0\x11\x7a\x2b\x15\x78\x20\x83\x2d\x07\xd8\x8d\x2e\x78\xa9\xab\xa0\xb0\x45\xa1\x9d\xbf\x8a\x6f\xae\xd4\x0e\x41\xca\x47\xc0\x13\xc2\x90\x3e\x69\xf2\xba\x49\xb0\x7b\x36\xe1\xf3\xbd\x69\xbd\x4a\x82\xef\x2a\x42\x8a\x83\x13\x57\xd2\x5f\x55\x68\xb6\x9e\x94\x22\xa3\xba\x95\x33\xfb\x5e\xc2\x40\xa3\x91\xaa\x7b\x61\x2a\xcd\xd3\x50\x2f\xe9\x29\x6d\x4f\xa0\x2a\xf3\x9f\x21\xf1\x59\xaf\x52\x8d\xaa\x38\x94\xc3\xd1\x0b\xc8\xf7\x0f\x20\x41\x53\xa0\x66\xe1\xe6\xe1\x17\x42\x32\xfc\x42\x0e\xc6\x47\xe2\x9b\xb4\x68\x8f\x26\xc7\xd4\x63\xcd\xeb\x95\xeb\xa4\xc0\xd1\xed\x3f\x5f\xe4\x1d\x5e\x34\xc0\xb2\x7b\x58\x74\x54\xfb\x40\x3e\x8c\x9a\x0f\xe9\x0f\x53\x17\x4d\x54\x7d\xbc\xca\xdb\x64\x81\xc4\x8c\x97\x9c\xf3\x41\x4d\x0d\x47\x16\x0a\x0b\x9f\x6d\x9a\x4f\xa8\x48\x96\x53\xca\x2e\x92\x42\x23\xa8\xa5\x2b\xa6\x3f\xbc\x1a\xf0\x34\xcb\xf4\x4c\xca\x47\x28\xf0\x9e\x1f\x57\x70\x6d\x61\x07\xee\xdc\x06\x59\xbb\x9c\x6d\x8a\x33\x83\xf1\x1c\xc8\x7e\x53\xaa\xe6\xdc\xb8\x38\x53\x37\x9a\x6c\x0d\x53\x6b\x1e\x06\x77\x3a\xff\x31\xea\x60\x03\x97\xc4\x3a\x66\xf3\x02\x83\x7d\x52\x1f\xb6\xab\xfd\xe5\xbe\xed\x88\x49\x3a\x5e\xec\xfb\x26\xab\x6f\xc3\xf8\x79\xec\x01\x21\xf3\xaa\x73\x30\xbf\xb8\x2d\x14\x52\x8d\x9c\x5e\x20\x33\xc0\x5c\xc6\xb6\x0f\x66\x69\x27\x3f\x99\x09\x9a\x5d\x72\xc2\xc5\x14\x4d\xc0\xb2\xaa\xfe\x0f\xe7\xbd\x01\xeb\xae\x29\xbc\xd8\x2f\x4c\xa4\x3c\x5a\x22\x97\x4c\x3c\x9d\x92\x3a\x62\xe3\x90\x53\x2e\x27\x74\x80\x00\x15\x30\x7b\x8a\xea\xf1\xb7\xa0\x61\xfe\x77\x13\x1a\x5e\x12\xa9\xcb\x09\x0e\xda\x58\x4a\xcd\xad\x7b\xd8\xaf\xb2\x0d\xea\xb6\x5d\x7d\x1c\xf3\xd1\x6c\xa8\x18\x7a\xde\xd0\x8a\x9d\xd9\xbf\x83\x0c\xeb\x11\x13\x97\x72\x11\x03\x5b\x1a\x90\x51\xae\x1c\xa5\xf1\xf3\x26\xe4\xa6\xe2\x57\xb6\x2d\x77\x92\xef\xfd\x00\x5f\x18\x3d\xf7\x82\xba\xd3\x19\xbd\xa6\x7a\x92\x38\x6c\x66\x22\xd0\x02\xee\x87\xcf\xcb\x1a\x4f\x9b\x4b\xb4\x21\x7e\x86\x75\x29\x9f\x2d\x8c\x8f\x8a\x63\x24\xd3\x60\x2f\x76\x83\x90\xa1\x24\x78\xe7\xaf\xd2\xd5\x2c\xd2\x35\x67\xb1\x98\x4d\x48\xd8\x55\xcf\x07\x21\x40\x12\x6a\xb0\xa8\x94\x27\x59\xcf\x38\x98\xf1\x18\x28\x4d\x2a\x93\x37\x21\xd7\x1d\xb4\x20\xe8\x30\xc8\x8e\x23\xb1\xf0\x7b\x44\x25\xb9\x7d\x0b\x83\x74\xbd\xe0\xcb\x8c\x3b\xe3\x52\x47\x1c\x15\xc0\xdb\x69\x27\x62\x61\x76\x3f\x46\xba\x3d\x04\x3e\xf6\x37\xdc\xb3\xf9\xb0\xf2\xd4\x34\x00\x29\x22\x2b\xe8\x10\xbf\xcc\x54\xe4\x47\xb9\xed\x75\x0f\x2f\x27\x59\x71\xa6\x3a\xd6\x12\x7b\xc7\x42\x3c\x3f\xe8\xfe\x22\xf2\x81\xa7\x27\xb9\x49\x6b\x70\x3f\x0f\x68\x87\x8c\xa8\xe1\x17\x48\x5e\xb7\xc8\xa7\xb3\x82\x66\xbd\x5a\x07\xb5\xa2\xf8\xa9\xc0\xd0\x2c\xcf\x8c\x8f\x76\x2b\xd1\xad\x4b\x21\x5b\x29\x59\x69\xdf\xcb\x9f\x19\xc1\x3d\x88\xf7\x2b\x54\xe5\x94\x00\xa7\x20\x1a\xc7\x9f\xe2\xfc\xaf\x32\x9c\x8e\x35\xa3\xea\xf2\x41\x76\x21\xa0\x0e\xb5\xcd\x2d\xa5\x0c\x61\x1d\x5b\x33\xe3\x59\x97\x07\x1b\xc1\xfa\x35\xd6\xcc\x81\x24\x7c\x17\xbc\xe3\x9d\x22\x51\x72\xed\x4a\x10\x64\x0c\xad\x81\x78\x86\x5b\x30\x7b\x86\x63\x23\xa2\x55\x69\xb6\xad\x32\x92\xcd\x47\xf7\x30\x44\xce\x58\xc4\x54\x96\x1c\xb5\x52\x37\x88\xa1\x4c\xc4\x62\x28\x51\x73\x12\xb7\x47\x93\xf0\x33\x60\x92\xe7\xe3\x0a\x0d\xa1\x43\x18\x94\x5c\xa2\x31\x29\x22\xbd\xc8\xf6\xe9\xa4\x15\x99\x13\xfd\x72\xdc\xb4\xe4\xc7\x87\x79\x6e\xe4\x65\xca\x2b\xf4\xcf\x36\x28\x72\x5a\x39\x11\x97\xef\xe8\x10\x4e\xa7\x1c\x63\x0b\x72\xcc\xf8\xfe\x42\x7b\xe8\x0a\x0c\xa6\xb1\x4f\x53\xff\x96\x97\xb6\x27\x9f\x0b\x2c\xd2\x3e\x35\x6f\x95\x1d\x7c\x08\xb7\xf1\x46\xeb\xaa\x3c\xba\xa6\xa9\x0d\x1d\x9a\xf1\x87\xe2\x1c\x82\x93\x77\x78\x1d\x75\xd5\x44\x66\x28\x45\xd4\x03\x22\x65\x16\xf4\x05\x24\x79\xd8\xff\x17\x6e\x24\xce\x55\x10\xd6\xe3\x3f\x04\x43\x84\x62\x38\x6b\xab\xfc\x53\xbe\x7c\xfb\x60\x15\x29\x69\x79\xfe\x41\x22\x19\x2c\xd4\x4b\x04\x6e\xa7\xe7\x12\x38\xc0\xd3\x06\x0a\x38\x22\x5b\x9a\xfa\xba\xf1\x69\x33\x54\xb3\x52\x1e\x2a\xaf\x5d\xe3\xe8\x5e\x5c\x58\x67\x65\xef\x8e\x2f\x9c\x98\xb8\xed\x4a\x53\x5f\x67\x08\xf0\xf1\x71\x89\x5b\x57\xda\x98\x1c\x4b\x3d\x85\x1f\xc7\x83\x22\x85\x7b\x8f\xcf\xfd\xfc\x34\xfa\x3e\xf6\x58\xea\xbd\x56\x7b\x2f\xf3\x5f\x0a\xe2\x88\x70\x1a\x81\x1f\x72\x5c\x87\x19\xda\xab\x47\x25\xc7\xba\xe2\xa7\x17\x48\x61\x81\x2e\xc8\xe9\xa9\x99\xa4\xa7\xdf\xf3\x79\x00\x8f\xb7\xa9\x3b\xb9\xd5\xda\x43\xea\x9e\x10\x81\x9f\x91\x41\x19\xf4\x74\xdf\x29\xac\xdc\x90\xe1\xb4\x90\x1f\xa8\xd2\x80\x63\x94\xad\xb6\xd3\x4f\x56\x44\x89\x34\x00\x15\xdf\x15\x4d\xbd\x9e\x9b\xfa\x66\x9e\x27\x7a\x4c\x35\x22\x07\x4c\xda\x8f\x03\x6e\x1c\x76\x2a\x2a\xba\xdf\x38\x78\xe7\xb7\x05\x98\xe4\xdf\x8f\x7d\x6e\x13\x4e\x13\x50\x9f\x1f\x3e\xb2\xa4\x61\x87\x2a\xde\xdc\xc3\x64\x07\xd0\x3d\x45\x3e\x71\x0f\x3b\x03\x05\xb3\x5c\x06\x9b\xcf\x65\x50\x88\x8b\xe2\xc3\xdf\x87\x96\x22\xf7\xc0\x91\x60\x5c\x2b\x47\x33\x84\xe4\xaa\xbf\x37\x38\x45\xb6\x43\x89\x3e\xa0\x3c\xa9\xa2\x33\x2f\x72\x76\xab\x52\xea\x5e\x69\xa3\x20\x6d\x0b\x29\xec\xa1\x9f\xe9\xb5\x61\xd5\x87\x48\xf0\xfb\x5f\x7c\xde\x5d\x32\xad\x76\x81\x33\xa5\x73\x3d\xb2\x74\x11\xac\x56\x84\x9c\x31\xc9\xcc\x98\x77\xcd\x77\x1a\xd8\x7d\xb0\x01\x4b\x01\x1c\x07\x1a\x8a\x57\xaf\xcc\x91\x11\xfa\xd2\x41", 4096); res = syscall(__NR_shmctl, /*shmid=*/0xfffffffa, /*cmd=*/0x19, /*buf=*/0x200000004380ul); if (res != -1) r[20] = *(uint32_t*)0x200000004388; break; case 25: memcpy((void*)0x200000004400, "./file0\000", 8); res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x200000004400ul, /*statbuf=*/0x200000004440ul, /*flag=AT_SYMLINK_FOLLOW*/0x400ul); if (res != -1) r[21] = *(uint32_t*)0x200000004458; break; case 26: *(uint32_t*)0x2000000046c0 = 0x89d; *(uint32_t*)0x2000000046c4 = 0; *(uint32_t*)0x2000000046c8 = 0xee01; *(uint32_t*)0x2000000046cc = 3; *(uint32_t*)0x2000000046d0 = 0; *(uint32_t*)0x2000000046d4 = 1; *(uint16_t*)0x2000000046d8 = 0x7fff; *(uint32_t*)0x2000000046dc = 8; *(uint64_t*)0x2000000046e0 = 0xe40; *(uint64_t*)0x2000000046e8 = 0x7fffffffffffffff; *(uint64_t*)0x2000000046f0 = 5; *(uint32_t*)0x2000000046f8 = r[7]; *(uint32_t*)0x2000000046fc = r[11]; *(uint16_t*)0x200000004700 = 6; *(uint16_t*)0x200000004702 = 0; *(uint64_t*)0x200000004708 = 0x2000000044c0; memcpy((void*)0x2000000044c0, "\xab\x56\x1a\xab\x77\xc5\x83\xce\x98\x5b\x97\x83\xd9\x6b\x5e\x4e\x38\x24\xcb\x30\x26\xda\x2e\xfe\xe0\x10\x1d\x24\xcc\x3c\x6b\x58\xc7\x96\x6f\x22\x6c\x27\x69\x9f\x3d\xc1\x5a\x33\x04\x86\x26\x22\xef\xda\x37\xf5\x7e\x57\x97\xf7\x36\xc4\x82\xb3\x34\xc0\xdb\x10\x39\x38\x2a\x78\x92\x8d\x47\x08\x28\x2c\x72\xdc\x71\x40\x25\xc2\xcc\xa6\xfe\xf3\x0b\x64\xfb\x05\x0e\xe5\x84\x5b\x12\x53\x79\x9b\x15\x94\x0b\x96\x71\x16\x83\x9e\x00\x75\x33\x0d\xa8\xaf\x7e\xe9\xa5\xb5\x2c\x57\x68\xfb\xf0\x2f\x31\x54\x71\xe6\xd7\xac\x77\x80\xee\xdc\xf5\x6d\xab\x90\x44\x17\x64\xc1\x05\x3f\x95\xa9\xe9\x4f\xee\xc9\xea\x2b\x68\x20\xf3\xbe\x40\xe3\x4d\xcf\xbf\xe7\x1b\x03\x37\x8a\x75\x1c\x0e\x0f\xd0\x4f\xcd\xa9\x24\x05\x00\x48\xf5\x17\x08\x50\x35\x00\x60\x92\x35\xcc\x75\xd2\x99\xee\xd6\x6d\x2a\xc9\x58\x3e\x91\xdd\x31\xb9\xcf\xe3\xaf\x5c\x24\x89\xc2\x04\x01\x4b\x7a\x74\x54\x9d\x85\xc8\xe8\xdb\xac\xeb\x63\x88\xf2\x45\xc2\x62\x98\x6d\x6b\x26\xea\xdd\x8f\xcb\x38\x58\x7b\x69\x8b\x3c\x59\xfd\xf6\x3a\x82\xc6\x43\xdb\x5a\xa1\x79\x14\xbf\xa0", 252); *(uint64_t*)0x200000004710 = 0x2000000045c0; memcpy((void*)0x2000000045c0, "\xbe\x29\x01\x74\xf8\xce\x0f\x04\x91\x1d\x69\xba\xda\xe0\xbf\x37\xc4\xfa\x5b\x15\xfa\x3b\x18\x83\xef\x70\x70\x38\x44\x4d\xe4\xae\xf3\xa7\x3f\x33\x83\x48\x0e\x83\x0d\xdb\x75\x62\x43\xc2\x97\x09\xee\xdf\x69\x74\xed\xf3\xbe\x9d\xf1\x36\x37\xb4\x8e\xd1\x4e\xdc\x03\xd7\x24\x3b\xdb\x53\xfd\x99\xe2\xee\xa6\x02\x56\x93\xad\x07\x01\xb8\x2c\xa3\x8d\xd6\xd0\x8c\xda\x9e\x31\x03\x1d\xcc\x02\xff\xa5\x43\x84\xc4\xaa\x7d\x87\x0f\x8b\x1a\xb9\xff\x5c\x0e\x74\x4c\xef\x60\xad\x54\x18\xd5\xa3\xb9\xec\xdf\x09\xa5\x4a\x1d\x9b\x12\xb1\x0e\xcd\x3b\xcc\x7b\xfe\x6e\xc0\x2b\x56\x8d\xaf\x99\xa5\x9c\xa9\x2b\x8a\x9e\xec\x61\x2f\x38\x29\xa0\x8c\x44\xfd\x4b\x27\x61\x1d\xa5\x90\x8b\x59\x1f\x34\x0e\x23\xf5\xba\x2a\xdb\x1e\x29\xe8\x9f\x28\xf5\xf2\x51\x43\x79\xe4\x54\x62\xdb\xc3\x0a\x72\x02\xbb\x25\xc1\x9a\xc6\x14\x89\x11\x9c\x4a\x8a\xae\xa4\x00\x0a\xac\x82\x81\xc3\xd4\x26\xd8\xa0\x82\xb7\xdc\x78\xf5\x7a\x12\xa5\xc6\x35\x62", 225); res = syscall(__NR_shmctl, /*shmid=*/0xe, /*cmd=*/3ul, /*buf=*/0x2000000046c0ul); if (res != -1) r[22] = *(uint32_t*)0x2000000046c8; break; case 27: res = syscall(__NR_fstat, /*fd=*/r[10], /*statbuf=*/0x200000004740ul); if (res != -1) r[23] = *(uint32_t*)0x20000000475c; break; case 28: *(uint32_t*)0x200000004840 = 8; *(uint32_t*)0x200000004844 = 0; *(uint32_t*)0x200000004848 = 0xee01; *(uint32_t*)0x20000000484c = 0; *(uint32_t*)0x200000004850 = 4; *(uint32_t*)0x200000004854 = 2; *(uint16_t*)0x200000004858 = 5; *(uint64_t*)0x200000004860 = 0x2000000047c0; *(uint8_t*)0x2000000047c0 = 4; *(uint64_t*)0x200000004868 = 0x200000004800; *(uint8_t*)0x200000004800 = 5; *(uint64_t*)0x200000004870 = 4; *(uint64_t*)0x200000004878 = 6; *(uint64_t*)0x200000004880 = 0; *(uint64_t*)0x200000004888 = 8; *(uint64_t*)0x200000004890 = 0xac0; *(uint16_t*)0x200000004898 = 3; *(uint16_t*)0x20000000489a = 0x401; *(uint16_t*)0x20000000489c = 2; *(uint32_t*)0x2000000048a0 = 0x400; *(uint32_t*)0x2000000048a4 = 7; res = syscall(__NR_msgctl, /*msqid=*/8, /*cmd=*/3ul, /*buf=*/0x200000004840ul); if (res != -1) { r[24] = *(uint32_t*)0x200000004844; r[25] = *(uint32_t*)0x200000004848; } break; case 29: res = syscall(__NR_getegid); if (res != -1) r[26] = res; break; case 30: *(uint32_t*)0x200000004980 = 7; *(uint32_t*)0x200000004984 = 0xee00; *(uint32_t*)0x200000004988 = -1; *(uint32_t*)0x20000000498c = 1; *(uint32_t*)0x200000004990 = 0x972; *(uint32_t*)0x200000004994 = 2; *(uint16_t*)0x200000004998 = 6; *(uint32_t*)0x20000000499c = 7; *(uint64_t*)0x2000000049a0 = 6; *(uint64_t*)0x2000000049a8 = 0xb9; *(uint64_t*)0x2000000049b0 = 8; *(uint32_t*)0x2000000049b8 = r[7]; *(uint32_t*)0x2000000049bc = 5; *(uint16_t*)0x2000000049c0 = 0x83; *(uint16_t*)0x2000000049c2 = 0; *(uint64_t*)0x2000000049c8 = 0x2000000048c0; memcpy((void*)0x2000000048c0, "\x41\x66\xdd\x81\x28\x46\x69\xcc\x65\x29\xe5\xa0\xef\x08\x1d\x37\x0a\x00\x72\x2e\x0c\x77\x00\xe4\x84\x17\x7e\x27\x29\xe5\x5d\x1f\xe0\xf7\x56\x46\x90\x88\x13\x82\xa8\x50\xb3\xb8\xd6\x19\x5e\xa5\xd0\x32\xed\xc9\x98\x53\x5f\xc7\x87\x92\x8a\xb4\xa3\xb1\x89\x15\x40\xd2\x46\xd4\x0d\xaa\x7a\x5f\xd7\xdb\x2b\xd6\xc9\x9b\x3f\x2a\x7e\x51\x4d\x00\x69\xf2\xbf\xb4\x85\xd9\xe0\x8e\x67\xc4\x68\x24\xc2\xe7\x04\xff\xa0\x43\x1e\x1c\x20\x43\x29\x72\xad\xef\x08\x49\x21\xd4", 114); *(uint64_t*)0x2000000049d0 = 0x200000004940; memcpy((void*)0x200000004940, "\x3c\x67\x3d\x0f\x3b\xdb\xe2\x04\x83\xbd\x0e\xf8\xf8\xa2\xc8\x65\xbb\x81\x7c\x75\xa3\x55\x5f\x98\xda\xdf\x18\xfb\x4d\x80\x5b\xd3\x39\xd5\x71\x7d\xef\xd4\x70\xce", 40); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0xeul, /*buf=*/0x200000004980ul); if (res != -1) r[27] = *(uint32_t*)0x200000004984; break; case 31: *(uint32_t*)0x200000004a80 = 0x80000001; *(uint32_t*)0x200000004a84 = 0; *(uint32_t*)0x200000004a88 = 0; *(uint32_t*)0x200000004a8c = 0x8b; *(uint32_t*)0x200000004a90 = 0x4000000; *(uint32_t*)0x200000004a94 = 0xe206; *(uint16_t*)0x200000004a98 = 0x366d; *(uint64_t*)0x200000004aa0 = 0x200000004a00; *(uint8_t*)0x200000004a00 = 5; *(uint64_t*)0x200000004aa8 = 0x200000004a40; *(uint8_t*)0x200000004a40 = 7; *(uint64_t*)0x200000004ab0 = 0xb5; *(uint64_t*)0x200000004ab8 = 0x5a; *(uint64_t*)0x200000004ac0 = 4; *(uint64_t*)0x200000004ac8 = 0x7fffffff; *(uint64_t*)0x200000004ad0 = 2; *(uint16_t*)0x200000004ad8 = 0x4d49; *(uint16_t*)0x200000004ada = 0; *(uint16_t*)0x200000004adc = 2; *(uint32_t*)0x200000004ae0 = r[9]; *(uint32_t*)0x200000004ae4 = r[11]; res = syscall(__NR_msgctl, /*msqid=*/0xff, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[28] = *(uint32_t*)0x200000004a88; break; case 32: *(uint32_t*)0x200000004b40 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000004b00ul, /*optlen=*/0x200000004b40ul); if (res != -1) r[29] = *(uint32_t*)0x200000004b04; break; case 33: *(uint32_t*)0x200000004c00 = 9; *(uint32_t*)0x200000004c04 = 0; *(uint32_t*)0x200000004c08 = -1; *(uint32_t*)0x200000004c0c = 0; *(uint32_t*)0x200000004c10 = 1; *(uint32_t*)0x200000004c14 = 5; *(uint16_t*)0x200000004c18 = 3; *(uint64_t*)0x200000004c20 = 0x200000004b80; *(uint8_t*)0x200000004b80 = 9; *(uint64_t*)0x200000004c28 = 0x200000004bc0; *(uint8_t*)0x200000004bc0 = 0x10; *(uint64_t*)0x200000004c30 = 0x93e; *(uint64_t*)0x200000004c38 = 0xb4; *(uint64_t*)0x200000004c40 = 0x7fffffffffffffff; *(uint64_t*)0x200000004c48 = 2; *(uint64_t*)0x200000004c50 = 8; *(uint16_t*)0x200000004c58 = 8; *(uint16_t*)0x200000004c5a = 0x77; *(uint16_t*)0x200000004c5c = 0x10; *(uint32_t*)0x200000004c60 = 0xa711; *(uint32_t*)0x200000004c64 = 0xd; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xbul, /*buf=*/0x200000004c00ul); if (res != -1) r[30] = *(uint32_t*)0x200000004c08; break; case 34: res = syscall(__NR_getresuid, /*ruid=*/0x200000004c80ul, /*euid=*/0x200000004cc0ul, /*suid=*/0x200000004d00ul); if (res != -1) r[31] = *(uint32_t*)0x200000004cc0; break; case 35: memcpy((void*)0x200000004d40, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/(intptr_t)-1, /*file=*/0x200000004d40ul, /*flags=AT_NO_AUTOMOUNT*/0x800ul, /*mask=STATX_NLINK*/4ul, /*statxbuf=*/0x200000004d80ul); if (res != -1) r[32] = *(uint32_t*)0x200000004d98; break; case 36: *(uint32_t*)0x200000004f00 = 8; *(uint32_t*)0x200000004f04 = 0; *(uint32_t*)0x200000004f08 = 0xee01; *(uint32_t*)0x200000004f0c = 6; *(uint32_t*)0x200000004f10 = 0x1000; *(uint32_t*)0x200000004f14 = 0x3ff; *(uint16_t*)0x200000004f18 = 2; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 7; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 0x95; *(uint64_t*)0x200000004f30 = 3; *(uint64_t*)0x200000004f38 = 3; *(uint64_t*)0x200000004f40 = 6; *(uint64_t*)0x200000004f48 = 0x8001; *(uint64_t*)0x200000004f50 = 0x7f; *(uint16_t*)0x200000004f58 = 5; *(uint16_t*)0x200000004f5a = 3; *(uint16_t*)0x200000004f5c = 0xc; *(uint32_t*)0x200000004f60 = r[7]; *(uint32_t*)0x200000004f64 = 9; res = syscall(__NR_msgctl, /*msqid=*/9, /*cmd=*/0xdul, /*buf=*/0x200000004f00ul); if (res != -1) r[33] = *(uint32_t*)0x200000004f04; break; case 37: *(uint32_t*)0x200000005040 = 1; *(uint32_t*)0x200000005044 = 0; *(uint32_t*)0x200000005048 = 0xee00; *(uint32_t*)0x20000000504c = 2; *(uint32_t*)0x200000005050 = 8; *(uint32_t*)0x200000005054 = 0xfffffff8; *(uint16_t*)0x200000005058 = 2; *(uint32_t*)0x20000000505c = 2; *(uint64_t*)0x200000005060 = 6; *(uint64_t*)0x200000005068 = 0xb; *(uint64_t*)0x200000005070 = 0x100000001; *(uint32_t*)0x200000005078 = r[11]; *(uint32_t*)0x20000000507c = 0xc; *(uint16_t*)0x200000005080 = 8; *(uint16_t*)0x200000005082 = 0; *(uint64_t*)0x200000005088 = 0x200000004f80; *(uint64_t*)0x200000005090 = 0x200000004fc0; memcpy((void*)0x200000004fc0, "\x4f\x52\x5e\x34\x0c\xd5\xa8\x6e\x08\x81\x81\x48\x10\xa2\xa9\x1a\x15\xb1\xd5\xd1\x4f\x4a\x79\xd1\x4d\xde\x31\x8e\xef\xbd\xd8\xe8\xe7\x28\xd4\x13\x18\x7e\xde\x4f\xd0\x69\xfc\x17\x3d\x33\xf2\x51\x93\x66\x58\xb9\x70\x95\x9c\xdd\x1a\x15\xbc\xc3\xc2\x6a\xd7\x6b\x38\xa5\xbe\x0c\x00\x53\x2a\xc5\x25\x4d\x63\x2a\x2d\x80\x03\x57\xde\x96\xe6\xf2\xf7\x84\x16\x88\x31\x49\x22\xa5\xeb\x15\x30\xe0\xb7\x35\x2c\xa6\x06\x39\xdb\x76\x97\x14\x2d\xe2\xaa\x07\xc7\xc6\xa7", 113); res = syscall(__NR_shmctl, /*shmid=*/7, /*cmd=*/3ul, /*buf=*/0x200000005040ul); if (res != -1) r[34] = *(uint32_t*)0x200000005048; break; case 38: *(uint32_t*)0x2000000051c0 = 0x20000000; *(uint32_t*)0x2000000051c4 = -1; *(uint32_t*)0x2000000051c8 = 0; *(uint32_t*)0x2000000051cc = 0x60000000; *(uint32_t*)0x2000000051d0 = 5; *(uint32_t*)0x2000000051d4 = 0xb; *(uint16_t*)0x2000000051d8 = 4; *(uint32_t*)0x2000000051dc = 7; *(uint64_t*)0x2000000051e0 = 0x68b; *(uint64_t*)0x2000000051e8 = 0x19; *(uint64_t*)0x2000000051f0 = 0xfffffffffffffff8; *(uint32_t*)0x2000000051f8 = 0; *(uint32_t*)0x2000000051fc = r[9]; *(uint16_t*)0x200000005200 = 0xc90; *(uint16_t*)0x200000005202 = 0; *(uint64_t*)0x200000005208 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\x39\x0c\xeb\x0f\x41\x0c\x00\x25\x27\xeb\x3b\x46\xb1\x0c\x24\x49\x71\x04\x20\x0a\x43\xcd\xd5\x23\xe8\xa7\x27\x86\xcf\x59\x38\x0b\xde\x52\x4c\xb5\x95\x56\xd5\xb2\x56\xca\xe0\x7e\x34\x3b\x52\xbe\xb1\x8b\x62\xea\xb0\x7c\x44\x5e\xef\xcb\x35\xda\xbf\x18\x6e\xf8\x40\x41\x7c\x40\x8f\x79\xb7\x4a\xa6\xed\x33\x3f\x94\x62\xac\xfc\x1d\xb1\x46\xb6\x67\xa8\x96\x29\x92\xf2\x0a\xf8\x6d\x7c\x20\x38\x50\x25\xa7\x4f\x90\x71\xc7\x98\x44\x53\x6c\xb7\xac\x8f\x88\x65\xfe\xd4\xa5\x7d\x02\x2b\xea\xf6\x18\xbd\xcc\x65\x09\xc5\xbe\x81\x03\x7e\x58\x4a\xbb\x6e\xa9\xb8\xcf\x0d\x2e\x17\x5f\xcb\xfe\x9b\xda\x36\x68\xd7\x52\x68\xcb\x86\x05\xfe\xc3\xba\x1b\xb1\xe6\xc2\x76\xa1\x49\x29\xc3\x46\x0e\x16\x93\x45\x8f\x22\x61\x23\x52\xdb\x6a\x3e\xfa\x4d\x7c\x74\x83\xd2", 184); *(uint64_t*)0x200000005210 = 0x200000005180; memcpy((void*)0x200000005180, "\x35\x8f\x28\x87\x0b\xec\xbb", 7); res = syscall(__NR_shmctl, /*shmid=*/9, /*cmd=*/0ul, /*buf=*/0x2000000051c0ul); if (res != -1) r[35] = *(uint32_t*)0x2000000051c4; break; case 39: memcpy((void*)0x200000005240, "./file1\000", 8); *(uint64_t*)0x200000005280 = 4; *(uint64_t*)0x200000005288 = 4; *(uint64_t*)0x200000005290 = 0x100000001; *(uint32_t*)0x200000005298 = 0xc49; *(uint32_t*)0x20000000529c = 0; *(uint32_t*)0x2000000052a0 = 0xee01; *(uint32_t*)0x2000000052a4 = 0; *(uint64_t*)0x2000000052a8 = 0x101; *(uint64_t*)0x2000000052b0 = 0x8000000000000001; *(uint64_t*)0x2000000052b8 = 0xfffffffffffffff8; *(uint64_t*)0x2000000052c0 = 7; *(uint64_t*)0x2000000052c8 = 0; *(uint64_t*)0x2000000052d0 = 8; *(uint64_t*)0x2000000052d8 = 0x8001; *(uint64_t*)0x2000000052e0 = 5; *(uint64_t*)0x2000000052e8 = 8; *(uint64_t*)0x2000000052f0 = 9; memset((void*)0x2000000052f8, 0, 24); res = syscall(__NR_newfstatat, /*dfd=*/(intptr_t)-1, /*filename=*/0x200000005240ul, /*statbuf=*/0x200000005280ul, /*flag=*/6); if (res != -1) r[36] = *(uint32_t*)0x2000000052a0; break; case 40: *(uint32_t*)0x200000005380 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005340ul, /*optlen=*/0x200000005380ul); if (res != -1) r[37] = *(uint32_t*)0x200000005344; break; case 41: *(uint32_t*)0x200000005440 = 9; *(uint32_t*)0x200000005444 = -1; *(uint32_t*)0x200000005448 = 0; *(uint32_t*)0x20000000544c = 1; *(uint32_t*)0x200000005450 = 0; *(uint32_t*)0x200000005454 = 0xabc2; *(uint16_t*)0x200000005458 = 0x100; *(uint64_t*)0x200000005460 = 0x2000000053c0; *(uint8_t*)0x2000000053c0 = 0xe; *(uint64_t*)0x200000005468 = 0x200000005400; *(uint8_t*)0x200000005400 = 7; *(uint64_t*)0x200000005470 = 8; *(uint64_t*)0x200000005478 = 0xa2; *(uint64_t*)0x200000005480 = 0xf3; *(uint64_t*)0x200000005488 = 4; *(uint64_t*)0x200000005490 = 6; *(uint16_t*)0x200000005498 = 5; *(uint16_t*)0x20000000549a = 0xd7c4; *(uint16_t*)0x20000000549c = 0x80; *(uint32_t*)0x2000000054a0 = r[9]; *(uint32_t*)0x2000000054a4 = r[7]; res = syscall(__NR_msgctl, /*msqid=*/0x10000, /*cmd=*/1, /*buf=*/0x200000005440ul); if (res != -1) r[38] = *(uint32_t*)0x200000005448; break; case 42: memcpy((void*)0x200000005b40, "./file0\000", 8); res = syscall(__NR_lstat, /*file=*/0x200000005b40ul, /*statbuf=*/0x200000005b80ul); if (res != -1) r[39] = *(uint32_t*)0x200000005b98; break; case 43: memcpy((void*)0x200000005c00, "./file0\000", 8); res = syscall(__NR_statx, /*fd=*/0xffffff9c, /*file=*/0x200000005c00ul, /*flags=AT_SYMLINK_NOFOLLOW*/0x100ul, /*mask=STATX_INO*/0x100ul, /*statxbuf=*/0x200000005c40ul); if (res != -1) r[40] = *(uint32_t*)0x200000005c58; break; case 44: *(uint32_t*)0x200000005e80 = 0xc; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/1, /*optname=*/0x11, /*optval=*/0x200000005e40ul, /*optlen=*/0x200000005e80ul); if (res != -1) r[41] = *(uint32_t*)0x200000005e48; break; case 45: memcpy((void*)0x200000000780, "\x68\xf4\xb9\xc0\x22\x24\x5b\x56\x0b\x41\x94\x27\xc3\xc5\x6d\xc4\xee\x17\xcd\x42\x2a\xc4\x81\xd8\xd2\xdc\x27\xc0\xc2\x4a\xdf\x78\x20\x96\x47\x7e\x5b\x7a\x14\x77\x33\xcc\xa0\xee\xd7\xce\xd0\xab\xb0\x3e\xcf\xa0\xf8\x3e\x91\x42\x28\xec\x4e\x01\x9a\x38\x46\x8e\x2e\x4e\xe4\xed\xbd\xa0\x23\x53\xee\x9a\x4c\x10\x63\x39\xd7\xb1\x18\xa3\x0e\x93\xe6\xde\x45\x52\x28\x8a\xfe\x03\x2a\xf1\xf8\x97\xef\x39\xce\x14\x0c\xb1\xd4\x52\x64\x41\x33\x19\x9f\x16\x65\x3b\x92\x15\xc3\x7f\x78\xf1\x92\x75\x2d\x03\x1c\x64\x28\xd7\x35\x62\x11\x49\xde\x62\x43\xa0\xab\x6f\xc4\x65\x28\xb0\xa0\xe2\xd6\x4e\x65\xec\xd9\xe1\x34\x09\xab\xd5\xe7\x30\x39\xdd\x00\xe0\x88\x05\xe5\x1a\xdf\x3a\x85\x99\xd9\x9d\x69\xf2\x37\x75\x04\x4d\x38\x40\x23\x4f\x1d\xb0\x89\xfb\x09\x87\xd6\x45\xec\x25\xf4\xad\x3e\xee\xb9\x60\x4d\x1f\x2a\xb6\x9f\xc3\xbf\x83\x15\xbf\x2e\x7b\x91\x88\x6d\x2a\x6f\x50\x71\xb6\x6f\xe5\x04\x8b\x6b\x65\x44\x12\x90\x05\x07\x34\x0d\xd1\xad\xd2\x74\x48\xea\x31\x68\x5b\x4e\x86\x7c\x68\xc9\xb5\x51\xdf\x24\x6b\x90\xd0\xd0\xfd\x9a\xf8\xdf\xc6\x47\xfc\xe7\xc3\x77\xaa\x36\x48\x62\xff\x02\x43\xff\xd0\x47\x47\xb9\x45\xba\xa3\x7d\x75\x5c\x23\x60\x92\xb3\xac\x7a\xac\xf6\x12\xa4\x03\x26\xde\x09\x06\x32\x12\xae\xe8\x6e\x16\x3a\xaa\xff\xfd\x8a\xde\xe4\xb5\x15\x46\x5c\xc9\x19\xc1\x51\x3d\xc7\xc9\x67\x8e\xe6\x48\x3f\xc3\xfc\x68\xb8\x84\xa9\xcc\x60\x4f\x36\x23\x86\xfe\xeb\x1a\x7e\xfb\xd4\x1d\x42\x62\x7f\x06\xfb\xf6\xcf\x91\x3a\xca\xee\x58\x4d\xa6\x05\x0c\xd6\xf4\x9a\xb9\x6e\xde\x69\x21\x6b\x0a\xca\x34\x99\x94\x7b\x02\xf1\xb6\x23\x24\x5d\x4c\xc5\xdf\xb5\xbc\x7c\x28\xc4\xf7\x77\x33\xc3\x33\x0d\x49\xbb\x25\xce\x9b\x47\x97\x8b\x57\x6c\x20\xe1\xc4\xd8\xb6\xee\x1d\xdb\x2c\x80\xeb\x99\xa3\x53\x69\x68\xaa\xf2\xf0\x1b\xa3\x14\x2d\x6d\x71\x39\xf4\x7a\xd8\x71\x32\x7d\x9e\xb2\xfc\x36\x4b\xb4\x2c\xb6\x0a\x57\x2c\x71\xd1\xa1\x3f\x94\x05\x6c\x72\x7a\xd8\x0d\xbc\x0b\x38\x03\xd3\xed\x00\x7c\xdf\xbd\xc6\xf9\x86\x84\x5b\x23\x96\x71\x23\x3e\xbe\x9c\x97\x3b\xcd\x86\x53\xc3\x73\x2e\x52\x51\x64\x09\x02\x0f\x4b\xd0\x51\x64\x90\x93\x29\xcf\x8b\x09\xd5\x7b\xc4\x9f\xdf\xc9\xc9\x6e\xe7\x8b\x92\xbd\xc6\xe8\x65\xb5\x61\x95\xbf\x29\x87\xb6\xb4\xad\xff\x61\x96\xf3\x7f\xfd\x8d\xe5\x10\x80\x0b\x32\x8e\xd7\xbf\x86\xae\x6d\x4f\xb1\xd8\xe8\x3d\x1c\x8c\xc9\x3c\x12\x7d\xfb\x65\x89\xd7\xe6\x1a\xd8\x55\x9c\x87\x00\x74\x19\x88\xa0\x6c\x4b\x3a\x03\xee\x3e\x95\x69\xf7\x95\xd7\xf1\x43\x3c\xdb\x52\x0e\xb4\x51\xc3\x51\xc2\x30\x13\xc8\xb6\x00\x7d\x14\x7d\x24\xdd\x1d\x52\xfa\x5b\x0e\x40\x54\x0f\x38\xbc\xf7\x41\x9e\xb9\x8a\x47\x90\x1e\x93\x57\xa7\x8e\xdc\x70\x1a\xe8\x2f\xd0\x58\xcd\x6d\x96\x96\x9f\x2c\x6b\x4b\x82\xea\xca\xe1\x12\xd6\x7d\x06\x2d\x56\xf0\xfe\x3b\x9c\xae\x85\x67\x2c\x67\x94\x97\x70\x72\x54\x76\x35\x35\x09\x27\x69\xd3\x8d\x26\xb9\xa6\x51\x0d\x9f\x64\xfb\x09\xdc\xb7\x28\x3d\xe4\x25\x70\x54\x6b\x0c\x76\x3e\xd8\xcf\x60\xf5\x3d\xb8\x6b\x75\x63\xe5\x72\x6f\x61\x6c\x4b\xb2\xbe\xae\x0a\x9e\x18\x6e\xea\x24\xf6\x42\xd7\x0d\x34\x54\x57\x84\xe4\x63\x0d\x4e\x3a\xc0\x28\x9c\x2c\xaa\x22\x62\x8e\x29\x9b\x29\x3d\x27\x30\xca\xe7\xfb\x99\xd4\xde\xa0\x73\xe5\xa0\xba\x5f\x34\xf7\x7d\xd9\x28\x38\x95\x43\xe0\x0f\x2b\x59\x56\x49\xab\x73\x64\x54\x25\xe2\x73\xe4\xb6\xd7\x54\xcd\x17\xa6\x27\xae\xe1\xda\x76\x71\x60\xbf\xe8\x6b\x04\x16\xad\xaa\x61\xeb\xee\x1b\xf7\x40\x9f\x28\x44\x85\xd4\x3f\x8f\x48\x4d\x05\x3a\x17\x36\xda\x79\x21\x28\x59\xf4\x8b\x71\xce\xc7\x7e\xe2\x3f\x77\x1a\xdc\xed\x4f\xe5\x26\x49\x59\x75\xbd\x04\xba\x08\xc7\x99\xc0\x7f\x57\x08\x4a\xbb\xd6\xba\x42\x81\x14\x0d\xd8\xec\x06\x93\x18\x0a\x4d\xaa\xf4\x8b\x72\xed\x48\xdf\x13\x7f\x68\xdd\xed\x9a\x41\x14\x54\xfa\xf8\x8d\xad\x18\x1a\xa2\x30\x6c\x36\xc1\x3c\x15\xa5\xfc\xaa\xb5\xbb\x79\x20\x1b\x41\x7f\x40\x3c\x83\xd0\x41\x9e\x29\xf6\x2a\x66\xa0\xe0\x27\x6f\x9f\x96\xc8\x7f\x94\xb7\xc8\xa3\x2b\x94\xce\xa7\xef\x64\xfc\x4f\xf4\x1b\x21\xd6\x84\x6c\x2d\xad\x67\xbf\xa8\xa4\xb5\x7a\x6e\x50\x01\xe4\x02\x05\xd3\x86\xba\x77\xae\x13\xc9\xa1\x12\x12\x83\x15\xcd\x6a\x1a\x64\x1b\x22\x8d\xe0\x6e\xb0\xa7\x09\xf5\xe7\x4d\xa4\x75\xd2\x2f\xfc\x65\x33\xc9\xd9\xb2\xbe\x00\xd2\x2b\xcc\x8b\x47\x18\x70\x56\x09\x60\x8e\xc3\xe4\xc4\x35\x79\xcf\xae\x0b\x60\x02\xf3\x15\x4d\xa6\x14\x7b\x85\x6d\x82\xf3\xdc\x4d\x4b\xac\x4f\x50\x9b\x91\x07\x96\xaa\xce\x37\x5a\xe7\x9c\x8b\xd3\xe7\x5d\x70\x9a\xa0\xd9\x0e\x29\xef\x0e\x03\xc6\x9f\xb8\xe5\xbc\xb3\x4e\x4c\xf1\x4a\x6e\x7c\xf4\xa4\x08\xe9\x9a\xab\xdd\xca\xab\xe1\xf0\xc7\x23\x83\x67\x1b\x45\x63\xcd\x06\xea\x9c\x75\xe5\xbc\x2e\x3c\x95\x56\xac\x45\xf0\x7b\xd0\xd6\xc9\xb3\x91\xdb\xaa\x70\x17\x1e\x71\x30\x1f\xd5\x39\x5d\xe3\x83\xd1\x35\x81\x4c\x12\x14\xce\x33\x20\x8c\x1b\xd8\x40\x3e\x94\x8f\xa0\xb3\x93\x79\xa1\x40\x29\xf1\x19\x58\xfe\xc9\xeb\x46\x0e\x3f\x9c\x73\x49\xaf\x63\x06\xd2\xe0\xca\xc9\xa4\xe4\xde\x43\xe9\x31\x27\xc6\xec\x8b\x17\x82\x0a\x57\x00\x21\x8f\x5b\x08\xe0\xa8\xce\x0a\x44\x8d\x68\x8c\x94\x5d\x36\xb7\x19\xb2\xdc\x71\x1a\x8d\x48\x09\x8b\xf4\xed\xc5\xe2\x6f\xa5\x64\x7a\x64\x72\x40\xff\xf4\xd7\x66\x88\xbc\xa7\x13\xb8\xdd\x71\x72\xaf\xef\xba\x6e\x4a\x95\xf1\x1a\x11\x1e\x3c\xf0\x39\xbb\xfa\x41\x53\x6d\x9a\xd7\xb0\xfb\xbb\x4f\xf8\x2c\xf1\x9a\x72\xeb\x07\xbd\xca\xab\xa2\x29\x1f\xfa\xa0\xd0\x77\x5f\x1a\xeb\x68\x66\xc2\x3c\xfd\x9c\x8e\xa6\x8c\x13\x87\xf8\x97\x72\xea\xef\x20\x20\xbc\xaa\xc5\xfe\xfd\xf1\x04\xce\x51\x60\xaa\xdd\xd6\x5f\xe9\xc4\x89\x85\x1f\xb0\x90\xce\xbf\x02\x20\x32\x1d\xcc\x57\xfd\xf7\x1e\x9a\x1c\x1e\xa5\x3f\xf1\x7d\x13\x13\x04\x46\x9e\xad\xed\x3a\x14\x38\x33\xaf\xff\x98\xa9\x3c\x1c\x41\x34\x94\xbc\x0d\x6c\xf3\x47\x0b\x2e\xee\x53\x4d\x4f\x17\xde\x37\xac\xa7\x5d\x82\x16\x9f\x1b\x63\x34\x12\x30\xd4\x7e\x85\xbe\xb0\xe6\xf5\x0c\xe7\x25\x56\xe3\x7b\x73\x96\x12\x92\xb9\xf0\x34\x38\x51\xe9\xdc\xa9\xfb\xf4\xee\x45\xa5\x81\x4b\x04\x44\x44\x54\x41\x3a\x01\x9f\x82\x94\x98\x81\xc8\x1a\x5d\xdd\xd2\x09\x7a\x8e\x5c\x45\xd6\x8b\x80\x8a\xdc\x27\xfa\x3a\xbe\x55\x16\xb2\xa5\xc1\xcc\x71\x9e\xe0\xc9\x79\x66\x68\x31\xa1\x5a\x96\x4d\x5f\xc2\xe8\x70\x68\xcb\xc4\xe4\x70\xd6\x4f\x34\xf0\xfa\x9a\xc7\xe9\x4a\x06\x93\xdc\x21\x96\x42\x97\xb9\x6d\xe2\x93\xad\x5a\x77\xf2\xa8\xdc\xe2\x71\xa8\x9d\x10\xa1\x0b\x45\x8a\x8a\x8c\x52\x1f\x27\xa5\x0c\xd2\x06\xbf\x0e\xc9\xf2\xab\xb3\xdc\x16\x82\xd3\xad\xd7\x5b\x81\x3c\x59\x79\xef\x56\x58\x3b\x52\x12\x77\x5d\x61\x73\x22\xbd\xd7\xc3\x44\xfb\x0c\x2d\xc1\xdb\xcc\x63\x12\x31\x19\xbd\x65\x2a\xf9\x41\x35\x5f\x56\x1b\x8f\xa4\x9b\x8e\x0c\xab\xa9\x00\x02\xc4\x8b\x88\xc8\x0e\xbe\xa6\x77\x71\xfb\x47\x9f\x52\x89\xca\xf5\xea\xe1\x8f\x01\xa0\xcd\x74\x60\xf3\xde\x6c\x3f\x92\xf1\xd4\x3b\x56\xb0\xdd\xed\xb7\x05\x9e\x7f\x18\x06\x9f\x80\x4b\x20\x56\xa2\x0a\xcb\xdf\x25\xf8\xca\x36\xdc\x1a\xff\xa8\x0e\x22\x03\xa0\xf3\x63\x92\x63\xa4\x2e\x9b\x3a\xd0\x61\x4c\x6b\xb3\xcf\xa4\x37\x6b\x28\x54\xf6\x0b\xcd\x92\x97\xbb\x0c\xb4\x54\x16\x13\x6f\x21\xbc\xa9\xfe\x38\xfe\xf0\xa1\xc2\x65\xae\x42\x3b\x36\xef\xf0\xc7\xf9\xe8\x4d\x3e\xdc\xe5\xdf\x6a\x2e\x76\x89\x49\xec\x9d\xc4\xf9\x18\x6c\x48\x95\x46\xe2\x4c\x71\x3d\xb9\x19\xbd\x51\xe6\x04\x45\x92\x83\x7c\x8b\x7f\x03\x7a\x8b\x3a\x90\x84\xd9\x61\xc0\x2f\xd0\xaa\x42\x45\xba\xa5\xe9\x17\xd7\xf9\x3f\x09\x6f\xc0\x0c\xd3\xda\x05\x7e\xda\xa7\x47\x6f\x9a\x38\x83\xc1\xab\x86\x3a\x91\x77\x46\xbd\x00\xe8\x78\x55\xbb\x58\x00\x16\x74\xec\x10\x54\x2e\x70\x30\x63\x10\xd7\x33\x99\xf3\x4a\x25\x4c\xfd\x03\xb4\xfd\xa6\xde\xdc\x8d\x7f\x2a\x8c\x81\xe6\xe1\x7b\xea\xb6\x71\x0a\x2c\x2a\x39\xd3\x8d\xaf\x05\xe0\x4e\x38\xe9\xd1\x0f\x30\x81\x31\xde\x76\xa3\x59\xbd\x59\x01\x5f\xc9\xf1\x07\x69\xd3\x6c\x16\x0d\x3e\xfb\x66\x17\x4a\x97\xb6\xa5\x99\xe7\x4b\xae\xdf\x33\x6c\x3d\x9b\x0c\xed\x61\x7b\xf0\xa5\x30\x88\x2d\x91\x68\xe6\x4b\xfb\x9c\x36\xea\x35\x1a\xf4\x36\xf7\x80\x54\x4c\xd1\xf0\x06\xe5\xdb\x43\x9d\x1c\xd9\xc6\xe2\xb5\x91\xc3\x76\x98\xe3\xb9\x56\xfd\xd6\xa9\x6d\x0c\x1f\xf5\xa5\xc2\xb4\xf2\x0e\x82\x04\xfa\x23\x94\xeb\xd1\x8b\x63\x60\x72\xf7\x6d\x49\x87\x13\xd7\x25\x8f\x8f\xda\xa7\xd1\x73\xbb\x52\x61\x9e\xcf\xbd\x03\x7e\x9d\x9e\x8e\xfd\x79\xe7\x76\xea\x36\x88\x99\x04\x15\x29\x81\xd3\x98\xf3\x4b\x5e\x75\x82\xb7\x37\x3f\xeb\x13\x10\xf6\xa3\xf4\x3d\xa3\x65\x62\x11\x58\x1c\x4d\xcf\x82\xbb\x82\xcb\x51\x34\x62\x80\x8c\xea\x9f\xe2\x1d\x0c\xf8\x70\x74\x53\xe9\xc1\xde\x7a\x96\xa3\x82\x92\x12\xcb\xe8\x85\xaf\xf1\x0c\x11\x17\x1f\x5a\xbf\x14\xa8\xe6\xf2\x2f\xd0\x04\x8a\xc5\xe4\x18\x63\x80\xc1\x4c\x5c\x2d\x4f\xe1\x3b\xe2\xdd\x3e\x6f\x26\xcf\xa9\x45\x22\xd6\x25\xdc\x49\xd1\x79\xbc\xc4\x8c\xb4\x2e\xa4\x0e\x94\xf3\x3d\x9e\x76\xef\x92\x57\x46\xcb\x52\x51\x39\xea\x62\x05\xc6\xf1\x22\x1d\x93\x42\xe2\x02\xe5\x7b\x81\x8a\x7d\x12\x14\xde\x38\xee\x95\x02\x99\x3b\x73\x08\x66\x02\xa9\x75\x19\xf6\xa0\x99\x90\x1b\x8d\xbd\x57\x6a\xbd\x64\xa8\xb1\x3d\x5a\x93\x0f\x82\xc0\x6f\xb9\xc5\xbc\xfc\x2d\xff\xa9\x77\x83\xea\xa3\x38\x5e\x72\xf9\x98\x5d\x57\xd7\xcc\xf9\x3b\x7c\x60\x79\x92\xcb\xd2\x49\xed\x74\xb6\xda\x3f\xf1\xdc\xf6\xc7\x23\xcc\xb3\x72\x5e\xf1\x8b\xe3\x54\x16\x0d\x21\xb9\x31\x4a\x7d\x01\xcc\x29\x7c\x6b\x1f\xdc\x8a\x24\x14\x2e\x55\x5d\xd8\xfd\x4a\x28\xe0\x4c\x85\x83\x6e\x46\xe6\x63\x64\x90\x8e\xb8\x4f\xac\xaa\xbb\x83\x3b\x1d\xa7\x03\x19\x67\xc1\x0b\x8c\x2a\xa3\xcf\xf4\x4f\x7a\x9d\xcf\xd0\x66\x5d\x1e\x90\xd9\x3b\xe0\xdf\x77\xa2\x5a\x48\x23\xd8\xdd\x35\xc3\x5d\xc4\xcf\x1c\x73\xba\x26\xab\x20\x47\x3f\x30\x12\x23\xa6\xac\x96\x72\x22\x0b\xe0\x95\x0f\x92\xbf\x16\x79\x87\x45\x44\xf8\xc1\x0e\x23\xbc\x9e\xe1\xd4\x0a\x00\x6c\x98\x9b\xf9\x88\x50\x20\xa6\x5a\x4e\x76\x63\xa8\x11\x7b\xec\x09\xe2\xa2\x10\x9c\x52\x78\x9b\xf7\xfb\xc0\x0c\xd3\xef\xd7\xa6\x52\xb1\x5c\x4c\x4c\x05\xf6\x54\x11\x8e\x90\x64\x3e\x64\x9d\x7f\xe4\x31\x95\x7b\x6f\x1d\xc5\x92\x5b\xa9\xab\x6f\xd8\xa1\xf6\xa0\xf8\x3a\x8a\x51\x9c\x1d\xfe\x42\x36\x03\x4c\xa5\x56\x7e\xac\x95\xea\x12\x91\x2e\x60\x67\x18\x1d\x61\x29\x4b\xcf\x09\xc1\x7f\x9d\x94\x8a\x03\xb0\xaf\xcd\xfd\x3a\x5d\x47\x0d\x28\x9e\x4b\x47\x44\xe6\x88\xae\xe6\x8b\xf2\x6d\xa0\x15\x43\x8a\x9c\x33\x6b\xea\x06\xdd\xad\x48\x74\x65\x32\x89\xc3\x4c\x03\x27\x64\x18\x0f\x97\x98\xf3\x3c\xc0\xb8\x2b\x36\x87\xdf\x74\xfe\xca\xde\xba\x2e\x58\xb9\x70\xd6\xe4\x65\x4d\x7b\x09\xb0\xd8\x5c\x78\x96\x12\x76\xa9\x45\x03\x09\x85\x77\xba\x49\x32\xd1\x7e\x0a\x7d\xd1\x98\x7e\x85\xc4\xaf\xcf\x01\xf6\x8d\x74\x42\x03\x82\x46\xb6\x84\x9b\xd1\x6f\xe0\x35\x93\x6b\xe7\x5e\x56\x26\xcd\x3d\x06\x8b\x9d\xf9\x30\x85\xa1\x2b\x95\x69\xcb\x27\xd3\x01\xca\xaf\x2f\x4f\x33\x7c\xe6\xb1\x94\xf4\xa8\x5a\x17\x55\xa2\xb3\x80\x53\x67\xe5\xde\x5e\x41\x34\xdf\x4f\xc3\x94\x16\x25\xd4\x41\x71\xa9\x84\x0e\xf2\x26\x7a\xd8\x1f\x2a\xee\x6c\x34\xec\xd3\xae\x96\x28\x12\x85\xb5\x4f\xbc\x21\x72\x90\xfe\x1f\x46\x75\xfe\x64\xd1\xb8\x44\xcb\x43\xc7\x55\xba\x29\xda\xb5\x31\xe8\x37\xec\xe7\x14\x60\x09\xfe\x04\xb7\x27\x25\x7b\xfa\x7a\xd4\x18\x0e\x82\xe9\xad\x17\x0a\x9a\xb7\x81\xef\xc1\x50\x60\x0c\xe3\x70\x43\xcc\xee\x03\xcc\xfb\xe7\x65\x09\xd6\x3f\xf8\xf2\x18\x62\x73\x6a\x43\x45\x57\x8c\x87\xf8\xf4\x14\x2c\x97\xa4\x7a\xdd\x5c\x7d\x6d\x73\x59\xb2\x69\x01\x55\xa1\x1c\xdb\xe9\xbe\x34\x79\xe0\xf4\xb2\xdd\x44\xa6\x8a\x78\x48\x51\x8d\x55\x89\x7e\x49\xbf\xaf\x2e\xef\xe6\xbc\x06\xd5\x60\xe2\x5f\x52\xad\x12\x31\xd4\x66\x44\x27\xba\xd4\xab\xa0\xd6\x15\x98\x5a\xfa\x47\xeb\xaf\x24\x2d\x3b\x8c\x16\x8a\xd5\x9c\xc0\x5a\x1c\xe7\x50\xd7\x32\xa6\x72\x03\xb3\xfc\xfa\xa4\xed\x6b\x2f\xf0\x04\x15\x2e\xef\x56\x52\xbe\xea\x4c\x62\x70\x20\x3f\x15\x4c\x70\xbb\x6c\x5f\xda\xc2\x4b\xd7\xfc\xb6\x38\x9b\xd1\xb5\x17\x59\x20\x5b\xa1\xaa\x1b\xea\xb6\xec\xa9\x97\x36\xf4\xa4\x3f\x21\xa6\x39\x53\x64\x61\xd2\x43\x8a\x91\x3e\xd0\x3b\x63\xdb\x26\x21\xc6\x3a\xcb\x49\x6e\xec\xf9\x83\x8b\xfa\x7f\x18\x52\x43\x7b\x45\x8b\x10\x46\x19\x7e\x51\x1e\xa8\x14\x79\x69\x09\x04\xbc\x3a\x0b\xb4\xb9\xec\xc0\x96\x2e\x33\xc4\xcd\xd9\x21\xf8\x24\xab\xc2\xc1\x95\x88\x61\x3e\xfd\xee\x01\xdb\x70\x1a\xe5\x44\x0c\xdd\x98\x7d\x86\x83\x14\xdf\x9a\xc7\xba\xe5\x92\x74\x02\x1a\x5d\x06\x43\xf8\xd1\xd3\xa9\x7b\x8c\x8b\xf0\x2e\xe9\xfc\x05\x6c\xc1\x64\x72\x48\x51\x43\x5f\x90\x76\x85\xc3\x49\xdb\x94\x29\xfe\xc6\xe2\xdf\x3c\x53\x4d\x94\xcc\xe4\xec\xd2\xea\x55\xd7\x2a\xa8\x82\x64\xc8\x6a\x40\xfa\x66\x93\x06\xb9\x5b\xcd\xef\xca\xf5\x4f\x11\x77\x70\xa0\x4f\x35\xe7\x21\xf2\x84\xf6\x81\xb9\xd3\x11\x4c\x4b\xed\x29\xf2\x09\x22\x06\x38\xde\xfe\x43\xfc\x43\x66\x95\xa5\x8e\xd3\xf2\x0d\xc9\x21\xe4\xa2\x1c\x79\xe5\x80\x39\x27\xde\xeb\x5a\x14\xc5\x32\xe3\xcd\x83\xba\x32\x98\x1c\x19\x2e\x20\xe9\x3e\xef\x67\x44\x02\xaf\xba\x8d\x37\x81\x19\xf6\x34\xff\x06\x5f\xb2\x94\xf9\xe3\x8c\x19\x74\xd4\xd3\x7c\xf6\x73\xb5\x87\x97\xb5\xe2\x6e\x22\xb0\x29\x16\x23\xff\x15\xd0\x02\xd5\x5a\x8d\xd0\x0f\xe4\xb1\xfd\x54\x17\x7d\x1f\xd0\x65\xda\x0b\x17\x47\x93\x16\xb5\x8a\x84\x95\xac\xa4\x2c\x44\x0b\x63\xc8\xf4\xb1\xa9\x53\x8d\xf1\x0c\x8c\x95\x46\xfd\x8c\x41\x95\xe1\xea\xed\x31\x54\x3b\x80\x61\xc8\x60\x2a\x89\x77\x12\x3f\x56\xe5\xf1\x1c\xd0\x5f\x5a\x36\xa4\x48\xcc\x25\x75\x71\xf0\xe5\xbb\xde\x25\xae\x82\xf5\x83\xcb\x31\x3a\xe7\xbf\x5d\xec\xe5\x6b\x61\x73\x21\xcf\xa6\x0a\xa9\x27\x8a\x28\xee\x9f\x78\xec\x7d\xdf\xc5\xd0\xf6\x65\xab\x1a\x1d\x55\x31\xf2\x40\x6f\xfa\x9b\x5a\xd6\xf9\xae\x4c\x98\xf8\x54\x47\xfb\xdb\x9e\xfc\x2a\xb3\x98\x80\x1e\x90\x5c\x22\x9e\x16\xad\x9f\x87\xbf\x61\x95\x6a\x78\x29\x73\x3f\xff\x1d\xbb\x2c\x35\x55\x48\xc4\xe3\x03\xd1\xfb\x25\x87\xab\xea\xed\x69\x11\xb3\xd5\x57\x8d\x9d\x43\x55\x19\x3a\xf1\xf6\xee\xf1\x87\x0f\x0f\x1d\xf7\x36\x15\xa5\xd9\xff\xe9\xd4\x2b\x7f\x94\xc2\x15\xf9\xce\xb4\x1d\x60\x5e\x95\xa5\x4b\x5f\xb3\xc6\x2f\x34\x39\x6f\x9f\x95\x1c\x56\x50\x92\x0f\x15\x9c\x1c\x33\x0e\xcf\x7b\xf7\x0b\x1b\x8d\x0a\x97\x3f\xf4\xaf\x34\x4e\x99\x50\xff\xb9\xed\xfc\xd3\x26\x81\x8e\x28\x47\x1c\xcc\xbf\x70\xb7\x1a\xc2\x86\x3e\xaf\x7e\xf9\x5d\xbc\xb2\xf9\x88\xc8\x5c\x26\x6f\x86\x99\x14\x71\x99\x06\x21\x3c\x0d\xb1\x8a\x4a\x47\x12\xb0\x2f\x72\x01\xdc\x95\x30\x5a\x3a\x53\x1f\x46\x6f\x94\x9f\xef\x61\x2c\xcc\xaa\x93\x6d\x47\xae\xf4\xbb\xad\x39\x08\x50\xf2\xb8\xfd\x99\x15\x42\xe3\x98\x6d\xe1\x00\x00\xdb\xd2\xbc\x09\xf1\x6c\x99\xed\x0b\x46\x1c\xab\x44\x4a\x1d\xb0\x69\x38\x14\x34\x54\x07\x95\x15\x0d\xe1\x24\x27\xb1\xb5\xd0\x60\x1a\x52\x32\x04\x28\x3f\xdd\x6b\x69\xe4\x03\xfd\xc3\xf9\x44\x21\x14\x0d\xbf\x94\x86\x5f\x35\xaf\x7a\x7b\xae\x55\x47\x97\x8f\xdd\x80\x5c\xc5\x2d\x68\xf4\xff\x49\xbe\xec\x49\x20\xe2\x5d\x8e\x4a\x23\x7a\x86\xc7\x85\xcc\xcc\x3f\x2e\xe7\xff\xac\x88\x1e\x99\xe5\x76\x12\xc8\xc9\x4b\xde\x40\x09\x15\xf3\xf7\x5b\x54\x65\x79\xf4\x01\xe2\xbe\x54\x93\x09\x04\xb9\x8c\x82\x42\x39\x4d\x81\xfe\x94\xd2\x67\xd3\xca\x3e\xa3\xa0\xe1\xc9\x10\x7e\xcc\x29\x8e\xfa\xe6\xa1\x9e\x73\x37\x88\x3e\x27\xaf\x27\x1e\x06\x29\x9a\xcc\x75\x59\xf0\xea\x46\x1b\x87\x5e\x27\x13\x8c\xd3\x5e\x04\x63\x19\xfe\x9f\x83\x8c\x51\x13\x05\xfc\x80\x3c\xc2\x43\x09\xdb\xf3\x35\xb2\x25\xc5\x8b\x6c\xae\xb2\x72\x4e\x44\xa9\x27\x8c\xa8\x23\x51\x9a\x72\x43\x3c\xeb\x21\x66\xb4\xb7\x3a\x35\xb9\x7d\xe2\xf5\x54\x38\xb9\x58\x26\xe0\xab\x34\x85\x01\x18\x73\x75\xb0\x96\x23\x67\xdb\x53\x49\x53\x46\x76\xf3\x52\x83\x5a\x10\x59\xc3\x07\x42\x1b\x2b\xeb\x2e\x63\xc0\xa0\x06\xd5\x27\x1f\x49\x3e\x59\x06\x98\x82\xb1\x03\xd5\x36\x60\x8d\x18\xd6\x1e\x97\x42\x22\xc4\x3b\x7c\xa9\x25\x29\xc8\xb0\xcc\x2a\xe9\xdf\x8c\x2b\xc2\xb2\x0d\x68\x33\x14\x7e\xc4\x11\xc4\xa5\xbf\xf5\x34\xcc\x72\xb2\x67\x71\x45\x92\xa4\xe4\x32\x52\x68\x49\x40\xf5\x4e\xbf\x5f\x39\xf2\x8d\xee\xab\x2c\x89\xab\xad\xdf\xb6\xfc\xd2\xb1\xc0\x25\xbf\x30\xdc\x2e\xdb\xc0\x82\x3c\xcd\x19\xfe\x52\xf9\xc0\xb3\x8c\x9c\x1a\xcd\x6b\x0e\xfc\x3f\x68\x8b\x80\xbb\xef\x54\x73\xcd\xdf\x82\x02\x70\xd7\x21\x24\x5c\xdf\xa0\x1b\xff\x14\x85\x86\x49\x74\xb4\x28\xdd\x19\x33\xfb\xce\x96\x8d\x27\xae\xce\xa5\xdd\xa0\xca\x95\x61\x91\x9d\x5d\x85\xb0\x98\xfc\x4f\x3e\xfb\xf7\xea\xd3\x91\x28\x51\x92\x46\x28\xb8\x88\xa2\x8e\x46\x32\x0a\xfe\x8a\x30\x22\x39\x14\x7f\x48\xf2\xcc\x2a\xb2\x74\xdb\x1a\xee\x56\x5b\x15\xba\x2d\xb8\x32\xfa\x63\x03\x44\xd0\x1c\xfb\xa1\x12\x87\xb2\x5c\x22\x6f\x28\xbc\x4e\xbe\x1d\x20\x4e\x90\xa3\x9a\x81\xc6\xb2\x13\x6b\x01\x64\xed\xb6\x51\x94\xea\x55\x10\xa9\xb9\xef\xc0\xd0\xa2\x35\x26\x42\xf0\xa8\xa2\x3e\xf4\xe6\xeb\x89\x48\xf5\xab\x42\xeb\xd4\x5a\xc9\x46\xbf\xdb\x68\x9c\xba\x13\x76\x7f\x8d\x5f\x77\x8c\x42\xe2\xd0\x7d\x08\x84\x91\xe0\x6d\xb5\xcf\xbe\x29\xea\x3f\x45\xa4\x31\x57\x94\x5d\x41\x9d\xe6\x32\xdb\x52\xfa\x13\x3d\x99\x0e\xfe\x2c\x9e\x47\x3e\xc3\x6d\x68\x9d\x0b\x81\x58\x45\xaf\x57\x61\x98\x1d\x46\xd5\xb9\xf3\x86\x5f\x91\x6b\x5b\xb9\x3c\xf8\xf2\xe8\xd4\xa1\x1c\x8a\xfa\xcf\xac\x2c\x64\x7e\x6a\xe9\xa8\x69\x6c\x9e\xcb\x6b\xdb\xdb\x21\x79\xf9\x71\xeb\x75\xe1\x4d\x52\x59\x8e\xd6\xc1\x6e\xc1\x42\x7e\x21\xdf\x5c\x5a\xbb\xbd\x85\xe4\x2f\x32\xdf\x37\xc4\x85\xff\x33\xd0\x65\x45\x71\xec\x60\xaf\x86\x74\xba\x35\xc3\xef\x62\x7d\x24\xb1\xc2\xd8\x4f\xf2\x52\x54\x16\xc2\xa4\x26\x5f\xb6\xde\x81\x73\xfa\xec\xcf\xd3\x13\x83\x16\xc4\xc7\xc3\x29\x01\x79\x28\xfe\x1b\x64\xc2\x9d\xfe\xb4\x57\x0f\x7d\xe9\x3f\x94\x46\x15\x31\x6f\xd3\xae\x6c\xc1\x2b\x94\x33\x2f\xad\xf7\x5b\x15\xa1\x3d\x6f\xf2\x7f\x7c\x61\x98\x17\x37\xef\xc6\xdf\xb5\x28\x94\x25\x32\xee\xf5\xe5\xdc\xb8\x03\xc1\xed\x04\xda\x23\xbf\xee\x62\x3a\x89\x08\x8d\x87\x83\xc7\xed\xda\x3f\x56\xc5\x40\x4e\xe7\xe4\x2f\x09\x85\x47\x53\xc1\xa0\xdd\x78\x72\x3c\x9c\x4e\xf1\x2c\x7e\xad\x18\x63\xa5\x3a\xf4\x8d\x8d\x61\x45\x7f\x24\x32\xff\xae\xbb\x35\x6a\x6e\x78\xa1\x59\x1f\x04\x24\xaa\xa1\xf0\x25\xdd\xa1\x7a\x7b\x5e\xae\x39\x89\xb2\x7a\x57\x3f\x59\xbb\xfe\x2f\x99\x3f\xb1\x82\x73\xdc\x35\x6a\xa5\x9e\xc1\xb2\xf1\x51\xf8\x4b\x97\x33\xb2\x71\xf1\xe0\x4d\x17\xd4\x1e\x72\x8e\xf5\x2c\xfb\xc0\x11\x1f\x12\x32\x13\xfb\x22\x23\x7d\x81\xb0\x02\x9b\xdf\xf7\x01\x7f\x87\x03\xe1\xee\x30\x17\x58\xca\x9e\x22\x39\x9c\x42\x0b\x36\x31\xe5\xb9\x98\x73\x7c\x2a\x75\x93\x9f\xa4\x6d\x1e\x61\x7d\x7b\x19\xfb\xa4\x91\x9e\x35\xca\x92\xd8\xb5\x97\x98\xda\x36\xa0\xa5\xd4\x34\x1a\x6e\xb5\x7d\x51\x29\x51\x3a\x6e\x86\x2e\xa9\x4f\x27\xc7\x83\xc9\xe6\x8f\x93\x0d\x5d\x33\x7c\x28\x9d\xed\x11\xd5\x10\x84\x7a\x50\xc6\x1c\x47\x94\x0c\x17\xa3\x2b\x28\x7f\x70\x46\x64\xf1\xb6\x1e\x16\x48\x85\x08\x91\xf8\x0a\x4b\x61\x47\x93\x48\xb4\x34\x40\xd0\xc9\xc9\x1b\x89\x25\x7a\x4a\xf7\x25\x3e\xe5\xbe\x6b\xbd\x56\xf2\x29\x86\xc3\x8b\x53\x6b\x8d\x50\x00\x10\x2c\xff\xd1\x0d\x93\x80\x8b\x8b\x1c\x4e\xb5\x3f\x0c\x69\x7c\x21\x71\x61\xc4\xcb\x7e\x09\x1d\x43\x88\xce\x3a\x20\xeb\x53\x51\x53\x8c\x2a\xf3\xa9\x06\xe6\xac\x66\x4a\x5d\x08\x3e\x39\x5e\xaa\x5d\xe7\x91\xac\xe4\x5b\xd0\x2b\x5e\x26\xbd\x36\xbe\x79\x6e\x95\xc7\x44\x22\xb7\xd8\xf0\x0c\x7b\xdf\x4b\x64\x8a\x1e\x9c\xcf\x68\xe9\x12\xab\xbf\xff\x3c\x74\xd8\xc5\x63\x85\xd7\xa8\x9a\x84\xad\x3c\x39\x46\xa3\x8e\x82\x08\x0c\x3b\x38\xa0\x29\x80\x70\xd8\x85\x04\x75\xb9\x5b\x37\x9d\x62\xf5\x02\x91\x03\xa7\xb4\x5d\xef\x66\xd2\x5a\x08\xe2\x41\xc4\x2c\x34\x38\x82\x8e\x59\xf5\xb1\xd1\xfd\x8c\x97\x56\x49\xd0\x3f\xe3\xe5\x36\xba\xba\xed\xe3\xfc\x3c\xaf\xef\x77\xa7\x2c\xd2\x7b\x94\xc1\xd7\x74\xef\xbe\x19\x37\x47\x02\xf3\x93\x72\x98\x98\xbd\x09\xbc\x8a\x40\x77\x20\xd6\x7e\x9f\xed\xf0\x18\x52\xb8\x93\x66\x4e\x35\xc2\x6b\xb4\x86\x56\xa5\x68\x9e\x7e\x3a\x63\x2e\x9e\x5a\x3b\xbe\x87\x5e\xc6\xb5\xeb\x73\xfe\xe6\xe6\x05\x54\x75\x96\xd0\xed\xe3\x9c\x48\xb9\xd9\xf6\x3d\x7b\x38\xc1\xf6\x19\xbc\x6f\x69\x03\xc0\x2c\x47\x40\x3a\xe8\x53\x9a\xea\x78\x93\xfb\x81\x10\xe4\xb5\xa9\x07\x08\x36\x85\x3f\x3a\x61\x64\x83\x27\xf0\xc6\x95\x37\x94\xfa\xb3\x89\x37\xb2\x78\xdc\x0a\x1e\xd3\x31\xef\x4a\x03\x60\xc4\x1f\x4f\xb3\x5b\x7c\xa6\xe1\x17\xe7\x85\x83\x3a\x22\x4f\xbe\xa8\x24\x1c\x59\xc9\xd9\x6a\xd6\x50\x95\x9a\x23\xc7\x47\xd4\x78\x81\x02\x1a\x53\x0c\x9a\xee\xc1\x3b\x5b\x99\xa2\x68\xe2\xa6\x3a\x2b\x96\x84\x6c\xd3\xe8\x52\x0c\x77\x0f\xbe\xaf\x52\xf9\xa6\xe3\x6b\x7d\x5e\x0d\xb7\x46\x78\x86\x13\xf6\xea\xd8\x87\x38\xd0\x0c\x30\x20\x6f\xe0\x72\x95\xb7\x0e\xd2\x1e\x05\x28\xa7\xb9\x09\xf3\xd2\xcc\x64\x7b\x33\x5d\xc7\xb9\x82\x99\x07\xc3\x80\xe5\x83\xbb\x40\x8a\xe2\x71\x0b\x40\xd4\x4d\xf1\x2a\xb9\x8a\xc6\xf0\x88\x82\xc2\x57\xc2\x6b\x25\x60\x8b\xa5\xaf\x2e\x00\xe7\xc3\x3e\x60\x84\xec\x86\xa2\x25\x8c\xc3\xdc\x8b\xc6\x3c\x2e\xef\x54\x83\xb8\xaa\xef\x1c\xb7\xad\x63\xf4\xa2\x86\x80\x3a\xcc\xe8\x1a\xd1\x40\x97\x47\x3c\x65\xd9\xc3\x7f\x25\x78\xde\x04\xe1\x8a\x71\x95\x14\x58\xf2\xae\x3a\xb1\xd4\x5a\x54\x8f\xe1\x1d\x47\x64\x80\x6e\x71\x3b\x62\x8c\x19\x67\xda\x91\x8e\x8e\xd6\x55\x6e\x61\x9b\xee\xf0\x8a\xd8\xb9\x3d\x7d\x70\x91\x74\x57\xd9\xc8\x94\xc7\xbb\xc3\x04\xda\xca\x44\x3d\x14\x65\x6a\x02\x68\xd7\x4e\x76\x58\x37\x74\x41\xe5\xfd\xb1\x41\x48\x96\x4f\x56\xa3\x05\x8a\x8e\x1a\x95\xe1\x00\x22\x77\x0d\xa5\x57\x44\x53\x87\xf2\x42\x5e\x7b\xcd\x38\x6e\x62\x1f\x88\x71\x3f\xa5\x7f\x44\x24\x62\xfc\x8f\x7a\x58\x8f\x84\x9e\xc7\xa1\x08\xc6\xa5\xa7\x77\x28\x3f\xc2\x4c\x87\x98\x74\x76\x75\x26\xc5\xb6\xb2\xd2\x22\x12\xf4\xbb\x88\x98\x81\x1f\x73\x1e\x78\xb0\x01\xae\x05\x2c\x47\xd8\x32\xcb\xd8\x67\x83\x14\xcc\x31\x3f\xb6\xb9\x96\x6b\xcd\xe9\xb1\xce\x15\xb9\x2f\x05\x97\xd5\x8b\x15\xd9\x1e\x31\xf2\x21\xb2\xf1\xd6\x35\x4e\x49\xde\x2a\x7a\x58\xd5\x8f\x36\x1f\xd6\x47\xfc\x29\xdc\xa3\xb5\xda\x3c\x64\x49\xc5\x2c\xfc\x5b\x87\xbb\x48\x43\xce\xfb\x10\x52\xeb\x68\x47\x8b\x51\xc1\x68\x91\x28\xbe\x43\x4f\x0d\x34\xb5\x11\xcb\xb1\xe8\x4b\x8b\x21\x1a\x9f\xf1\xae\xba\x55\x18\x52\x91\xed\x53\x95\xd4\xca\x5b\x96\x6d\xcb\x7f\xbf\xf4\x32\xb9\x31\xf6\x76\x6a\x9b\x37\xd3\x41\xd5\xf8\x3d\x29\x69\xf4\x9f\xb8\x57\x91\x3f\xd0\x94\xee\x91\x53\xe9\x05\xfd\x3a\x00\x08\x25\xf4\xc9\xd5\x91\xca\xe9\xe1\xfa\x33\xab\xf9\x46\x63\xfa\xb4\x9e\x46\x0f\x13\x44\xca\xe1\xe6\x80\x4f\x2a\x53\x10\x8c\xb0\xf2\x9b\xbc\x0f\x6a\x07\x56\x88\xd9\x87\xd6\xcf\x7c\xa3\x85\x10\x08\xfd\x82\xc3\x55\x89\xec\x90\xe3\x90\x2c\xb1\xed\x05\x13\x55\x5e\x30\x3b\x91\x02\x2a\x04\x54\x94\x8a\xa7\xd8\x66\xdf\xb4\xb9\x7f\xdf\x67\x98\xbe\x4c\x74\x22\x76\xd9\x9f\x68\x53\x70\xa9\x10\xfc\x2b\xe7\xb2\x89\xa4\x45\x73\x78\x5e\x09\xad\x0a\x20\x79\x40\xea\x85\x9b\xef\xff\xd9\x5c\xc9\x70\x69\x77\x7e\x3d\xd0\x50\x62\x61\xa8\xed\xb9\x4a\xb2\x5d\xea\xbd\x37\x1b\xf0\xe8\xdb\xd5\xf0\x35\xa7\x53\x87\x1f\xaa\x53\x52\xcd\xdf\xa9\x04\x96\xdc\x39\x85\xff\xbc\xa1\xb3\x12\x90\xe7\xeb\x46\x0c\x20\x92\x01\x26\xbb\x8c\xa9\x30\x4e\x35\x53\xb3\x74\x8a\x8f\x5d\xf0\xa8\x97\x7a\xb9\x94\x72\x8f\xbb\x54\x0e\x07\x3c\xc3\xf0\x80\x5b\x5d\xf2\x88\x00\x08\x31\xd8\x06\x1c\x06\xd4\x16\xf4\x58\xa2\x54\x7f\xf4\xe6\x03\x6d\xe1\x18\x1c\xd1\xd4\x2a\xf4\x16\x15\xba\x4e\x16\xd6\xf7\xae\xf1\xcb\x34\x06\x07\x22\x21\x2f\xf5\x61\x27\x5b\xc4\x97\x4f\x00\x94\x8f\x54\x2a\x5e\x06\xbf\x40\xb8\x57\x2d\xf1\xd8\xd6\x8b\xa0\x60\x8d\xcb\x02\x7f\x8f\x11\xc0\xb9\x3e\x65\xb2\xde\x9a\x16\xfe\x11\x5e\xa9\x40\xcd\x90\x4e\x11\xb2\xfb\xb7\xc0\xe6\x72\x90\x76\x65\x73\x72\xc1\x34\xee\x6f\xe8\xe0\xfa\x6f\x9c\x2e\xc1\x2b\xde\x36\xe4\x62\x52\x12\xa4\x72\xd1\x50\x10\x51\x01\x68\x14\x79\x1e\x7a\x2f\xef\xbf\xca\x68\x58\x98\x65\xf0\x83\x7a\x32\xb1\x20\x1c\x32\x29\x10\x54\xbf\x71\x87\xe0\x3c\xde\x3a\xdd\x7a\x33\x98\xae\xbe\x76\x67\x2e\x4f\x8a\xd8\x1a\x9e\xab\xec\x9f\xef\xab\xbb\x62\xc1\xd7\x3a\xdc\x3e\xf5\x8a\x68\x77\x5f\x51\x6a\x99\xf5\x4a\x75\xa7\xa7\xb5\x30\xdf\xfc\xa8\x2d\x2b\x22\x2c\x99\x3b\x78\x5a\x1a\x7b\x6f\x7a\xcc\xb5\x84\xae\x25\xab\xe1\x51\x7d\x70\xa6\x9f\xa2\xdf\x2c\x77\xe4\xe0\x75\x5e\x18\x7f\x60\xbc\x82\x46\x58\xb8\xd8\x8d\xaf\xbc\x24\x0a\xbe\xec\x34\x93\xfd\xad\xd6\xa1\xa9\x46\x80\xe5\xdb\x4b\xc1\x86\x2c\x75\x8a\x51\x90\x21\xc0\x12\x17\x89\xf4\xcd\xf1\xe2\xa7\x1c\xd5\x36\xda\xae\xc9\xe4\xb7\x2e\x9e\x25\xd9\x25\x1f\xd3\xee\x51\x1f\x1e\x08\x1f\x90\x6d\x90\xdd\x4d\xf5\xce\xf6\xed\xf4\x11\xaa\xbc\xfd\x5d\x93\x3e\x26\x53\x58\x1f\x1f\x0a\x49\xd8\x5d\x50\x3a\xb0\xf1\x28\x87\x43\xa8\xef\x59\x69\xfe\x4a\xe3\xaf\x9a\xff\xb7\x90\x5a\xc3\xa9\x04\xca\x86\xcd\x7e\x8c\xc5\xb9\x66\x77\xfb\xd2\xbb\xe3\xe3\xe6\x7d\x56\x4e\x2d\xb1\xf1\x4f\x6a\x98\x2d\xa3\xb7\xab\x59\x0a\x1f\xb4\x3c\x44\x95\x6c\xeb\x95\xd2\xd5\x9d\xb9\xe3\x51\x75\x06\xc0\xe1\x64\x3a\x07\x66\x4f\x7a\x27\x9f\x23\xb9\x94\x5c\x32\x42\x79\x60\x24\x2e\x74\x78\x14\x1a\xd1\xd1\x70\x1f\x68\x03\x3b\x69\xc7\xbd\x2d\x64\x31\x8b\xbf\x48\xa0\x5a\x32\x77\x99\x56\xe1\x61\xf4\x26\x82\xbc\x1c\x93\x30\xcb\x6a\xbf\x5a\xfd\x31\xc8\xe1\x1a\x4b\x07\x8b\x03\x57\x9e\x09\x9f\xd3\xd8\xe3\x47\x33\x0a\x01\xfd\xc2\xb5\xca\x05\x00\x1a\x2d\x13\x9a\x5b\xd7\x12\x8a\x02\xf9\xd1\x9b\x85\x81\xba\xd0\xe1\x4f\xaf\x9f\x0a\x13\x2a\x6d\x85\xbb\xd2\x91\xde\x69\x6a\x8c\x67\xd2\xf8\xc3\x13\x4a\xac\x24\xe4\x1b\xb5\xa4\xfd\x74\x2c\x13\x71\xf9\xa8\xe1\x8e\xc9\x05\x0b\x39\x8a\x60\x48\x88\xab\x12\xa8\xed\xec\x79\x29\x74\x45\x6a\xc6\xc6\x29\x89\xa7\x8d\x72\xe8\x4e\x0b\xd7\xaa\xd9\xe1\xc0\x86\x01\xe2\x07\x0a\x4f\x2b\xb1\x00\x91\x04\x08\x82\x78\x26\x3c\x2a\x64\x5d\x31\x87\xed\xf1\x2f\xcf\xeb\xd3\xd8\xb3\x7d\xd8\x93\xb2\x5e\x41\xed\xb5\x18\x08\x9e\x06\xe1\xe2\x6a\x07\x7b\xbc\xb6\xb7\x06\x8c\xa7\x4e\x1c\x4b\x59\x49\x7a\xb4\x81\xfa\xa7\xd1\x83\x49\xd0\xfd\xaf\xf9\xf8\xa0\xcb\x6c\x24\x25\x60\xe3\x1a\x9f\x9e\x34\xc6\xd8\xda\x4e\x6b\x47\x10\x00\xdc\xe4\x6d\x80\x25\x27\x00\xfb\xbf\xa3\x92\x2d\x5d\xee\xd3\x3d\x10\x92\x06\xaf\x07\xf3\xa2\xa3\x48\xa6\x1c\xec\x80\xdf\x13\x02\xc9\x8b\x76\x25\x79\x7a\x11\x3e\xb0\xb7\x14\xee\x64\x7f\x7d\x13\xd6\xc1\x02\x25\xbc\x12\x1b\x66\x66\x08\x3f\xc1\x5b\x63\xc2\xb0\x7e\x48\x71\x67\xb0\xcd\x11\x6c\xa2\xa3\x99\x32\x2b\x9c\x08\xf4\x18\xd1\xbd\x83\xcf\xc3\x97\xad\xaf\x8b\xa2\x67\xed\x46\x30\xfc\xb6\x20\x37\x60\x3c\xaa\xaf\x96\x83\x12\xe3\x35\xaf\xd6\x63\xfc\xed\x69\x90\x0e\x25\x07\x39\x63\xb5\x45\x9f\x59\x7d\x7e\x7e\x58\x16\x47\xc9\x94\xd0\xfd\xef\x88\xa1\xae\x4c\x92\x14\xf6\x68\x0e\x21\x5e\xe6\xa1\x50\x97\xbe\xa9\x01\xb4\x67\xb5\x82\x75\x22\xe6\x8b\x02\x07\x68\xe8\xa3\x40\xfa\xee\x75\xec\xd4\x6a\xf9\x0a\xe3\x8e\xed\xad\xb6\xd7\x51\xc5\xa1\xfc\x5f\xfb\x86\x6a\x0c\xad\xf8\x59\x49\xdd\x96\x31\x34\x4a\x46\xe9\x50\x91\xc5\x85\x9a\xc7\xd0\x78\x31\x53\xbe\x8f\xc8\x9a\x1a\xdf\xd4\xcc\x3f\x45\x3a\xc8\xb1\x1d\x6b\xd6\x37\xf9\x5e\x63\xd2\x8c\x3c\x66\x55\x17\x00\x02\x88\xe7\xa0\x8e\xa7\x1a\x7a\xc0\xd5\x69\xee\x05\xcf\x8a\x66\x31\xa9\xba\x1a\xf4\x56\xd0\x0f\xb0\x49\xf1\xc3\x36\x6e\x8d\x92\x9b\x68\x20\xfb\xef\xb6\x58\x83\x77\x3b\xac\xb1\xcb\x1a\x71\x05\xdd\x2c\xa6\x0e\xdd\xe9\x5f\xa2\xf3\x5a\x34\xa3\x69\xc5\xf0\x4b\x65\xe0\x81\x56\x50\x2f\x8c\xf1\x76\xe4\xf9\x93\x9a\xfb\x6b\xba\xcd\xab\xc5\xc8\x11\x6d\xbd\xe9\xb6\xd2\x12\xbf\x12\x5f\x76\x97\xa8\x57\x1d\x69\xde\x44\x3d\x4d\x86\xf4\xbe\x17\xa9\x59\x14\x8f\xd6\x10\x5a\x67\x4c\xe5\x23\xf3\x7c\x2c\x09\xe1\xce\x1c\xc7\x12\x74\xa4\x75\xca\x3b\x09\x31\xad\xca\x18\x99\xbf\x7b\xaa\xf2\xdc\x3a\x94\x88\xad\xb1\x30\x68\x57\x7e\xd2\xba\x96\xa7\x93\x7f\xff\x3a\x9a\xeb\x46\x12\x34\x53\x2a\xfb\x21\x50\x83\xc8\x97\x99\xa0\xfa\xc0\xad\x2a\xfe\xba\x7a\x33\xde\xf1\xb3\x02\xb1\x2a\x6a\x4d\x7a\x22\x01\xb9\x15\xa2\xc3\xbf\xb5\xcb\xfc\xe7\x46\x88\x5a\xec\xb3\xdb\xc4\xde\x9c\x4d\xc1\xea\x7c\x33\x26\xb7\x31\x8c\x65\xd3\x76\x3a\x5f\x2b\x42\xa0\xa9\x7b\xe0\x6e\x2a\x04\x06\x36\xc2\xfa\xc7\xdb\x42\x72\xd9\x35\x4d\x59\xcd\xa5\x54\x6a\x34\x15\xc8\xf0\x4c\x70\x9e\x0a\xe4\xff\xac\x3e\xc8\x29\x99\xb5\xc5\x0e\xe2\x8a\xe8\x51\x93\xbe\x4a\x68\x88\xdb\x01\xc1\xb7\x70\xf8\x54\xfa\x3b\x66\xc2\xad\xc2\x9c\x6c\x7c\x0d\x3a\x15\xa7\x22\x4b\x23\x5f\xbc\x61\x86\x3b\xf9\xaf\x6d\x8e\xeb\x35\xd6\x7d\x99\x66\xe3\x22\x0f\x0b\xbf\x0e\x10\x15\x58\xa6\x15\x59\xf9\xe6\xdb\xf2\x86\x11\x4a\x94\xe0\x95\x03\x50\xf7\x01\x0f\x3a\x46\xe1\xa9\x8c\x93\x9b\x37\x27\xf1\xd1\x25\xab\x2c\x0c\x5c\x1d\x7c\xab\xec\x0d\x7e\xa6\x86\x97\x84\x3c\x8a\xe9\x03\x6c\x3d\x48\x46\x98\x50\x44\x07\x48\xe7\xcc\xe6\xa2\x60\x16\x54\xd8\xc5\x97\xc5\xd2\x26\xcd\x4f\xfb\xda\x15\x3e\x2f\xec\xf0\xb5\x83\x43\xeb\x7a\xcf\xae\xae\xe0\x29\x70\xf0\x11\x56\x8a\xd2\x6e\x43\x83\xbe\xe5\xda\xf9\x58\x02\xf7\x42\xb0\xb8\xe3\x5d\xad\xc2\x01\x64\x97\x9d\xc4\xea\xb6\xf3\x33\xa2\x94\x12\x91\x6b\xae\xcd\x7d\x11\xe1\x8d\x7d\x56\x6a\x9f\x70\x9a\x49\x31\x43\x39\x19\x51\x4c\x73\x56\x39\xde\xdf\x1d\xf6\x5e\xbd\xe8\xa1\x45\x55\xec\xc2\x54\xfa\x4e\x31\x79\xc6\x11\xaf\x0a\xe3\x2c\x8c\x81\x29\xc0\x13\x9e\x99\x04\x82\x1c\x76\x97\x1b\x2d\x2b\x08\xe8\x39\x28\x14\x29\xcc\x0b\x02\xcf\x5a\xbc\x1f\xb7\x8a\xea\xd7\xd7\x72\xa6\x72\xcd\xa2\xec\x38\xb6\x9f\x85\x8a\x30\x07\xed\x6d\x77\x3e\x41\x75\x21\xb9\x4e\x7c\xfd\x21\xb3\xf7\x63\x61\xa8\x33\xbf\x0c\x8a\x58\xcd\xa1\xc7\x53\x23\x65\x38\xe7\xd1\xbe\x27\x8c\xda\xb7\x8f\xb7\x3f\x36\x28\x06\x15\xaa\x49\xd8\xab\x1d\xea\xc1\x29\x2b\xe4\x48\x0f\xb6\x09\xe7\xe6\x36\x4c\x30\x0a\x86\x13\xd3\x7c\x80\x24\xaa\x6a\x72\xc1\xe4\xa3\x34\xe7\x78\x17\xf9\xcd\xe0\xe1\x0c\xc5\x7b\x7c\x3b\xbc\xa5\x0f\x40\xe1\x5b\x9a\x10\x42\xef\xb7\x80\x2c\x40\x41\x86\xe4\x79\xf5\xf7\x63\x6a\xb5\x0d\x26\x14\x73\xf5\x80\x4a\x75\xf6\xcb\x1f\xcb\x69\x3c\xec\xbe\x9a\x61\xbb\x96\x95\x80\x1c\x7c\xa6\xf9\x27\xe4\x0e\x6a\xa9\x1a\x9a\xf7\x1c\xb5\xd9\x67\xf7\x90\x57\xf9\x55\xd0\xa4\xed\x58\xce\x99\x9f\x9a\xcd\x21\xc1\xa1\xea\x10\x88\x59\x56\xb4\x6e\x44\xca\x83\x0a\xb2\xee\x7a\xdd\x50\xd2\xc1\xfa\x3d\xea\x6f\x4c\x73\x31\xb1\xe5\x3f\xbe\xfc\x7e\x42\x4a\xff\x17\x8c\xef\xf9\x5a\x89\x10\xd3\x99\x52\x70\x4e\xf7\x85\x54\x19\xd3\xcc\x08\xc7\x20\x59\x90\xaf\x44\x7e\x18\xd3\x94\x5d\x13\x3e\x99\xba\x55\x06\xe5\x0e\x31\xbb\x28\xeb\xb5\x13\x37\xe3\x8e\x5d\xab\xfd\xb6\xd2\x0b\xe6\x8a\x04\x05\x0d\xd9\x91\x87\x48\x36\x8d\x58\xb8\x34\x9e\xe6\x0d\xe4\x1d\xbb\xc8\x32\x55\xdb\x8e\x36\x0c\x35\x81\xa3\xb5\x52\x3f\x5c\x36\xd7\xe2\x93\xeb\x4e\x2b\x01\x49\x82\x36\x7e\x28\x6c\x6f\xaa\xcc\x85\x03\xcf\x4d\x91\xc4\x04\x98\x04\xce\x5a\x7f\xde\x5f\xa1\x9c\x6a\x5b\x5f\x33\x0f\xe3\xf4\x4d\x7f\x33\x80\x9b\xfc\x5b\x13\x95\x6f\x64\x66\x3a\xcb\x8c\x32\x46\x73\x82\x9c\x13\x2d\x3c\x73\x52\x5f\x8f\x8e\xa3\xa8\x32\xf8\x89\x75\xd1\x4c\x31\x8c\x05\xbb\x56\x72\xc8\x2b\xb0\x2f\x9a\xcf\x2d\xbc\xba\xf6\x8e\x5e\x47\x8d\xc5\x19\xe5\x22\x84\x0b\xd8\xf0\x8b\x50\xc5\x06\xa7\x5b\xc2\xfd\x09\x2e\x41\x51\x99\xe5\x77\x1d\x8c\xe0\x3f\x08\x8e\x9b\xfd\x45\x51\xc2\xe8\xee\xdb\x85\x93\x03\xed\x75\x76\x01\xbd\xb1\x6b\xff\x54\x31\x23\xd7\x57\x0a\xc5\x0d\x28\x58\xcf\xf2\xa7\xf9\x75\x8c\xb2\x4f\xf0\x55\x4f\x91\x31\x29\x97\x58\xc0\x10\x11\x3d\x9b\x6f\x0b\xc7\x24\x6f\xab\xec\x33\xc5\x8d\xea\x92\x5b\x9e\xa7\x3a\xb3\x81\xc4\xaa\xa8\xfb\x21\x65\xc9\xd7\xd8\xb8\xa7\x01\x20\x22\x50\xd3\x60\xfc\x61\x75\x80\x56\x5e\x78\xd5\x36\x7e\x3f\xbc\xd8\x41\xd4\x50\x3a\x7c\x20\xc2\x05\x60\xa0\x3e\x39\x7b\x0d\x3c\xab\x57\x25\x4d\x36\x51\x12\xaa\xd9\x95\xa9\xe3\x91\x96\x14\xbc\xdc\x6c\xa2\x05\x5d\x0d\x87\x42\x9e\xe3\x30\x5a\x67\xfa\x69\xc6\x02\x4a\x3f\x63\x64\x64\xbc\xab\x62\xc9\x9a\x4d\x04\x53\xf5\xbf\x87\x9c\xd5\xd4\x6e\x3c\xf7\x61\xbb\x91\x10\x9b\xd3\x28\x16\x9f\x95\xe9\x8b\x74\x42\xcd\x05\xa5\xdd\x86\xe1\x85\x36\xd2\x05\x26\x2c\x62\x00\x02\xe7\xa3\xa8\xaf\xed\x46\x81\xc2\x71\xa3\x4f\x0b\x90\x9d\x1c\x86\x1f\x9c\x18\xfc\x76\xd3\xbf\xdd\x99\x37\x85\x18\x5d\xc3\xe2\xe3\x4d\x7f\xba\x68\x6e\xd0\xf7\x33\xd1\x65\x40\x67\x0a\x65\x77\x86\x42\x10\x07\xcc\x1a\x8f\xf9\x72\x36\xfb\x53\xd8\x66\x49\x11\xdc\xaa\xc2\x75\x43\x50\xea\xde\x70\x83\x74\xef\x06\xb2\xf6\x12\x32\xa3\xf5\xb4\x57\x01\xcf\xc0\x92\x84\xb6\xe3\x18\x4c\x7c\x41\x43\xe9\xa3\x04\x98\x4c\x4b\xf1\xa1\x4e\xc7\x55\x11\xaf\x82\xb2\xc6\xc3\xe6\xd5\x99\x07\x28\xf4\xb7\x24\x29\x4d\xfe\xfc\x35\xd1\xc7\x5d\xb9\xef\xc7\x69\xda\xbf\xb5\xcf\xa0\xc5\x48\xc2\xd5\xaa\x9e\x79\x84\x10\xf2\xb2\xbd\xc3\x2d\xa9\x5c\x94\x5a\xee\xbb\xf0\x6e\x2d\x1e\x22\x17\x6b\x66\xe7\xd2\x2b\xeb\xed\x83\x87\x5b\x4c\x86\x3e\xb5\x5a\x71\x94\xc7\x5b\xde\x29\xa8\xc7\x81\x6e\x5c\x3c\x65\x0c\x32\xcf\x54\xf5\xd9\xac\x35\xd3\x8b\xf1\x9e\xcd\xb0\x05\xf4\x76\xab\x05\x0d\x96\xb7\xb7\xfc\x62\x2f\x1a\xc3\x57\xb2\x8f\xbd\x7c\x38\xf8\x1a\xbf\xa0\x63\x55\xa3\x0b\x38\x03\xf0\x42\xc4\xc0\x8a\x82\x74\xda\xf0\x18\x3c\x0e\x52\xa6\x34\xfd\x29\x9a\xee\x99\x4d\xd3\x55\x4e\xdb\x6a\xdf\x99\xba\xd5\xb9\x13\x0b\x49\x1e\xc9\x35\x3c\x7f\x36\xe5\xfa\x7c\x02\x66\x27\xf6\x8f\x67\xc7\x75\xfe\x19\x0a\xeb\x43\xfe\xbf\x56\xf5\x5b\xc1\xa4\xf5\xc2\x29\x48\xe5\xb2\x9a\x11\x7f\x6d\x06\xd4\xc6\x8e\x51\x44\x9f\x08\xa6\xd0\xd2\xe6\x75\x20\xeb\xc0\x67\x0e\x2d\xf3\xd2\xf7\xae\xeb\xfb\xb8\x76\x43\xe5\x8d\x01\x76\x96\x5d\x60\x0d\x97\xa2\x2c\x7a\x05\x56\xa2\xc0\x47\x9d\xe6\x4f\x8b\x44\x92\xdf\xb5\x42\xe8\xd3\xa3\xef\x09\x6f\x99\xd3\x9e\x67\x7a\x07\xac\x97\xdc\x25\x9d\x9f\x75\x9b\x98\xe9\x47\xf1\xae\x8a\x92\x78\xb9\xbd\xcb\x85\x10\xfb\x06\x64\x12\x18\xf7\x9f\x67\xe4\xf5\xba\xff\xbe\x5d\x3c\xc3\x8e\x14\x98\x93\x8c\x55\x09\xa3\xf6\x9f\x32\x39\x2f\x66\x0e\x00\x59\x43\xed\x14\x45\x85\x29\xe8\x25\x93\xbf\xb6\xc4\xd3\xe4\x63\x10\x3a\xab\x3c\xdc\x8d\x46\x8c\x9a\x2c\x20\x1b\xee\x3a\xe6\x63\xf0\x79\x24\x60\xd4\xb7\x1e\x03\x1a\x83\xc3\x3f\x91\x72\x33\x2b\x51\x4f\x74\xb0\x9c\x72\xcd\x6a\xd7\x6e\x90\x6f\xa4\x64\x4f\x3c\x14\x2b\x12\x8c\x1f\xf2\xb8\x4e\x79\x37\x75\x99\xd4\xe2\xc7\x11\x45\xc4\x92\xff\x3d\xab\x44\x79\x3b\x90\x56\x75\x89\x5f\xe3\xdf\x54\x4f\xe7\x25\xea\x5f\x7d\x2f\xe3\x85\x4d\x70\x30\xce\x91\x95\x7f\xad\x4f\x7b\xd7\xbd\x7f\x1d\x1a\x16\x54\xe3\xfc\xd0\xed\xf9\xda\xa7\x2b\xd9\x62\xd6\xb6\x4d\x0d\x99\x0d\x5a\x48\x50\x80\x2b\x92\x97\xfe\xb6\x22\xaa\xfc\xcc\x10\x7e\xa2\xa8\xee\xa4\xf0\xda\x89\x94\x1b\x12\xa0\xec\x1b\xfd\x72\xa2\xed\x44\xff\xf9\xf8\x24\x11\xec\xfe\x9f\x19\xeb\x95\x7b\x48\xf8\x59\xce\x04\x5d\xa2\x33\xc9\x96\x8b\x76\x3e\xd9\x44\x13\xba\x0f\x68\xdd\xca\x65\xce\xa0\xab\xb6\x87\x3c\x89\x29\x02\x41\x6f\x5e\xad\xd9\x11\xd8\x44\x2f\x03\x16\xfb\xde\xa9\xf1\x14\x0b\x3e\x83\x05\xaf\xb5\x10\xa3\xec\x59\x0c\xe2\x0f\xd5\x8d\x3b\xf0\x51\xc2\x66\x3e\x74\xae\x64\xee\xb9\xa1\x46\x3c\x88\x41\xac\x0b\x72\xb7\x32\xb7\xef\x12\x7f\x5a\x7d\x9a\x87\xd6\xb8\x49\x1e\x75\x33\x17\x35\x0d\x7d\x1a\xe5\x93\xe6\xc2\x00\x6f\x23\xb2\x27\x4d\xb5\x8e\xe3\x44\x45\x3c\x38\xe2\x99\xc1\x41\x82\x1a\xc4\x7e\x88\xdd\xd9\x38\x93\xdf\x56\xba\xf5\x01\xfc\xed\xee\x34\xac\x65\x7f\x27\x9a\x9c\x39\xcc\x38", 8192); *(uint64_t*)0x200000006000 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x50; *(uint32_t*)0x200000002784 = 0; *(uint64_t*)0x200000002788 = 0xf48; *(uint32_t*)0x200000002790 = 7; *(uint32_t*)0x200000002794 = 0x2d; *(uint32_t*)0x200000002798 = 0xfffffff7; *(uint32_t*)0x20000000279c = 0x10820000; *(uint16_t*)0x2000000027a0 = 9; *(uint16_t*)0x2000000027a2 = 0xa42; *(uint32_t*)0x2000000027a4 = 0x7e; *(uint32_t*)0x2000000027a8 = 1; *(uint16_t*)0x2000000027ac = 0; *(uint16_t*)0x2000000027ae = 0; *(uint32_t*)0x2000000027b0 = 2; *(uint32_t*)0x2000000027b4 = 0; memset((void*)0x2000000027b8, 0, 24); *(uint64_t*)0x200000006008 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0; *(uint64_t*)0x200000002808 = 0x200; *(uint64_t*)0x200000002810 = 5; *(uint64_t*)0x200000006010 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 0x3ff; *(uint64_t*)0x200000002850 = 1; *(uint64_t*)0x200000006018 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x18; *(uint32_t*)0x200000002884 = 0xffffffda; *(uint64_t*)0x200000002888 = 7; *(uint32_t*)0x200000002890 = 0xc6a; *(uint32_t*)0x200000002894 = 0; *(uint64_t*)0x200000006020 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x18; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 3; *(uint32_t*)0x2000000028d0 = 0; *(uint32_t*)0x2000000028d4 = 0; *(uint64_t*)0x200000006028 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x28; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0xfffffffffffffff8; *(uint64_t*)0x200000002990 = 0x1ff; *(uint64_t*)0x200000002998 = 6; *(uint32_t*)0x2000000029a0 = 2; *(uint32_t*)0x2000000029a4 = r[13]; *(uint64_t*)0x200000006030 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x60; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0xf; *(uint64_t*)0x2000000029d0 = 0; *(uint64_t*)0x2000000029d8 = 4; *(uint64_t*)0x2000000029e0 = 0xb0e; *(uint64_t*)0x2000000029e8 = 1; *(uint64_t*)0x2000000029f0 = 6; *(uint32_t*)0x2000000029f8 = 7; *(uint32_t*)0x2000000029fc = 0x40b4; *(uint32_t*)0x200000002a00 = 0x2594; *(uint32_t*)0x200000002a04 = 0; memset((void*)0x200000002a08, 0, 24); *(uint64_t*)0x200000006038 = 0x200000002a40; *(uint32_t*)0x200000002a40 = 0x18; *(uint32_t*)0x200000002a44 = 0; *(uint64_t*)0x200000002a48 = 0x75aeeeb5; *(uint32_t*)0x200000002a50 = 0xc; *(uint32_t*)0x200000002a54 = 0; *(uint64_t*)0x200000006040 = 0x200000002a80; *(uint32_t*)0x200000002a80 = 0x11; *(uint32_t*)0x200000002a84 = 0; *(uint64_t*)0x200000002a88 = 0xc0000000000; memset((void*)0x200000002a90, 0, 1); *(uint64_t*)0x200000006048 = 0x200000002ac0; *(uint32_t*)0x200000002ac0 = 0x20; *(uint32_t*)0x200000002ac4 = 0; *(uint64_t*)0x200000002ac8 = 4; *(uint64_t*)0x200000002ad0 = 0; *(uint32_t*)0x200000002ad8 = 5; *(uint32_t*)0x200000002adc = 0; *(uint64_t*)0x200000006050 = 0x200000002e40; *(uint32_t*)0x200000002e40 = 0x78; *(uint32_t*)0x200000002e44 = 0; *(uint64_t*)0x200000002e48 = 6; *(uint64_t*)0x200000002e50 = 8; *(uint32_t*)0x200000002e58 = 8; *(uint32_t*)0x200000002e5c = 0; *(uint64_t*)0x200000002e60 = 0; *(uint64_t*)0x200000002e68 = 0xa2; *(uint64_t*)0x200000002e70 = 0x101; *(uint64_t*)0x200000002e78 = 0x279; *(uint64_t*)0x200000002e80 = 6; *(uint64_t*)0x200000002e88 = 4; *(uint32_t*)0x200000002e90 = 6; *(uint32_t*)0x200000002e94 = 6; *(uint32_t*)0x200000002e98 = 0x580; *(uint32_t*)0x200000002e9c = 0x8000; *(uint32_t*)0x200000002ea0 = 8; *(uint32_t*)0x200000002ea4 = r[14]; *(uint32_t*)0x200000002ea8 = r[15]; *(uint32_t*)0x200000002eac = 2; *(uint32_t*)0x200000002eb0 = 2; *(uint32_t*)0x200000002eb4 = 0; *(uint64_t*)0x200000006058 = 0x200000003040; *(uint32_t*)0x200000003040 = 0x90; *(uint32_t*)0x200000003044 = 0; *(uint64_t*)0x200000003048 = 4; *(uint64_t*)0x200000003050 = 4; *(uint64_t*)0x200000003058 = 3; *(uint64_t*)0x200000003060 = 1; *(uint64_t*)0x200000003068 = 9; *(uint32_t*)0x200000003070 = 0; *(uint32_t*)0x200000003074 = 0; *(uint64_t*)0x200000003078 = 6; *(uint64_t*)0x200000003080 = 0xf84; *(uint64_t*)0x200000003088 = 0xffff; *(uint64_t*)0x200000003090 = 9; *(uint64_t*)0x200000003098 = 6; *(uint64_t*)0x2000000030a0 = 7; *(uint32_t*)0x2000000030a8 = 0x4f; *(uint32_t*)0x2000000030ac = 0x8e; *(uint32_t*)0x2000000030b0 = 8; *(uint32_t*)0x2000000030b4 = 0xa000; *(uint32_t*)0x2000000030b8 = 0x401; *(uint32_t*)0x2000000030bc = r[17]; *(uint32_t*)0x2000000030c0 = r[18]; *(uint32_t*)0x2000000030c4 = 0; *(uint32_t*)0x2000000030c8 = 0x3674; *(uint32_t*)0x2000000030cc = 0; *(uint64_t*)0x200000006060 = 0x200000003100; *(uint32_t*)0x200000003100 = 0x88; *(uint32_t*)0x200000003104 = 0xffffffda; *(uint64_t*)0x200000003108 = 0x7fffffffffffffff; *(uint64_t*)0x200000003110 = 3; *(uint64_t*)0x200000003118 = 7; *(uint32_t*)0x200000003120 = 1; *(uint32_t*)0x200000003124 = 4; memset((void*)0x200000003128, 0, 1); *(uint64_t*)0x200000003130 = 1; *(uint64_t*)0x200000003138 = 5; *(uint32_t*)0x200000003140 = 1; *(uint32_t*)0x200000003144 = 0xfffffffc; memset((void*)0x200000003148, 0, 1); *(uint64_t*)0x200000003150 = 6; *(uint64_t*)0x200000003158 = 5; *(uint32_t*)0x200000003160 = 0; *(uint32_t*)0x200000003164 = 0x98; *(uint64_t*)0x200000003168 = 0; *(uint64_t*)0x200000003170 = 8; *(uint32_t*)0x200000003178 = 1; *(uint32_t*)0x20000000317c = 0x1000; memset((void*)0x200000003180, 91, 1); *(uint64_t*)0x200000006068 = 0x2000000054c0; *(uint32_t*)0x2000000054c0 = 0x648; *(uint32_t*)0x2000000054c4 = 0; *(uint64_t*)0x2000000054c8 = 1; *(uint64_t*)0x2000000054d0 = 0; *(uint64_t*)0x2000000054d8 = 3; *(uint64_t*)0x2000000054e0 = 9; *(uint64_t*)0x2000000054e8 = 5; *(uint32_t*)0x2000000054f0 = 0xa; *(uint32_t*)0x2000000054f4 = 2; *(uint64_t*)0x2000000054f8 = 1; *(uint64_t*)0x200000005500 = 9; *(uint64_t*)0x200000005508 = 1; *(uint64_t*)0x200000005510 = 0x7fff; *(uint64_t*)0x200000005518 = 4; *(uint64_t*)0x200000005520 = 1; *(uint32_t*)0x200000005528 = 6; *(uint32_t*)0x20000000552c = 7; *(uint32_t*)0x200000005530 = 3; *(uint32_t*)0x200000005534 = 0xc000; *(uint32_t*)0x200000005538 = 3; *(uint32_t*)0x20000000553c = r[19]; *(uint32_t*)0x200000005540 = r[20]; *(uint32_t*)0x200000005544 = 0x71a5; *(uint32_t*)0x200000005548 = 5; *(uint32_t*)0x20000000554c = 0; *(uint64_t*)0x200000005550 = 3; *(uint64_t*)0x200000005558 = 0x911; *(uint32_t*)0x200000005560 = 9; *(uint32_t*)0x200000005564 = 7; memcpy((void*)0x200000005568, "(--]!}}.:", 9); *(uint64_t*)0x200000005578 = 5; *(uint64_t*)0x200000005580 = 1; *(uint64_t*)0x200000005588 = 2; *(uint64_t*)0x200000005590 = -1; *(uint32_t*)0x200000005598 = 8; *(uint32_t*)0x20000000559c = 1; *(uint64_t*)0x2000000055a0 = 5; *(uint64_t*)0x2000000055a8 = 0x10; *(uint64_t*)0x2000000055b0 = 0xf91; *(uint64_t*)0x2000000055b8 = 7; *(uint64_t*)0x2000000055c0 = 0; *(uint64_t*)0x2000000055c8 = 7; *(uint32_t*)0x2000000055d0 = 4; *(uint32_t*)0x2000000055d4 = 0x4a; *(uint32_t*)0x2000000055d8 = 6; *(uint32_t*)0x2000000055dc = 0x6000; *(uint32_t*)0x2000000055e0 = 9; *(uint32_t*)0x2000000055e4 = r[21]; *(uint32_t*)0x2000000055e8 = r[22]; *(uint32_t*)0x2000000055ec = 6; *(uint32_t*)0x2000000055f0 = 5; *(uint32_t*)0x2000000055f4 = 0; *(uint64_t*)0x2000000055f8 = 0; *(uint64_t*)0x200000005600 = 2; *(uint32_t*)0x200000005608 = 0; *(uint32_t*)0x20000000560c = 0x401; *(uint64_t*)0x200000005610 = 0; *(uint64_t*)0x200000005618 = 3; *(uint64_t*)0x200000005620 = 0; *(uint64_t*)0x200000005628 = 0x401; *(uint32_t*)0x200000005630 = 4; *(uint32_t*)0x200000005634 = 0x3ff; *(uint64_t*)0x200000005638 = 1; *(uint64_t*)0x200000005640 = 1; *(uint64_t*)0x200000005648 = 0xbc; *(uint64_t*)0x200000005650 = 7; *(uint64_t*)0x200000005658 = 8; *(uint64_t*)0x200000005660 = 7; *(uint32_t*)0x200000005668 = 0xffff; *(uint32_t*)0x20000000566c = 6; *(uint32_t*)0x200000005670 = 0x7f; *(uint32_t*)0x200000005674 = 0x8000; *(uint32_t*)0x200000005678 = 1; *(uint32_t*)0x20000000567c = 0xee01; *(uint32_t*)0x200000005680 = r[23]; *(uint32_t*)0x200000005684 = 0x233d; *(uint32_t*)0x200000005688 = 4; *(uint32_t*)0x20000000568c = 0; *(uint64_t*)0x200000005690 = 3; *(uint64_t*)0x200000005698 = 6; *(uint32_t*)0x2000000056a0 = 5; *(uint32_t*)0x2000000056a4 = 7; memcpy((void*)0x2000000056a8, "syz0\000", 5); *(uint64_t*)0x2000000056b0 = 2; *(uint64_t*)0x2000000056b8 = 2; *(uint64_t*)0x2000000056c0 = 7; *(uint64_t*)0x2000000056c8 = 0x80; *(uint32_t*)0x2000000056d0 = 4; *(uint32_t*)0x2000000056d4 = 0xdb; *(uint64_t*)0x2000000056d8 = 3; *(uint64_t*)0x2000000056e0 = 3; *(uint64_t*)0x2000000056e8 = 0x7fff; *(uint64_t*)0x2000000056f0 = 9; *(uint64_t*)0x2000000056f8 = 0; *(uint64_t*)0x200000005700 = 0xa8; *(uint32_t*)0x200000005708 = 0x1000; *(uint32_t*)0x20000000570c = 0x1f3; *(uint32_t*)0x200000005710 = 0xfff0; *(uint32_t*)0x200000005714 = 0x6000; *(uint32_t*)0x200000005718 = 4; *(uint32_t*)0x20000000571c = r[24]; *(uint32_t*)0x200000005720 = r[26]; *(uint32_t*)0x200000005724 = 0xccb2; *(uint32_t*)0x200000005728 = 9; *(uint32_t*)0x20000000572c = 0; *(uint64_t*)0x200000005730 = 6; *(uint64_t*)0x200000005738 = 2; *(uint32_t*)0x200000005740 = 6; *(uint32_t*)0x200000005744 = 7; memset((void*)0x200000005748, 1, 6); *(uint64_t*)0x200000005750 = 4; *(uint64_t*)0x200000005758 = 1; *(uint64_t*)0x200000005760 = 0x100000000; *(uint64_t*)0x200000005768 = 5; *(uint32_t*)0x200000005770 = 0; *(uint32_t*)0x200000005774 = 6; *(uint64_t*)0x200000005778 = 1; *(uint64_t*)0x200000005780 = 0x401; *(uint64_t*)0x200000005788 = 1; *(uint64_t*)0x200000005790 = 2; *(uint64_t*)0x200000005798 = 0xf; *(uint64_t*)0x2000000057a0 = 5; *(uint32_t*)0x2000000057a8 = 0x100; *(uint32_t*)0x2000000057ac = 3; *(uint32_t*)0x2000000057b0 = 0; *(uint32_t*)0x2000000057b4 = 0x2000; *(uint32_t*)0x2000000057b8 = 0; *(uint32_t*)0x2000000057bc = r[27]; *(uint32_t*)0x2000000057c0 = r[28]; *(uint32_t*)0x2000000057c4 = 7; *(uint32_t*)0x2000000057c8 = 8; *(uint32_t*)0x2000000057cc = 0; *(uint64_t*)0x2000000057d0 = 4; *(uint64_t*)0x2000000057d8 = 3; *(uint32_t*)0x2000000057e0 = 6; *(uint32_t*)0x2000000057e4 = 0xffff; memset((void*)0x2000000057e8, 1, 6); *(uint64_t*)0x2000000057f0 = 6; *(uint64_t*)0x2000000057f8 = 2; *(uint64_t*)0x200000005800 = 6; *(uint64_t*)0x200000005808 = 9; *(uint32_t*)0x200000005810 = 2; *(uint32_t*)0x200000005814 = 2; *(uint64_t*)0x200000005818 = 1; *(uint64_t*)0x200000005820 = 0xb51; *(uint64_t*)0x200000005828 = 0x7fffffff; *(uint64_t*)0x200000005830 = 5; *(uint64_t*)0x200000005838 = 0x8b89; *(uint64_t*)0x200000005840 = 0x2800; *(uint32_t*)0x200000005848 = 0x800; *(uint32_t*)0x20000000584c = 6; *(uint32_t*)0x200000005850 = 4; *(uint32_t*)0x200000005854 = 0x8000; *(uint32_t*)0x200000005858 = 3; *(uint32_t*)0x20000000585c = r[29]; *(uint32_t*)0x200000005860 = r[30]; *(uint32_t*)0x200000005864 = 0x80; *(uint32_t*)0x200000005868 = 3; *(uint32_t*)0x20000000586c = 0; *(uint64_t*)0x200000005870 = 0; *(uint64_t*)0x200000005878 = 6; *(uint32_t*)0x200000005880 = 0; *(uint32_t*)0x200000005884 = 0xef; *(uint64_t*)0x200000005888 = 2; *(uint64_t*)0x200000005890 = 1; *(uint64_t*)0x200000005898 = 5; *(uint64_t*)0x2000000058a0 = 0xfff; *(uint32_t*)0x2000000058a8 = 0x582; *(uint32_t*)0x2000000058ac = 0x15; *(uint64_t*)0x2000000058b0 = 2; *(uint64_t*)0x2000000058b8 = 0xbb; *(uint64_t*)0x2000000058c0 = 7; *(uint64_t*)0x2000000058c8 = 0x52a; *(uint64_t*)0x2000000058d0 = 1; *(uint64_t*)0x2000000058d8 = 5; *(uint32_t*)0x2000000058e0 = 0x98; *(uint32_t*)0x2000000058e4 = 5; *(uint32_t*)0x2000000058e8 = 3; *(uint32_t*)0x2000000058ec = 0x5000; *(uint32_t*)0x2000000058f0 = 6; *(uint32_t*)0x2000000058f4 = r[31]; *(uint32_t*)0x2000000058f8 = r[32]; *(uint32_t*)0x2000000058fc = 6; *(uint32_t*)0x200000005900 = 0xffff; *(uint32_t*)0x200000005904 = 0; *(uint64_t*)0x200000005908 = 6; *(uint64_t*)0x200000005910 = 0x3ff; *(uint32_t*)0x200000005918 = 2; *(uint32_t*)0x20000000591c = 8; memcpy((void*)0x200000005920, "*&", 2); *(uint64_t*)0x200000005928 = 2; *(uint64_t*)0x200000005930 = 2; *(uint64_t*)0x200000005938 = 0x3ff; *(uint64_t*)0x200000005940 = 3; *(uint32_t*)0x200000005948 = 2; *(uint32_t*)0x20000000594c = 0xfffffff8; *(uint64_t*)0x200000005950 = 3; *(uint64_t*)0x200000005958 = 0x8a; *(uint64_t*)0x200000005960 = 5; *(uint64_t*)0x200000005968 = 8; *(uint64_t*)0x200000005970 = 1; *(uint64_t*)0x200000005978 = 0; *(uint32_t*)0x200000005980 = 0x7fff; *(uint32_t*)0x200000005984 = 8; *(uint32_t*)0x200000005988 = 0xfffffffb; *(uint32_t*)0x20000000598c = 0xc000; *(uint32_t*)0x200000005990 = 0x8000; *(uint32_t*)0x200000005994 = r[33]; *(uint32_t*)0x200000005998 = r[34]; *(uint32_t*)0x20000000599c = 0x5c5; *(uint32_t*)0x2000000059a0 = 0x8d0d; *(uint32_t*)0x2000000059a4 = 0; *(uint64_t*)0x2000000059a8 = 6; *(uint64_t*)0x2000000059b0 = 0xd; *(uint32_t*)0x2000000059b8 = 6; *(uint32_t*)0x2000000059bc = -1; memcpy((void*)0x2000000059c0, "wlan1\000", 6); *(uint64_t*)0x2000000059c8 = 6; *(uint64_t*)0x2000000059d0 = 1; *(uint64_t*)0x2000000059d8 = 5; *(uint64_t*)0x2000000059e0 = 0xee; *(uint32_t*)0x2000000059e8 = 8; *(uint32_t*)0x2000000059ec = 4; *(uint64_t*)0x2000000059f0 = 1; *(uint64_t*)0x2000000059f8 = 0x200; *(uint64_t*)0x200000005a00 = 0x80000000; *(uint64_t*)0x200000005a08 = 0xb81c; *(uint64_t*)0x200000005a10 = 0x7ff; *(uint64_t*)0x200000005a18 = 0x400; *(uint32_t*)0x200000005a20 = 0x122; *(uint32_t*)0x200000005a24 = 0x400; *(uint32_t*)0x200000005a28 = 0x689f; *(uint32_t*)0x200000005a2c = 0xa000; *(uint32_t*)0x200000005a30 = 0xfffffffc; *(uint32_t*)0x200000005a34 = r[35]; *(uint32_t*)0x200000005a38 = r[36]; *(uint32_t*)0x200000005a3c = 0x1000; *(uint32_t*)0x200000005a40 = 1; *(uint32_t*)0x200000005a44 = 0; *(uint64_t*)0x200000005a48 = 4; *(uint64_t*)0x200000005a50 = 9; *(uint32_t*)0x200000005a58 = 6; *(uint32_t*)0x200000005a5c = 0xfffffffa; memcpy((void*)0x200000005a60, "wlan1\000", 6); *(uint64_t*)0x200000005a68 = 1; *(uint64_t*)0x200000005a70 = 1; *(uint64_t*)0x200000005a78 = 6; *(uint64_t*)0x200000005a80 = 0; *(uint32_t*)0x200000005a88 = 0xf; *(uint32_t*)0x200000005a8c = 0x80000001; *(uint64_t*)0x200000005a90 = 0; *(uint64_t*)0x200000005a98 = 0xb8f; *(uint64_t*)0x200000005aa0 = 0x57c; *(uint64_t*)0x200000005aa8 = 8; *(uint64_t*)0x200000005ab0 = 0x600; *(uint64_t*)0x200000005ab8 = 0x4c44; *(uint32_t*)0x200000005ac0 = 0xc833; *(uint32_t*)0x200000005ac4 = 5; *(uint32_t*)0x200000005ac8 = 3; *(uint32_t*)0x200000005acc = 0xa000; *(uint32_t*)0x200000005ad0 = 0xfffffff9; *(uint32_t*)0x200000005ad4 = r[37]; *(uint32_t*)0x200000005ad8 = r[38]; *(uint32_t*)0x200000005adc = 6; *(uint32_t*)0x200000005ae0 = 2; *(uint32_t*)0x200000005ae4 = 0; *(uint64_t*)0x200000005ae8 = 3; *(uint64_t*)0x200000005af0 = 4; *(uint32_t*)0x200000005af8 = 6; *(uint32_t*)0x200000005afc = 3; memcpy((void*)0x200000005b00, ":-)@\\[", 6); *(uint64_t*)0x200000006070 = 0x200000005d40; *(uint32_t*)0x200000005d40 = 0xa0; *(uint32_t*)0x200000005d44 = 0; *(uint64_t*)0x200000005d48 = 1; *(uint64_t*)0x200000005d50 = 2; *(uint64_t*)0x200000005d58 = 3; *(uint64_t*)0x200000005d60 = 0x100000000; *(uint64_t*)0x200000005d68 = 8; *(uint32_t*)0x200000005d70 = 5; *(uint32_t*)0x200000005d74 = 9; *(uint64_t*)0x200000005d78 = 2; *(uint64_t*)0x200000005d80 = 0x7fffffffffffffff; *(uint64_t*)0x200000005d88 = 2; *(uint64_t*)0x200000005d90 = 0x7f; *(uint64_t*)0x200000005d98 = 0x7ff; *(uint64_t*)0x200000005da0 = 4; *(uint32_t*)0x200000005da8 = 0; *(uint32_t*)0x200000005dac = 2; *(uint32_t*)0x200000005db0 = 1; *(uint32_t*)0x200000005db4 = 0x2000; *(uint32_t*)0x200000005db8 = 0x7ff; *(uint32_t*)0x200000005dbc = r[39]; *(uint32_t*)0x200000005dc0 = r[40]; *(uint32_t*)0x200000005dc4 = 4; *(uint32_t*)0x200000005dc8 = 8; *(uint32_t*)0x200000005dcc = 0; *(uint64_t*)0x200000005dd0 = 0; *(uint32_t*)0x200000005dd8 = 0xd; *(uint32_t*)0x200000005ddc = 0; *(uint64_t*)0x200000006078 = 0x200000005e00; *(uint32_t*)0x200000005e00 = 0x20; *(uint32_t*)0x200000005e04 = 0; *(uint64_t*)0x200000005e08 = 0x10000; *(uint32_t*)0x200000005e10 = 9; *(uint32_t*)0x200000005e14 = 0; *(uint32_t*)0x200000005e18 = 1; *(uint32_t*)0x200000005e1c = 0xfffffffd; *(uint64_t*)0x200000006080 = 0x200000005ec0; *(uint32_t*)0x200000005ec0 = 0x130; *(uint32_t*)0x200000005ec4 = 0xfffffffe; *(uint64_t*)0x200000005ec8 = 0x1000; *(uint64_t*)0x200000005ed0 = 6; *(uint32_t*)0x200000005ed8 = 3; *(uint32_t*)0x200000005edc = 0; memset((void*)0x200000005ee0, 0, 16); *(uint32_t*)0x200000005ef0 = 1; *(uint32_t*)0x200000005ef4 = 0xc6d; *(uint64_t*)0x200000005ef8 = 0xfffffffffffffffc; *(uint32_t*)0x200000005f00 = 0x8000; *(uint32_t*)0x200000005f04 = 0; *(uint32_t*)0x200000005f08 = r[41]; *(uint16_t*)0x200000005f0c = 0x1000; memset((void*)0x200000005f0e, 0, 2); *(uint64_t*)0x200000005f10 = 0; *(uint64_t*)0x200000005f18 = 7; *(uint64_t*)0x200000005f20 = 3; *(uint64_t*)0x200000005f28 = 4; *(uint64_t*)0x200000005f30 = 0xa; *(uint32_t*)0x200000005f38 = 7; *(uint32_t*)0x200000005f3c = 0; *(uint64_t*)0x200000005f40 = 1; *(uint32_t*)0x200000005f48 = 0x905a; *(uint32_t*)0x200000005f4c = 0; *(uint64_t*)0x200000005f50 = 8; *(uint32_t*)0x200000005f58 = 0x81; *(uint32_t*)0x200000005f5c = 0; *(uint64_t*)0x200000005f60 = 8; *(uint32_t*)0x200000005f68 = 2; *(uint32_t*)0x200000005f6c = 0; *(uint32_t*)0x200000005f70 = 0x10001; *(uint32_t*)0x200000005f74 = 0x7ff; *(uint32_t*)0x200000005f78 = 1; *(uint32_t*)0x200000005f7c = -1; memset((void*)0x200000005f80, 0, 112); syz_fuse_handle_req(/*fd=*/r[12], /*buf=*/0x200000000780, /*len=*/0x2000, /*res=*/0x200000006000); break; case 46: memcpy((void*)0x2000000060c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000060c0, /*fd=*/r[12]); break; case 47: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 48: *(uint32_t*)0x200000006104 = 0x45f9; *(uint32_t*)0x200000006108 = 0x1000; *(uint32_t*)0x20000000610c = 0; *(uint32_t*)0x200000006110 = 0xd3; *(uint32_t*)0x200000006118 = r[12]; memset((void*)0x20000000611c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x50db, /*params=*/0x200000006100, /*ring_ptr=*/0x200000006180, /*sqes_ptr=*/0x2000000061c0); if (res != -1) r[42] = *(uint64_t*)0x200000006180; break; case 49: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/r[42]); if (res != -1) r[43] = res; break; case 50: *(uint32_t*)0x200000006204 = 0x25a5; *(uint32_t*)0x200000006208 = 0; *(uint32_t*)0x20000000620c = 2; *(uint32_t*)0x200000006210 = 0x2b0; *(uint32_t*)0x200000006218 = r[43]; memset((void*)0x20000000621c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x539f, /*params=*/0x200000006200, /*ring_ptr=*/0x200000006280, /*sqes_ptr=*/0x2000000062c0); if (res != -1) { r[44] = res; r[45] = *(uint64_t*)0x2000000062c0; } break; case 51: res = syscall(__NR_io_uring_register, /*fd=*/r[44], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[46] = res; break; case 52: *(uint8_t*)0x200000006380 = 0x26; *(uint8_t*)0x200000006381 = 0; *(uint16_t*)0x200000006382 = 0; *(uint32_t*)0x200000006384 = r[43]; *(uint64_t*)0x200000006388 = 0x200000006300; memcpy((void*)0x200000006300, "./file0\000", 8); *(uint64_t*)0x200000006390 = 0x200000006340; memcpy((void*)0x200000006340, "./file0\000", 8); *(uint32_t*)0x200000006398 = 0; *(uint32_t*)0x20000000639c = 0; *(uint64_t*)0x2000000063a0 = 0; *(uint16_t*)0x2000000063a8 = 0; *(uint16_t*)0x2000000063aa = r[46]; memset((void*)0x2000000063ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[42], /*sqes_ptr=*/r[45], /*sqe=*/0x200000006380); break; case 53: memcpy((void*)0x2000000063c0, "SEG6\000", 5); memcpy((void*)0x200000006480, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xc7\xc6\xd5\x63\x96\xba\x64\x55\x9a\x2b\xfe\x12\xe1\x77\x9d\x16\x11\x66\x21\x3e\xe3\xdf\x8a\x88\x66\x07\x35\xda\xdb\xfa\x0e\xe9\x3d\x2b\xbf\x11\x3a\x5d\x2f\x84\x04\x14\xbb\x6a\x83\x5c\x8b\x46\x64\xc1\x62\x58\xd8\x0a\xca\x5d\x75\xc4\xb0\xf7\xb9\xf4\x81\xb3\x2b\x05\x6b\x25\x00\xcd\x38\xd5\xf7\x45\xb2\xca\x6f\x42\x3c\x76\xec\xb5\x4c\x20\xdf\x71\xf3\x7e\x74\xa7\xc3\x31\xe0\x86\x7f\x00\x00\x00\x00\x00\x00\x00\x00", 144); syz_kfuzztest_run(/*name=*/0x2000000063c0, /*data=*/0x200000006400, /*len=*/0x90, /*buf=*/0x200000006480); break; case 54: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[43], /*usermem=*/0x200000bfe000); if (res != -1) r[47] = res; break; case 55: *(uint64_t*)0x200000016780 = 0; *(uint64_t*)0x200000016788 = 0x200000016480; *(uint64_t*)0x200000016480 = 0x6a; *(uint64_t*)0x200000016488 = 0x28; *(uint64_t*)0x200000016490 = 0x351c; *(uint64_t*)0x200000016498 = 2; *(uint64_t*)0x2000000164a0 = 3; *(uint64_t*)0x2000000164a8 = 0x6a; *(uint64_t*)0x2000000164b0 = 0x28; *(uint64_t*)0x2000000164b8 = 0xbe7d; *(uint64_t*)0x2000000164c0 = 2; *(uint64_t*)0x2000000164c8 = 8; *(uint64_t*)0x2000000164d0 = 0x180; *(uint64_t*)0x2000000164d8 = 0x38; *(uint64_t*)0x2000000164e0 = 3; *(uint64_t*)0x2000000164e8 = 0xf10c; *(uint64_t*)0x2000000164f0 = 5; *(uint64_t*)0x2000000164f8 = 0x90; *(uint64_t*)0x200000016500 = 2; *(uint64_t*)0x200000016508 = 0x6a; *(uint64_t*)0x200000016510 = 0x28; *(uint64_t*)0x200000016518 = 0x4c98; *(uint64_t*)0x200000016520 = 6; *(uint64_t*)0x200000016528 = 0x59fe; *(uint64_t*)0x200000016530 = 0x136; *(uint64_t*)0x200000016538 = 0xa8; *(uint64_t*)0x200000016540 = 3; *(uint64_t*)0x200000016548 = 2; *(uint64_t*)0x200000016550 = 0x12c; *(uint64_t*)0x200000016558 = 0x18; *(uint64_t*)0x200000016560 = 0; *(uint64_t*)0x200000016568 = 0x154; *(uint64_t*)0x200000016570 = 0x38; *(uint64_t*)0x200000016578 = 2; *(uint64_t*)0x200000016580 = 0x280d; *(uint64_t*)0x200000016588 = 0x2e0; *(uint64_t*)0x200000016590 = 4; *(uint64_t*)0x200000016598 = 0xfffffffffffffff8; *(uint64_t*)0x2000000165a0 = 0x65; *(uint64_t*)0x2000000165a8 = 0x20; *(uint64_t*)0x2000000165b0 = 0x285; *(uint64_t*)0x2000000165b8 = 7; *(uint64_t*)0x2000000165c0 = 0; *(uint64_t*)0x2000000165c8 = 0x18; *(uint64_t*)0x2000000165d0 = 5; *(uint64_t*)0x2000000165d8 = 0x17f; *(uint64_t*)0x2000000165e0 = 0x10; *(uint64_t*)0x2000000165e8 = 0x67; *(uint64_t*)0x2000000165f0 = 0x20; *(uint64_t*)0x2000000165f8 = 4; *(uint64_t*)0x200000016600 = 4; *(uint64_t*)0x200000016608 = 0x66; *(uint64_t*)0x200000016610 = 0x18; *(uint64_t*)0x200000016618 = 0x2e6; *(uint64_t*)0x200000016620 = 0; *(uint64_t*)0x200000016628 = 0x18; *(uint64_t*)0x200000016630 = 0xe; *(uint64_t*)0x200000016638 = 0x12f; *(uint64_t*)0x200000016640 = 0x18; *(uint64_t*)0x200000016648 = 3; *(uint64_t*)0x200000016650 = 0x154; *(uint64_t*)0x200000016658 = 0x38; *(uint64_t*)0x200000016660 = 0; *(uint64_t*)0x200000016668 = 0x6404; *(uint64_t*)0x200000016670 = 0x10; *(uint64_t*)0x200000016678 = 0xfffffffffffffff7; *(uint64_t*)0x200000016680 = 0xe; *(uint64_t*)0x200000016688 = 0x12c; *(uint64_t*)0x200000016690 = 0x18; *(uint64_t*)0x200000016698 = 0; *(uint64_t*)0x2000000166a0 = 0x130; *(uint64_t*)0x2000000166a8 = 0x18; *(uint64_t*)0x2000000166b0 = 3; *(uint64_t*)0x2000000166b8 = 0x182; *(uint64_t*)0x2000000166c0 = 0x18; *(uint64_t*)0x2000000166c8 = 3; *(uint64_t*)0x2000000166d0 = 0x12e; *(uint64_t*)0x2000000166d8 = 0x63; *(uint64_t*)0x2000000166e0 = 2; memcpy((void*)0x2000000166e8, "\x2e\x0f\x01\x71\x33\xc4\x21\x6a\xc2\xc0\x00\x66\xba\xf8\x0c\xb8\x6e\x89\x7c\x81\xef\x66\xba\xfc\x0c\x66\xb8\xaf\x0b\x66\xef\x42\x0f\x01\xc3\x36\x01\xe3\x12\xec\x0f\x00\xde\xc7\x44\x24\x00\x7a\x00\x00\x00\xc7\x44\x24\x02\x0b\x00\x00\x00\xff\x1c\x24\x40\x0f\xa1\xc4\x43\x31\x4a\x89\x0a\x00\x00\x00\x0b", 75); *(uint64_t*)0x200000016733 = 0x17e; *(uint64_t*)0x20000001673b = 0x10; *(uint64_t*)0x200000016790 = 0x2c3; syz_kvm_add_vcpu(/*vm=*/r[47], /*text=*/0x200000016780); break; case 56: res = syscall(__NR_mmap, /*addr=*/0x200000cbe000ul, /*len=*/0ul, /*prot=PROT_SEM|PROT_READ|PROT_EXEC*/0xdul, /*flags=MAP_SYNC*/0x80000ul, /*cpufd=*/r[12], /*offset=*/0ul); if (res != -1) r[48] = res; break; case 57: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[48], /*exitcode=*/4); break; case 58: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[44], /*run=*/r[48], /*exitcode=*/3); break; case 59: res = syscall(__NR_ioctl, /*fd=*/r[12], /*cmd=*/0xae01, /*type=*/0x20ul); if (res != -1) r[49] = res; break; case 60: *(uint64_t*)0x200000016a40 = 0; *(uint64_t*)0x200000016a48 = 0x2000000167c0; memcpy((void*)0x2000000167c0, "\x00\x00\x00\x3d\x00\x00\x08\x61\x04\x00\x08\x79\x00\x00\x08\x65\x0c\x00\x08\x61\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\xd0\x04\x9c\x63\x24\x6b\xc0\x7f\xfa\xcd\xdf\xfe\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x00\x63\x60\x26\x9f\xe1\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x3c\x02\x63\x60\x42\x00\x00\x44\xf5\x00\x90\x07\xd6\xdb\x8b\xef\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x00\x01\xc0\x3e\x00\x00\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2a\x00\xb5\x62\x73\x6f\xc0\x3e\xa7\xf7\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x2e\x00\xb5\x62\x90\x5e\xc0\x3e\xe0\x10\xd6\x62\x00\x00\xd5\x92\x00\x00\xa0\x3e\x00\x00\xb5\x62\x04\x00\xb5\x7a\x00\x00\xb5\x66\x32\x00\xb5\x62\x00\x00\xc0\x3e\xe0\xd1\xd6\x62\x00\x00\xd5\x92\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x2a\x00\x84\x60\x22\x00\x00\x44\x8f\xed\x9f\xf3\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xef\x63\x60\xb5\xad\x80\x3c\xca\x82\x84\x60\x04\x00\x84\x78\xea\x5e\x84\x64\xa2\xe8\x84\x60\xf1\x67\xa0\x3c\xbe\xe3\xa5\x60\x04\x00\xa5\x78\xa5\x57\xa5\x64\x55\x46\xa5\x60\x03\xf4\xc0\x3c\xb4\x87\xc6\x60\x04\x00\xc6\x78\x73\xed\xc6\x64\x15\x51\xc6\x60\x1d\xe9\xe0\x3c\xe4\xa0\xe7\x60\x04\x00\xe7\x78\xd8\x84\xe7\x64\x25\x76\xe7\x60\x08\x70\x00\x3d\xee\xf7\x08\x61\x04\x00\x08\x79\x1f\x72\x08\x65\x67\x40\x08\x61\x7f\xc5\x20\x3d\x5d\xc6\x29\x61\x04\x00\x29\x79\x7f\x83\x29\x65\x31\xe8\x29\x61\xec\x4b\x40\x3d\xd8\xc0\x4a\x61\x04\x00\x4a\x79\xe3\xf4\x4a\x65\x76\xa0\x4a\x61\x42\x00\x00\x44\xc7\xdd\x79\x12\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\xae\x15\x80\x3c\x96\x74\x84\x60\x04\x00\x84\x78\x48\x29\x84\x64\xf2\x7b\x84\x60\xfb\x2b\xa0\x3c\x3a\x84\xa5\x60\x04\x00\xa5\x78\x66\xdf\xa5\x64\x0e\x85\xa5\x60\x94\x21\xc0\x3c\x54\x4c\xc6\x60\x04\x00\xc6\x78\x8e\xd8\xc6\x64\x2d\x18\xc6\x60\x27\x15\xe0\x3c\x98\x77\xe7\x60\x04\x00\xe7\x78\x52\x7a\xe7\x64\x4a\x11\xe7\x60\xb2\x21\x00\x3d\x41\x62\x08\x61\x04\x00\x08\x79\xf6\x1f\x08\x65\xaa\x6f\x08\x61\x00\xf5\x20\x3d\x4c\x23\x29\x61\x04\x00\x29\x79\xda\x1a\x29\x65\x95\xbf\x29\x61\x93\xf7\x40\x3d\xde\x99\x4a\x61\x04\x00\x4a\x79\x5e\xe8\x4a\x65\xa0\x51\x4a\x61\xd5\x0a\x60\x3d\x34\xf9\x6b\x61\x04\x00\x6b\x79\x21\x19\x6b\x65\xab\x4f\x6b\x61\x22\x00\x00\x44", 632); *(uint64_t*)0x200000016a50 = 0x278; *(uint64_t*)0x200000016a80 = 1; *(uint64_t*)0x200000016a88 = 0xfff; syz_kvm_setup_cpu(/*fd=*/r[49], /*cpufd=*/r[43], /*usermem=*/0x200000e17000, /*text=*/0x200000016a40, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_PID1|KVM_SETUP_PPC64_DR|KVM_SETUP_PPC64_LE*/0x15, /*opts=*/0x200000016a80, /*nopt=*/1); break; case 61: syz_kvm_setup_syzos_vm(/*fd=*/r[49], /*usermem=*/0x200000c00000); break; case 62: *(uint32_t*)0x200000016ac0 = 1; syz_memcpy_off(/*ring_ptr=*/r[42], /*flag_off=*/0, /*src=*/0x200000016ac0, /*src_off=*/0, /*nbytes=*/4); break; case 63: memcpy((void*)0x200000016b00, "adfs\000", 5); memcpy((void*)0x200000016b40, "./file1\000", 8); memcpy((void*)0x200000016b80, "ownmask", 7); *(uint8_t*)0x200000016b87 = 0x3d; sprintf((char*)0x200000016b88, "%023llo", (long long)9); *(uint8_t*)0x200000016b9f = 0x2c; memcpy((void*)0x200000016ba0, "uid", 3); *(uint8_t*)0x200000016ba3 = 0x3d; sprintf((char*)0x200000016ba4, "0x%016llx", (long long)r[39]); *(uint8_t*)0x200000016bb6 = 0x2c; memcpy((void*)0x200000016bb7, "gid", 3); *(uint8_t*)0x200000016bba = 0x3d; sprintf((char*)0x200000016bbb, "0x%016llx", (long long)r[25]); *(uint8_t*)0x200000016bcd = 0x2c; memcpy((void*)0x200000016bce, "ftsuffix", 8); *(uint8_t*)0x200000016bd6 = 0x3d; sprintf((char*)0x200000016bd7, "%020llu", (long long)0x1b2a); *(uint8_t*)0x200000016beb = 0x2c; memcpy((void*)0x200000016bec, "ftsuffix", 8); *(uint8_t*)0x200000016bf4 = 0x3d; sprintf((char*)0x200000016bf5, "%020llu", (long long)0x95); *(uint8_t*)0x200000016c09 = 0x2c; memcpy((void*)0x200000016c0a, "ftsuffix", 8); *(uint8_t*)0x200000016c12 = 0x3d; sprintf((char*)0x200000016c13, "%020llu", (long long)2); *(uint8_t*)0x200000016c27 = 0x2c; memcpy((void*)0x200000016c28, "uid<", 4); sprintf((char*)0x200000016c2c, "%020llu", (long long)r[37]); *(uint8_t*)0x200000016c40 = 0x2c; memcpy((void*)0x200000016c41, "subj_type", 9); *(uint8_t*)0x200000016c4a = 0x3d; *(uint8_t*)0x200000016c4b = 0x2c; *(uint8_t*)0x200000016c4c = 0; memcpy((void*)0x200000016c80, "\x78\x9c\xaa\xdc\xf4\xa2\x4b\x38\x63\x9f\x59\xe2\xe9\x04\x2f\xd9\xe2\xfd\x35\x7c\xef\xfe\x5d\x53\x6f\xe4\x7b\xf4\xfb\xd7\xb9\x0b\x80\x00\x00\x00\xff\xff\xcf\xbb\x0f\xa9", 42); syz_mount_image(/*fs=*/0x200000016b00, /*dir=*/0x200000016b40, /*flags=MS_STRICTATIME|MS_NODIRATIME|MS_MANDLOCK*/0x1000840, /*opts=*/0x200000016b80, /*chdir=*/1, /*size=*/0x2a, /*img=*/0x200000016c80); break; case 64: memcpy((void*)0x200000016cc0, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000016cc0, /*id=*/9, /*flags=O_SYNC|O_NONBLOCK|O_DIRECT|FASYNC|O_APPEND*/0x107c00); break; case 65: *(uint64_t*)0x200000016d00 = 2; *(uint64_t*)0x200000016d08 = 0x27e; *(uint64_t*)0x200000016d10 = 5; *(uint64_t*)0x200000016d18 = 2; *(uint64_t*)0x200000016d20 = 6; *(uint64_t*)0x200000016d28 = 0; *(uint64_t*)0x200000016d30 = 6; *(uint64_t*)0x200000016d38 = 5; *(uint64_t*)0x200000016d40 = 0xd; *(uint64_t*)0x200000016d48 = 0x7ea2; *(uint64_t*)0x200000016d50 = -1; res = syscall(__NR_clone3, /*uargs=*/0x200000016d00ul, /*size=*/0x90c4ul); if (res != -1) r[50] = res; break; case 66: memcpy((void*)0x200000016d80, "fdinfo/3\000", 9); syz_open_procfs(/*pid=*/r[50], /*file=*/0x200000016d80); break; case 67: res = -1; res = syz_open_dev(/*dev=*/0xc, /*major=*/2, /*minor=*/0x15); if (res != -1) r[51] = res; break; case 68: syz_open_pts(/*fd=*/r[51], /*flags=O_LARGEFILE|O_APPEND*/0x8400); break; case 69: syz_pidfd_open(/*pid=*/r[16], /*flags=*/0); break; case 70: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[52] = res; break; case 71: syz_pkey_set(/*key=*/r[52], /*val=PKEY_DISABLE_ACCESS*/1); break; case 72: memcpy((void*)0x200000016dc0, "\x78\x9c\x00\x57\x00\xa8\xff\xa9\x39\xee\x13\x04\xaa\x50\xcd\x48\x33\xb8\x65\x54\x02\x70\xbc\x48\xb9\xef\x5c\xce\x86\x6e\x69\xf5\x3f\xe3\x70\x79\x19\x0f\x3f\x49\xf2\x84\x00\x94\x95\xb6\x1a\x19\x72\xde\x93\x27\x27\x1b\x79\xad\xc1\x51\xcb\xcb\x51\xac\xc1\x0f\x46\x30\xf6\xa3\xaf\xbc\xa6\x66\xa2\x9e\xa2\x84\xe6\x6b\x43\x3f\x69\x17\xae\x0c\x2e\x70\x88\xf3\xbb\xe3\xc8\x15\xd3\xf5\x01\x00\x00\xff\xff\x03\x4a\x2a\xb4", 103); syz_read_part_table(/*size=*/0x67, /*img=*/0x200000016dc0); break; case 73: syz_socket_connect_nvme_tcp(); break; case 74: *(uint8_t*)0x200000016e40 = 0x12; *(uint8_t*)0x200000016e41 = 1; *(uint16_t*)0x200000016e42 = 0x300; *(uint8_t*)0x200000016e44 = 0x42; *(uint8_t*)0x200000016e45 = 0x66; *(uint8_t*)0x200000016e46 = 0x24; *(uint8_t*)0x200000016e47 = 8; *(uint16_t*)0x200000016e48 = 0x2357; *(uint16_t*)0x200000016e4a = 0x9000; *(uint16_t*)0x200000016e4c = 0x8c65; *(uint8_t*)0x200000016e4e = 1; *(uint8_t*)0x200000016e4f = 2; *(uint8_t*)0x200000016e50 = 3; *(uint8_t*)0x200000016e51 = 1; *(uint8_t*)0x200000016e52 = 9; *(uint8_t*)0x200000016e53 = 2; *(uint16_t*)0x200000016e54 = 0x82e; *(uint8_t*)0x200000016e56 = 3; *(uint8_t*)0x200000016e57 = 0x7f; *(uint8_t*)0x200000016e58 = 2; *(uint8_t*)0x200000016e59 = 0x20; *(uint8_t*)0x200000016e5a = 5; *(uint8_t*)0x200000016e5b = 9; *(uint8_t*)0x200000016e5c = 4; *(uint8_t*)0x200000016e5d = 0xce; *(uint8_t*)0x200000016e5e = 7; *(uint8_t*)0x200000016e5f = 0xf; *(uint8_t*)0x200000016e60 = 0xaf; *(uint8_t*)0x200000016e61 = 0xe8; *(uint8_t*)0x200000016e62 = 0x6e; *(uint8_t*)0x200000016e63 = 0; *(uint8_t*)0x200000016e64 = 0xa; *(uint8_t*)0x200000016e65 = 0x24; *(uint8_t*)0x200000016e66 = 1; *(uint16_t*)0x200000016e67 = 0x7ff; *(uint8_t*)0x200000016e69 = 6; *(uint8_t*)0x200000016e6a = 2; *(uint8_t*)0x200000016e6b = 1; *(uint8_t*)0x200000016e6c = 2; *(uint8_t*)0x200000016e6d = 7; *(uint8_t*)0x200000016e6e = 0x24; *(uint8_t*)0x200000016e6f = 7; *(uint8_t*)0x200000016e70 = 4; *(uint16_t*)0x200000016e71 = 4; *(uint8_t*)0x200000016e73 = 1; *(uint8_t*)0x200000016e74 = 7; *(uint8_t*)0x200000016e75 = 0x24; *(uint8_t*)0x200000016e76 = 6; *(uint8_t*)0x200000016e77 = 0; *(uint8_t*)0x200000016e78 = 1; memcpy((void*)0x200000016e79, "\xa3\x4e", 2); *(uint8_t*)0x200000016e7b = 5; *(uint8_t*)0x200000016e7c = 0x24; *(uint8_t*)0x200000016e7d = 0; *(uint16_t*)0x200000016e7e = 2; *(uint8_t*)0x200000016e80 = 0xd; *(uint8_t*)0x200000016e81 = 0x24; *(uint8_t*)0x200000016e82 = 0xf; *(uint8_t*)0x200000016e83 = 1; *(uint32_t*)0x200000016e84 = 0x7fffffff; *(uint16_t*)0x200000016e88 = 0; *(uint16_t*)0x200000016e8a = 7; *(uint8_t*)0x200000016e8c = 8; *(uint8_t*)0x200000016e8d = 6; *(uint8_t*)0x200000016e8e = 0x24; *(uint8_t*)0x200000016e8f = 0x1a; *(uint16_t*)0x200000016e90 = 9; *(uint8_t*)0x200000016e92 = 4; *(uint8_t*)0x200000016e93 = 0xd8; *(uint8_t*)0x200000016e94 = 0x24; *(uint8_t*)0x200000016e95 = 0x13; *(uint8_t*)0x200000016e96 = 1; memcpy((void*)0x200000016e97, "\xfc\xb6\x4e\x07\xcb\xc6\x13\xee\x0f\xb4\x7b\x17\x2d\x8c\xb2\x54\x90\xf7\xd0\x8d\xca\x4c\x04\xf2\x48\xb0\xd2\xc6\xc5\xd4\xfd\x13\xc9\x0c\x33\x7d\xbf\xe0\x45\x78\x3c\xe1\xee\x13\x99\xfa\x76\xc1\x4b\x25\xf5\xc3\x38\xb0\x41\x83\x3f\x78\x7b\x77\x6e\x0c\x3c\x25\x51\x89\xf0\x69\x4e\x73\x1c\xc1\xed\xd1\x26\x9d\xee\x99\xee\xd0\x4d\x16\xaf\x2a\xe0\xf1\x24\x51\x00\x06\xa6\x42\x80\xfb\xf1\xac\x11\x46\xbe\xee\x98\x58\x83\x56\x6c\x16\x9a\xbf\xf0\x9e\x46\x01\x8c\x5d\xdf\xdc\xef\xb4\xc0\x6a\x46\x26\xf8\xee\xb2\x1b\x61\x8f\xe7\x0a\xdf\x76\xc2\x04\xc1\xa9\x30\x5d\x06\xd9\x08\x52\xb6\x06\xa0\x69\x8c\x66\x78\x28\x0d\x48\x29\xc7\x81\x71\x52\x6b\x7c\xf0\xcf\x95\xca\xb7\xe3\xaf\xb3\xb5\x8f\xcf\xaf\x6d\x70\xeb\x43\x33\x47\xfb\xae\x12\x94\xb2\x88\xb8\xd3\x39\xb3\xd7\x8f\xdb\xc0\xf2\x27\x90\x7a\xaa\x92\x1c\xa3\x02\x6e\x4c\x5c\xe3\x42\x11\xe3\xc9\x07\xb4\x2c\xa6", 212); *(uint8_t*)0x200000016f6b = 8; *(uint8_t*)0x200000016f6c = 0x24; *(uint8_t*)0x200000016f6d = 0x1c; *(uint16_t*)0x200000016f6e = 0xfff; *(uint8_t*)0x200000016f70 = 1; *(uint16_t*)0x200000016f71 = 0xf51; *(uint8_t*)0x200000016f73 = 8; *(uint8_t*)0x200000016f74 = 0x24; *(uint8_t*)0x200000016f75 = 0x1c; *(uint16_t*)0x200000016f76 = 0x80; *(uint8_t*)0x200000016f78 = 2; *(uint16_t*)0x200000016f79 = 0x7f; *(uint8_t*)0x200000016f7b = 5; *(uint8_t*)0x200000016f7c = 0x24; *(uint8_t*)0x200000016f7d = 0x15; *(uint16_t*)0x200000016f7e = 0x4d; *(uint8_t*)0x200000016f80 = 8; *(uint8_t*)0x200000016f81 = 0x24; *(uint8_t*)0x200000016f82 = 0x1c; *(uint16_t*)0x200000016f83 = 0xbf26; *(uint8_t*)0x200000016f85 = 0x10; *(uint16_t*)0x200000016f86 = 0x7806; *(uint8_t*)0x200000016f88 = 9; *(uint8_t*)0x200000016f89 = 5; *(uint8_t*)0x200000016f8a = 1; *(uint8_t*)0x200000016f8b = 0; *(uint16_t*)0x200000016f8c = 0x200; *(uint8_t*)0x200000016f8e = 6; *(uint8_t*)0x200000016f8f = 0x40; *(uint8_t*)0x200000016f90 = 0xb; *(uint8_t*)0x200000016f91 = 7; *(uint8_t*)0x200000016f92 = 0x25; *(uint8_t*)0x200000016f93 = 1; *(uint8_t*)0x200000016f94 = 3; *(uint8_t*)0x200000016f95 = 4; *(uint16_t*)0x200000016f96 = 8; *(uint8_t*)0x200000016f98 = 0xe8; *(uint8_t*)0x200000016f99 = 0x30; memcpy((void*)0x200000016f9a, "\x68\x84\x9f\x67\xc9\x80\x33\xbf\xdc\x9b\xc6\x7c\x70\x6e\x68\x9f\x08\xda\x2d\x58\x7b\x66\x8f\x1f\x67\x6b\xbb\xc3\x8f\x71\xf6\x8c\x01\x29\x15\x9b\x91\x2f\x32\x88\xaf\x2d\x8f\x5b\x2a\x9e\x6a\x41\x6c\x8e\x34\x45\xc3\x33\xdf\x5f\x70\x08\x23\x36\x83\xc6\x74\x20\x84\x56\xcf\xcb\x7a\x59\x8f\xd1\x43\x0b\x9b\xb5\x5e\x9b\x6f\xbf\x6c\xd0\x79\x7f\xfd\xb4\x8e\x94\xa2\xbb\x0a\x7b\x92\x4d\xc3\xfe\x2c\x8b\x37\xff\x8b\x6d\x67\xa0\x55\x1a\x58\x2d\x71\x34\x54\xdc\x2f\x82\x9c\x5f\xa9\xbb\x41\x05\x3a\x7b\x74\xb6\x01\xc8\xab\x84\x54\xe2\xd4\x8d\x21\x3e\xb4\xf8\x73\xd9\x69\x31\x19\xcf\x01\xd9\x77\x9a\xfa\xa2\x61\xbd\x19\xf8\x4e\x39\x98\xa2\x7c\xc2\x7f\xdb\xaa\x15\x46\x7c\xd6\xf5\x44\x2a\xec\x6c\x7d\x12\x86\x17\x46\xb6\xba\xb7\xb9\x37\x01\xf0\x11\xde\x1e\x99\x5c\x1c\x20\x4b\x4c\x26\x80\x50\x3a\x47\xba\xd8\x6f\xa4\x29\xcf\x00\xde\xd4\x82\x39\xfb\x55\x5a\xb9\x80\x87\xed\xea\xee\xba\x89\xb1\x4d\xad\x51\xb1\x99\x3c\x25\xe6\x01\x09\xbf", 230); *(uint8_t*)0x200000017080 = 9; *(uint8_t*)0x200000017081 = 5; *(uint8_t*)0x200000017082 = 0xa; *(uint8_t*)0x200000017083 = 1; *(uint16_t*)0x200000017084 = 0x40; *(uint8_t*)0x200000017086 = 0xf7; *(uint8_t*)0x200000017087 = 2; *(uint8_t*)0x200000017088 = 5; *(uint8_t*)0x200000017089 = 9; *(uint8_t*)0x20000001708a = 5; *(uint8_t*)0x20000001708b = 5; *(uint8_t*)0x20000001708c = 0x10; *(uint16_t*)0x20000001708d = 0x3ff; *(uint8_t*)0x20000001708f = 7; *(uint8_t*)0x200000017090 = 0x14; *(uint8_t*)0x200000017091 = 0; *(uint8_t*)0x200000017092 = 9; *(uint8_t*)0x200000017093 = 5; *(uint8_t*)0x200000017094 = 0xe; *(uint8_t*)0x200000017095 = 0x10; *(uint16_t*)0x200000017096 = 0x200; *(uint8_t*)0x200000017098 = 0xc7; *(uint8_t*)0x200000017099 = 0x46; *(uint8_t*)0x20000001709a = 2; *(uint8_t*)0x20000001709b = 9; *(uint8_t*)0x20000001709c = 5; *(uint8_t*)0x20000001709d = 0xd; *(uint8_t*)0x20000001709e = 0xa; *(uint16_t*)0x20000001709f = 0x10; *(uint8_t*)0x2000000170a1 = 0x40; *(uint8_t*)0x2000000170a2 = 8; *(uint8_t*)0x2000000170a3 = 2; *(uint8_t*)0x2000000170a4 = 7; *(uint8_t*)0x2000000170a5 = 0x25; *(uint8_t*)0x2000000170a6 = 1; *(uint8_t*)0x2000000170a7 = 0x82; *(uint8_t*)0x2000000170a8 = 1; *(uint16_t*)0x2000000170a9 = 7; *(uint8_t*)0x2000000170ab = 9; *(uint8_t*)0x2000000170ac = 5; *(uint8_t*)0x2000000170ad = 8; *(uint8_t*)0x2000000170ae = 2; *(uint16_t*)0x2000000170af = 0x3ff; *(uint8_t*)0x2000000170b1 = 0x10; *(uint8_t*)0x2000000170b2 = 9; *(uint8_t*)0x2000000170b3 = 8; *(uint8_t*)0x2000000170b4 = 0xf8; *(uint8_t*)0x2000000170b5 = 1; memcpy((void*)0x2000000170b6, "\x87\x09\xda\xe6\x27\x40\x78\x00\x19\x13\xce\x2e\xfb\xcb\x79\xab\x11\x33\xba\xa4\xf7\xe0\x7b\x3b\x2c\x7f\xf7\x03\x89\xe9\x02\xb3\x68\x4a\x95\xa2\x99\x97\xf2\xd2\x0f\xf4\xaf\x27\x0d\x19\xa8\xe0\xb4\xf2\x4d\xf5\x12\xa7\x98\x1b\x5c\xc2\x17\x94\x1c\xc5\x5d\x0e\xe5\x27\x77\xd5\x46\x9f\x8d\x59\xa8\xb5\xb4\xa6\xe4\xfe\x8c\x2c\x94\x50\xb4\x7d\x31\x53\xab\x98\xf8\xe2\x5d\x69\x98\x73\xd3\xbd\xb2\x64\x00\x75\x12\x3c\x4c\x4b\xf2\x70\xdb\x5a\x2e\x30\xc4\x78\xe7\x5e\x0e\x80\xac\xa0\xd4\x1a\xf7\x46\xe3\xef\xb5\x98\xb2\xdb\xec\x64\x7a\xbd\x39\x7b\x0e\xfb\xb2\xe7\x44\x23\x8a\x48\xce\xfe\x42\x99\xf4\x83\x85\xe7\x4d\x32\x5b\xa5\x2c\x15\xb1\x68\x23\x4a\x99\x6d\x32\x57\xea\xab\x4f\xef\xcb\xa6\xb8\x98\xc9\x1d\xd9\x9e\x0c\x08\x0a\x10\x19\x11\x84\xea\x55\x2c\x28\x22\x3c\x35\xe6\x3e\xa9\x40\x68\x88\xa9\x47\x59\xad\x4c\x30\xba\xec\x3d\x37\xbc\x12\x62\x8f\x39\xfd\x0e\x1e\xa1\x66\x51\x22\xb4\xa0\x4a\xde\xc0\xd9\x63\x24\x21\xac\x75\x18\x85\x1c\x5c\x92\x56\xa3\x3e\x29\x12\x01\xa3\xaf\x1a\xf8\xdf\x0a", 246); *(uint8_t*)0x2000000171ac = 0x66; *(uint8_t*)0x2000000171ad = 4; memcpy((void*)0x2000000171ae, "\xe2\x4a\xf3\x93\x66\xd6\xcc\x5b\x86\x03\x79\x36\x7e\x9b\x5a\xf9\x12\x38\xa8\xad\x60\xd4\xd3\x33\x0b\x86\x61\x5c\x23\x8b\x9a\xdc\x15\x0c\xa8\xd4\xd8\x9f\x34\x7c\xef\xed\x35\x02\xf2\xa6\x46\x69\xec\x10\xc9\x35\x2c\xc3\xf0\x0b\xb7\xbf\xff\x70\xa3\x40\x70\x24\x7f\x37\x2f\xd5\x6b\x34\x8f\x50\xf9\x45\x09\x03\x89\x94\xdf\x69\x9d\xd0\xbd\x1e\x0f\x29\x14\x24\x50\x2d\x0a\xbf\xa2\x75\xdf\x94\xab\x99\x68\x6b", 100); *(uint8_t*)0x200000017212 = 9; *(uint8_t*)0x200000017213 = 5; *(uint8_t*)0x200000017214 = 3; *(uint8_t*)0x200000017215 = 3; *(uint16_t*)0x200000017216 = 0x20; *(uint8_t*)0x200000017218 = 0x10; *(uint8_t*)0x200000017219 = 6; *(uint8_t*)0x20000001721a = 4; *(uint8_t*)0x20000001721b = 7; *(uint8_t*)0x20000001721c = 0x25; *(uint8_t*)0x20000001721d = 1; *(uint8_t*)0x20000001721e = 0; *(uint8_t*)0x20000001721f = 2; *(uint16_t*)0x200000017220 = 0xf; *(uint8_t*)0x200000017222 = 9; *(uint8_t*)0x200000017223 = 5; *(uint8_t*)0x200000017224 = 0xa; *(uint8_t*)0x200000017225 = 0x10; *(uint16_t*)0x200000017226 = 0x20; *(uint8_t*)0x200000017228 = 2; *(uint8_t*)0x200000017229 = 0x6a; *(uint8_t*)0x20000001722a = 0x9c; *(uint8_t*)0x20000001722b = 9; *(uint8_t*)0x20000001722c = 5; *(uint8_t*)0x20000001722d = 6; *(uint8_t*)0x20000001722e = 0; *(uint16_t*)0x20000001722f = 8; *(uint8_t*)0x200000017231 = 0xa6; *(uint8_t*)0x200000017232 = 0; *(uint8_t*)0x200000017233 = 3; *(uint8_t*)0x200000017234 = 9; *(uint8_t*)0x200000017235 = 5; *(uint8_t*)0x200000017236 = 0xe; *(uint8_t*)0x200000017237 = 0x10; *(uint16_t*)0x200000017238 = 0x400; *(uint8_t*)0x20000001723a = 8; *(uint8_t*)0x20000001723b = 6; *(uint8_t*)0x20000001723c = 2; *(uint8_t*)0x20000001723d = 7; *(uint8_t*)0x20000001723e = 0x25; *(uint8_t*)0x20000001723f = 1; *(uint8_t*)0x200000017240 = 0x80; *(uint8_t*)0x200000017241 = 0x80; *(uint16_t*)0x200000017242 = 0xfffe; *(uint8_t*)0x200000017244 = 7; *(uint8_t*)0x200000017245 = 0x25; *(uint8_t*)0x200000017246 = 1; *(uint8_t*)0x200000017247 = 0; *(uint8_t*)0x200000017248 = 8; *(uint16_t*)0x200000017249 = 6; *(uint8_t*)0x20000001724b = 9; *(uint8_t*)0x20000001724c = 5; *(uint8_t*)0x20000001724d = 2; *(uint8_t*)0x20000001724e = 0xc; *(uint16_t*)0x20000001724f = 0x20; *(uint8_t*)0x200000017251 = 7; *(uint8_t*)0x200000017252 = 0xfe; *(uint8_t*)0x200000017253 = 1; *(uint8_t*)0x200000017254 = 7; *(uint8_t*)0x200000017255 = 0x25; *(uint8_t*)0x200000017256 = 1; *(uint8_t*)0x200000017257 = 2; *(uint8_t*)0x200000017258 = 3; *(uint16_t*)0x200000017259 = 7; *(uint8_t*)0x20000001725b = 9; *(uint8_t*)0x20000001725c = 5; *(uint8_t*)0x20000001725d = 8; *(uint8_t*)0x20000001725e = 0; *(uint16_t*)0x20000001725f = 0x20; *(uint8_t*)0x200000017261 = 5; *(uint8_t*)0x200000017262 = 7; *(uint8_t*)0x200000017263 = 0; *(uint8_t*)0x200000017264 = 9; *(uint8_t*)0x200000017265 = 5; *(uint8_t*)0x200000017266 = 5; *(uint8_t*)0x200000017267 = 0x10; *(uint16_t*)0x200000017268 = 0x400; *(uint8_t*)0x20000001726a = 0x94; *(uint8_t*)0x20000001726b = 9; *(uint8_t*)0x20000001726c = 7; *(uint8_t*)0x20000001726d = 0xdd; *(uint8_t*)0x20000001726e = 0x30; memcpy((void*)0x20000001726f, "\x77\x86\x7e\xa8\x5d\x1b\x66\xca\x1b\x83\x5f\x1f\xfe\x80\xb4\xe1\x5a\x42\x97\xfd\x75\x06\x0e\x9c\xa4\xa2\x1e\x38\x5a\xda\xb0\x95\x08\x05\x1d\xd6\x10\x5e\xaa\x7c\xdc\xec\xdc\xc3\x20\xbc\x7f\x95\x6e\xeb\x82\x39\x4f\xee\xae\x2b\x09\xc0\x99\x0c\x54\x43\x3f\x37\x34\xda\x18\xcc\xf1\x3f\x5f\xcc\x5b\xb3\x2e\xb3\xbb\x6b\x06\x2a\x28\x29\x89\x58\x2d\x89\x8d\x9e\x25\xf9\x7d\x5d\x39\x27\xfb\xc2\x2c\x45\x90\x49\x83\x86\x0e\xb6\x1e\xaf\xd3\x4b\x54\xed\x2c\xc8\xb5\x5c\xf1\x97\xd3\x1b\xbb\x18\x10\x63\x60\xad\x77\x24\x0c\x1f\x44\xfd\x50\xf1\xa9\x44\xb9\xf5\x55\x7f\x95\xe9\x45\x13\xb0\xad\x4d\x60\x79\xe1\x5e\x8d\x3b\x43\x01\x02\x7d\xec\xe5\xa5\xba\x84\x88\xa2\x65\xab\x30\x67\xce\x7d\x0f\x2d\x5a\xd3\x11\x7b\xdd\xf0\x68\xf5\x91\xf6\x1d\x66\x46\xf9\x6a\x37\x72\xbb\x1d\x88\x07\xba\x9d\xd6\xd7\xa0\xbe\xec\xb2\x72\x98\xc3\xf0\x90\xb2\xb7\xed\x72\x97\x9d\x14\xde\xae\x68\x5d\x25\x0f\x2c\xc0", 219); *(uint8_t*)0x20000001734a = 7; *(uint8_t*)0x20000001734b = 0x25; *(uint8_t*)0x20000001734c = 1; *(uint8_t*)0x20000001734d = 2; *(uint8_t*)0x20000001734e = 0x81; *(uint16_t*)0x20000001734f = 0x70; *(uint8_t*)0x200000017351 = 9; *(uint8_t*)0x200000017352 = 5; *(uint8_t*)0x200000017353 = 5; *(uint8_t*)0x200000017354 = 0; *(uint16_t*)0x200000017355 = 0x3ff; *(uint8_t*)0x200000017357 = 7; *(uint8_t*)0x200000017358 = 0; *(uint8_t*)0x200000017359 = 0xd5; *(uint8_t*)0x20000001735a = 9; *(uint8_t*)0x20000001735b = 5; *(uint8_t*)0x20000001735c = 0xc; *(uint8_t*)0x20000001735d = 0; *(uint16_t*)0x20000001735e = 0x40; *(uint8_t*)0x200000017360 = 0; *(uint8_t*)0x200000017361 = 0xb; *(uint8_t*)0x200000017362 = 6; *(uint8_t*)0x200000017363 = 7; *(uint8_t*)0x200000017364 = 0x25; *(uint8_t*)0x200000017365 = 1; *(uint8_t*)0x200000017366 = 0x80; *(uint8_t*)0x200000017367 = 0xc4; *(uint16_t*)0x200000017368 = 0x6e; *(uint8_t*)0x20000001736a = 0xe; *(uint8_t*)0x20000001736b = 0xd; memcpy((void*)0x20000001736c, "\x36\xcb\x58\xaf\xca\x23\xd3\xe3\xcd\x43\x84\x0a", 12); *(uint8_t*)0x200000017378 = 9; *(uint8_t*)0x200000017379 = 4; *(uint8_t*)0x20000001737a = 0x8c; *(uint8_t*)0x20000001737b = 0; *(uint8_t*)0x20000001737c = 0xc; *(uint8_t*)0x20000001737d = 0x77; *(uint8_t*)0x20000001737e = 0x71; *(uint8_t*)0x20000001737f = 0x4d; *(uint8_t*)0x200000017380 = -1; *(uint8_t*)0x200000017381 = 0xb; *(uint8_t*)0x200000017382 = 0x24; *(uint8_t*)0x200000017383 = 6; *(uint8_t*)0x200000017384 = 0; *(uint8_t*)0x200000017385 = 0; memcpy((void*)0x200000017386, "\x37\x87\x90\x73\x85\x59", 6); *(uint8_t*)0x20000001738c = 5; *(uint8_t*)0x20000001738d = 0x24; *(uint8_t*)0x20000001738e = 0; *(uint16_t*)0x20000001738f = 0xdd; *(uint8_t*)0x200000017391 = 0xd; *(uint8_t*)0x200000017392 = 0x24; *(uint8_t*)0x200000017393 = 0xf; *(uint8_t*)0x200000017394 = 1; *(uint32_t*)0x200000017395 = 5; *(uint16_t*)0x200000017399 = 0x926; *(uint16_t*)0x20000001739b = 1; *(uint8_t*)0x20000001739d = 5; *(uint8_t*)0x20000001739e = 0x15; *(uint8_t*)0x20000001739f = 0x24; *(uint8_t*)0x2000000173a0 = 0x12; *(uint16_t*)0x2000000173a1 = 7; *(uint64_t*)0x2000000173a3 = 0x14f5e048ba817a3; *(uint64_t*)0x2000000173ab = 0x2a397ecbffc007a6; *(uint8_t*)0x2000000173b3 = 0x10; *(uint8_t*)0x2000000173b4 = 0x24; *(uint8_t*)0x2000000173b5 = 7; *(uint8_t*)0x2000000173b6 = 0xf; *(uint16_t*)0x2000000173b7 = 0x47f; *(uint16_t*)0x2000000173b9 = 7; *(uint16_t*)0x2000000173bb = 5; *(uint16_t*)0x2000000173bd = 0xa5a; *(uint16_t*)0x2000000173bf = 0xf25d; *(uint16_t*)0x2000000173c1 = 0x10; *(uint8_t*)0x2000000173c3 = 6; *(uint8_t*)0x2000000173c4 = 0x24; *(uint8_t*)0x2000000173c5 = 0x1a; *(uint16_t*)0x2000000173c6 = 0x100; *(uint8_t*)0x2000000173c8 = 1; *(uint8_t*)0x2000000173c9 = 6; *(uint8_t*)0x2000000173ca = 0x24; *(uint8_t*)0x2000000173cb = 7; *(uint8_t*)0x2000000173cc = 9; *(uint16_t*)0x2000000173cd = 0x81; *(uint8_t*)0x2000000173cf = 0xe; *(uint8_t*)0x2000000173d0 = 0x24; *(uint8_t*)0x2000000173d1 = 7; *(uint8_t*)0x2000000173d2 = 0x10; *(uint16_t*)0x2000000173d3 = 0x3a; *(uint16_t*)0x2000000173d5 = 0x1400; *(uint16_t*)0x2000000173d7 = 1; *(uint16_t*)0x2000000173d9 = 3; *(uint16_t*)0x2000000173db = 8; *(uint8_t*)0x2000000173dd = 0xa; *(uint8_t*)0x2000000173de = 0x24; *(uint8_t*)0x2000000173df = 1; *(uint16_t*)0x2000000173e0 = 0x80; *(uint8_t*)0x2000000173e2 = 0x80; *(uint8_t*)0x2000000173e3 = 2; *(uint8_t*)0x2000000173e4 = 1; *(uint8_t*)0x2000000173e5 = 2; *(uint8_t*)0x2000000173e6 = 9; *(uint8_t*)0x2000000173e7 = 5; *(uint8_t*)0x2000000173e8 = 5; *(uint8_t*)0x2000000173e9 = 8; *(uint16_t*)0x2000000173ea = 0x200; *(uint8_t*)0x2000000173ec = 0x39; *(uint8_t*)0x2000000173ed = 3; *(uint8_t*)0x2000000173ee = 2; *(uint8_t*)0x2000000173ef = 9; *(uint8_t*)0x2000000173f0 = 5; *(uint8_t*)0x2000000173f1 = 0; *(uint8_t*)0x2000000173f2 = 1; *(uint16_t*)0x2000000173f3 = 0x10; *(uint8_t*)0x2000000173f5 = 0x6c; *(uint8_t*)0x2000000173f6 = 9; *(uint8_t*)0x2000000173f7 = 4; *(uint8_t*)0x2000000173f8 = 0xec; *(uint8_t*)0x2000000173f9 = 0xc; memcpy((void*)0x2000000173fa, "\xcd\x0d\x3c\xe6\xb7\x5c\x2b\x01\xf9\x7f\xcb\x20\xad\xf4\xd9\x9a\x5a\x62\x76\xa0\xa0\x71\x7a\x5c\xbd\xaa\xe5\xbd\xe2\x28\x6c\x78\xf2\x3e\xc6\x52\x7f\xe1\x49\x0d\x74\xcc\xaf\x86\xba\xe7\x1c\x98\x79\xa2\x2f\xb0\x98\xf7\x98\x41\x5a\x42\x10\xa0\x98\xcc\x4d\x76\x58\x35\x30\x19\x71\x89\x91\xbb\x6a\x8d\x77\xa8\xe7\xb5\xd4\x50\x74\x04\xe9\x6f\xf4\x56\x14\xcb\x5c\xda\xd6\x98\x5e\x76\xee\xc5\x2f\xa7\x07\x74\xa8\x0c\xe5\x40\x7b\x62\xd0\x10\x51\x26\x2f\x81\x36\xaa\x68\xc2\x2e\xa4\x11\x5b\x5e\x27\x65\x3c\x40\xa8\x1c\xff\x49\xa1\x3b\xf7\x9d\x59\x9e\x1e\xea\x6f\x2a\xb7\x89\x7c\x71\x65\xb3\x6c\xb6\x83\xa8\x7a\xe0\x79\xd8\xff\x5f\x45\x0d\xdf\xf5\x3f\x2a\x7a\x04\x2d\x07\x32\xf9\x35\x7c\xe2\x3f\xb6\xa1\x31\x0f\x95\x84\xd8\xa7\x55\x7b\x65\x49\x36\xd9\x7d\x49\xbe\x79\x7a\x56\x53\x02\xd1\xe6\x15\xa7\x00\x61\x10\x1f\x01\xcb\x75\x33\x3e\xd4\xfc\x3f\xb9\x83\xe3\x0f\x49\x04\x19\x5e\x25\x3a\x3a\xdd\x43\xbd\x06\x97\x94\xbc\xac\xe6\x38\x63\xb8\xc5\x5b", 234); *(uint8_t*)0x2000000174e4 = 0x31; *(uint8_t*)0x2000000174e5 = 0xe; memcpy((void*)0x2000000174e6, "\xa6\x77\x2f\x60\x53\xbb\xf3\xfb\xcc\x2e\x4b\x92\x79\x4d\xf7\x00\xa7\x49\x93\x08\xd0\x2d\xa8\x07\xf6\x4c\x0b\xb6\xa2\xdf\x53\x5b\x93\x9a\xf7\xa1\xa2\xe9\x86\x82\xe0\x84\x01\x9d\x17\xff\x1e", 47); *(uint8_t*)0x200000017515 = 9; *(uint8_t*)0x200000017516 = 5; *(uint8_t*)0x200000017517 = 7; *(uint8_t*)0x200000017518 = 3; *(uint16_t*)0x200000017519 = 0x400; *(uint8_t*)0x20000001751b = 0xf8; *(uint8_t*)0x20000001751c = 0; *(uint8_t*)0x20000001751d = 3; *(uint8_t*)0x20000001751e = 7; *(uint8_t*)0x20000001751f = 0x25; *(uint8_t*)0x200000017520 = 1; *(uint8_t*)0x200000017521 = 2; *(uint8_t*)0x200000017522 = 5; *(uint16_t*)0x200000017523 = 0x1d2; *(uint8_t*)0x200000017525 = 9; *(uint8_t*)0x200000017526 = 5; *(uint8_t*)0x200000017527 = 0; *(uint8_t*)0x200000017528 = 7; *(uint16_t*)0x200000017529 = 0x400; *(uint8_t*)0x20000001752b = 0x7f; *(uint8_t*)0x20000001752c = 0xf9; *(uint8_t*)0x20000001752d = 0x27; *(uint8_t*)0x20000001752e = 7; *(uint8_t*)0x20000001752f = 0x25; *(uint8_t*)0x200000017530 = 1; *(uint8_t*)0x200000017531 = 0x81; *(uint8_t*)0x200000017532 = 5; *(uint16_t*)0x200000017533 = 0xb57; *(uint8_t*)0x200000017535 = 0x43; *(uint8_t*)0x200000017536 = 0x1a; memcpy((void*)0x200000017537, "\xcb\x18\x23\x8b\x9b\xb4\xf2\xcf\x09\xa9\xe5\x12\xee\x72\x99\x83\x74\x21\xb4\xde\xa8\x53\x0c\x6a\x24\xf7\x22\x29\xb4\xc3\x80\x3d\xb0\xb8\x15\x9c\x4f\xc1\xd0\xc5\x12\xc3\x67\x06\xf7\x26\x52\x83\x9a\xb6\x87\x70\x8e\x60\x65\x3b\xc8\x55\xf3\xef\xc0\x19\x1d\x44\xce", 65); *(uint8_t*)0x200000017578 = 9; *(uint8_t*)0x200000017579 = 5; *(uint8_t*)0x20000001757a = 1; *(uint8_t*)0x20000001757b = 0; *(uint16_t*)0x20000001757c = 0x10; *(uint8_t*)0x20000001757e = 0x5e; *(uint8_t*)0x20000001757f = 1; *(uint8_t*)0x200000017580 = 0x33; *(uint8_t*)0x200000017581 = 7; *(uint8_t*)0x200000017582 = 0x25; *(uint8_t*)0x200000017583 = 1; *(uint8_t*)0x200000017584 = 0x81; *(uint8_t*)0x200000017585 = 0; *(uint16_t*)0x200000017586 = 2; *(uint8_t*)0x200000017588 = 0xa; *(uint8_t*)0x200000017589 = 0xd; memcpy((void*)0x20000001758a, "\x0e\xa8\x35\xcf\x6f\x98\x97\xdd", 8); *(uint8_t*)0x200000017592 = 9; *(uint8_t*)0x200000017593 = 5; *(uint8_t*)0x200000017594 = 2; *(uint8_t*)0x200000017595 = 1; *(uint16_t*)0x200000017596 = 8; *(uint8_t*)0x200000017598 = 8; *(uint8_t*)0x200000017599 = 7; *(uint8_t*)0x20000001759a = 2; *(uint8_t*)0x20000001759b = 7; *(uint8_t*)0x20000001759c = 0x25; *(uint8_t*)0x20000001759d = 1; *(uint8_t*)0x20000001759e = 0x50; *(uint8_t*)0x20000001759f = 0x40; *(uint16_t*)0x2000000175a0 = 0xc590; *(uint8_t*)0x2000000175a2 = 7; *(uint8_t*)0x2000000175a3 = 0x25; *(uint8_t*)0x2000000175a4 = 1; *(uint8_t*)0x2000000175a5 = 3; *(uint8_t*)0x2000000175a6 = 2; *(uint16_t*)0x2000000175a7 = 4; *(uint8_t*)0x2000000175a9 = 9; *(uint8_t*)0x2000000175aa = 5; *(uint8_t*)0x2000000175ab = 2; *(uint8_t*)0x2000000175ac = 2; *(uint16_t*)0x2000000175ad = 0x400; *(uint8_t*)0x2000000175af = 6; *(uint8_t*)0x2000000175b0 = 6; *(uint8_t*)0x2000000175b1 = 7; *(uint8_t*)0x2000000175b2 = 9; *(uint8_t*)0x2000000175b3 = 5; *(uint8_t*)0x2000000175b4 = 2; *(uint8_t*)0x2000000175b5 = 3; *(uint16_t*)0x2000000175b6 = 0x200; *(uint8_t*)0x2000000175b8 = 0xe; *(uint8_t*)0x2000000175b9 = 4; *(uint8_t*)0x2000000175ba = 4; *(uint8_t*)0x2000000175bb = 5; *(uint8_t*)0x2000000175bc = 0x11; memcpy((void*)0x2000000175bd, "\xb9\xf5\xe7", 3); *(uint8_t*)0x2000000175c0 = 7; *(uint8_t*)0x2000000175c1 = 0x25; *(uint8_t*)0x2000000175c2 = 1; *(uint8_t*)0x2000000175c3 = 0x40; *(uint8_t*)0x2000000175c4 = 6; *(uint16_t*)0x2000000175c5 = 6; *(uint8_t*)0x2000000175c7 = 9; *(uint8_t*)0x2000000175c8 = 5; *(uint8_t*)0x2000000175c9 = 3; *(uint8_t*)0x2000000175ca = 0x10; *(uint16_t*)0x2000000175cb = 0; *(uint8_t*)0x2000000175cd = 0x8a; *(uint8_t*)0x2000000175ce = 7; *(uint8_t*)0x2000000175cf = 8; *(uint8_t*)0x2000000175d0 = 7; *(uint8_t*)0x2000000175d1 = 0x25; *(uint8_t*)0x2000000175d2 = 1; *(uint8_t*)0x2000000175d3 = 0x81; *(uint8_t*)0x2000000175d4 = 9; *(uint16_t*)0x2000000175d5 = 4; *(uint8_t*)0x2000000175d7 = 7; *(uint8_t*)0x2000000175d8 = 0x25; *(uint8_t*)0x2000000175d9 = 1; *(uint8_t*)0x2000000175da = 3; *(uint8_t*)0x2000000175db = 0x73; *(uint16_t*)0x2000000175dc = 0x1ff; *(uint8_t*)0x2000000175de = 9; *(uint8_t*)0x2000000175df = 5; *(uint8_t*)0x2000000175e0 = 3; *(uint8_t*)0x2000000175e1 = 2; *(uint16_t*)0x2000000175e2 = 0x40; *(uint8_t*)0x2000000175e4 = 4; *(uint8_t*)0x2000000175e5 = 8; *(uint8_t*)0x2000000175e6 = 4; *(uint8_t*)0x2000000175e7 = 7; *(uint8_t*)0x2000000175e8 = 0x25; *(uint8_t*)0x2000000175e9 = 1; *(uint8_t*)0x2000000175ea = 0; *(uint8_t*)0x2000000175eb = 0; *(uint16_t*)0x2000000175ec = 0xd; *(uint8_t*)0x2000000175ee = 9; *(uint8_t*)0x2000000175ef = 5; *(uint8_t*)0x2000000175f0 = 6; *(uint8_t*)0x2000000175f1 = 0x10; *(uint16_t*)0x2000000175f2 = 0x200; *(uint8_t*)0x2000000175f4 = 3; *(uint8_t*)0x2000000175f5 = 7; *(uint8_t*)0x2000000175f6 = 0; *(uint8_t*)0x2000000175f7 = 0x4e; *(uint8_t*)0x2000000175f8 = 0x21; memcpy((void*)0x2000000175f9, "\xde\x21\x8d\xdf\x30\x78\xa6\xfb\xd8\x6d\x42\x57\x31\x33\x4b\xc4\x6c\xce\x8c\xf5\x19\xb9\xce\xf7\xc4\x17\x70\x3a\xc6\xb7\xc8\xd9\x19\xdf\x45\xea\x16\xb8\x08\x90\x69\xbb\xf3\x4f\x03\xab\xe7\x52\xc1\xee\x7d\x7e\x03\xa0\x86\x37\xbc\xdc\x17\xd4\xcf\x34\xc2\x75\x6e\xda\x9f\xbf\x09\xfd\xfc\xfc\xa3\x05\x28\x59", 76); *(uint8_t*)0x200000017645 = 9; *(uint8_t*)0x200000017646 = 5; *(uint8_t*)0x200000017647 = 7; *(uint8_t*)0x200000017648 = 2; *(uint16_t*)0x200000017649 = 0x400; *(uint8_t*)0x20000001764b = 6; *(uint8_t*)0x20000001764c = 8; *(uint8_t*)0x20000001764d = 0; *(uint8_t*)0x20000001764e = 9; *(uint8_t*)0x20000001764f = 4; *(uint8_t*)0x200000017650 = 0xb9; *(uint8_t*)0x200000017651 = 8; *(uint8_t*)0x200000017652 = 3; *(uint8_t*)0x200000017653 = 0x5b; *(uint8_t*)0x200000017654 = 0x5d; *(uint8_t*)0x200000017655 = 0x4c; *(uint8_t*)0x200000017656 = 0xbf; *(uint8_t*)0x200000017657 = 9; *(uint8_t*)0x200000017658 = 5; *(uint8_t*)0x200000017659 = 5; *(uint8_t*)0x20000001765a = 0; *(uint16_t*)0x20000001765b = 0x400; *(uint8_t*)0x20000001765d = 9; *(uint8_t*)0x20000001765e = 5; *(uint8_t*)0x20000001765f = 0; *(uint8_t*)0x200000017660 = 9; *(uint8_t*)0x200000017661 = 5; *(uint8_t*)0x200000017662 = 0xe; *(uint8_t*)0x200000017663 = 4; *(uint16_t*)0x200000017664 = 0x10; *(uint8_t*)0x200000017666 = 0xf9; *(uint8_t*)0x200000017667 = 0xea; *(uint8_t*)0x200000017668 = 2; *(uint8_t*)0x200000017669 = 9; *(uint8_t*)0x20000001766a = 5; *(uint8_t*)0x20000001766b = 6; *(uint8_t*)0x20000001766c = 0x10; *(uint16_t*)0x20000001766d = 0x20; *(uint8_t*)0x20000001766f = 0xee; *(uint8_t*)0x200000017670 = 0xbf; *(uint8_t*)0x200000017671 = 4; *(uint8_t*)0x200000017672 = 7; *(uint8_t*)0x200000017673 = 0x25; *(uint8_t*)0x200000017674 = 1; *(uint8_t*)0x200000017675 = 0; *(uint8_t*)0x200000017676 = 9; *(uint16_t*)0x200000017677 = 0xc7; *(uint8_t*)0x200000017679 = 7; *(uint8_t*)0x20000001767a = 0x25; *(uint8_t*)0x20000001767b = 1; *(uint8_t*)0x20000001767c = 0x80; *(uint8_t*)0x20000001767d = 5; *(uint16_t*)0x20000001767e = 6; *(uint32_t*)0x200000017780 = 0xa; *(uint64_t*)0x200000017784 = 0x200000017680; *(uint8_t*)0x200000017680 = 0xa; *(uint8_t*)0x200000017681 = 6; *(uint16_t*)0x200000017682 = 0x300; *(uint8_t*)0x200000017684 = 8; *(uint8_t*)0x200000017685 = 4; *(uint8_t*)0x200000017686 = 4; *(uint8_t*)0x200000017687 = 0x10; *(uint8_t*)0x200000017688 = 3; *(uint8_t*)0x200000017689 = 0; *(uint32_t*)0x20000001778c = 5; *(uint64_t*)0x200000017790 = 0x2000000176c0; *(uint8_t*)0x2000000176c0 = 5; *(uint8_t*)0x2000000176c1 = 0xf; *(uint16_t*)0x2000000176c2 = 5; *(uint8_t*)0x2000000176c4 = 0; *(uint32_t*)0x200000017798 = 2; *(uint32_t*)0x20000001779c = 4; *(uint64_t*)0x2000000177a0 = 0x200000017700; *(uint8_t*)0x200000017700 = 4; *(uint8_t*)0x200000017701 = 3; *(uint16_t*)0x200000017702 = 0x41c; *(uint32_t*)0x2000000177a8 = 4; *(uint64_t*)0x2000000177ac = 0x200000017740; *(uint8_t*)0x200000017740 = 4; *(uint8_t*)0x200000017741 = 3; *(uint16_t*)0x200000017742 = 0x425; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0x840, /*dev=*/0x200000016e40, /*conn_descs=*/0x200000017780); if (res != -1) r[53] = res; break; case 75: *(uint8_t*)0x2000000177c0 = 0x12; *(uint8_t*)0x2000000177c1 = 1; *(uint16_t*)0x2000000177c2 = 0x200; *(uint8_t*)0x2000000177c4 = -1; *(uint8_t*)0x2000000177c5 = -1; *(uint8_t*)0x2000000177c6 = -1; *(uint8_t*)0x2000000177c7 = 0x40; *(uint16_t*)0x2000000177c8 = 0xcf3; *(uint16_t*)0x2000000177ca = 0x9271; *(uint16_t*)0x2000000177cc = 0x108; *(uint8_t*)0x2000000177ce = 1; *(uint8_t*)0x2000000177cf = 2; *(uint8_t*)0x2000000177d0 = 3; *(uint8_t*)0x2000000177d1 = 1; *(uint8_t*)0x2000000177d2 = 9; *(uint8_t*)0x2000000177d3 = 2; *(uint16_t*)0x2000000177d4 = 0x48; *(uint8_t*)0x2000000177d6 = 1; *(uint8_t*)0x2000000177d7 = 1; *(uint8_t*)0x2000000177d8 = 0; *(uint8_t*)0x2000000177d9 = 0x80; *(uint8_t*)0x2000000177da = 0xfa; *(uint8_t*)0x2000000177db = 9; *(uint8_t*)0x2000000177dc = 4; *(uint8_t*)0x2000000177dd = 0; *(uint8_t*)0x2000000177de = 0; *(uint8_t*)0x2000000177df = 6; *(uint8_t*)0x2000000177e0 = -1; *(uint8_t*)0x2000000177e1 = 0; *(uint8_t*)0x2000000177e2 = 0; *(uint8_t*)0x2000000177e3 = 0; *(uint8_t*)0x2000000177e4 = 9; *(uint8_t*)0x2000000177e5 = 5; *(uint8_t*)0x2000000177e6 = 1; *(uint8_t*)0x2000000177e7 = 2; *(uint16_t*)0x2000000177e8 = 0x200; *(uint8_t*)0x2000000177ea = 0; *(uint8_t*)0x2000000177eb = 0; *(uint8_t*)0x2000000177ec = 0; *(uint8_t*)0x2000000177ed = 9; *(uint8_t*)0x2000000177ee = 5; *(uint8_t*)0x2000000177ef = 0x82; *(uint8_t*)0x2000000177f0 = 2; *(uint16_t*)0x2000000177f1 = 0x200; *(uint8_t*)0x2000000177f3 = 0; *(uint8_t*)0x2000000177f4 = 0; *(uint8_t*)0x2000000177f5 = 0; *(uint8_t*)0x2000000177f6 = 9; *(uint8_t*)0x2000000177f7 = 5; *(uint8_t*)0x2000000177f8 = 0x83; *(uint8_t*)0x2000000177f9 = 3; *(uint16_t*)0x2000000177fa = 0x40; *(uint8_t*)0x2000000177fc = 1; *(uint8_t*)0x2000000177fd = 0; *(uint8_t*)0x2000000177fe = 0; *(uint8_t*)0x2000000177ff = 9; *(uint8_t*)0x200000017800 = 5; *(uint8_t*)0x200000017801 = 4; *(uint8_t*)0x200000017802 = 3; *(uint16_t*)0x200000017803 = 0x40; *(uint8_t*)0x200000017805 = 1; *(uint8_t*)0x200000017806 = 0; *(uint8_t*)0x200000017807 = 0; *(uint8_t*)0x200000017808 = 9; *(uint8_t*)0x200000017809 = 5; *(uint8_t*)0x20000001780a = 5; *(uint8_t*)0x20000001780b = 2; *(uint16_t*)0x20000001780c = 0x200; *(uint8_t*)0x20000001780e = 0; *(uint8_t*)0x20000001780f = 0; *(uint8_t*)0x200000017810 = 0; *(uint8_t*)0x200000017811 = 9; *(uint8_t*)0x200000017812 = 5; *(uint8_t*)0x200000017813 = 6; *(uint8_t*)0x200000017814 = 2; *(uint16_t*)0x200000017815 = 0x200; *(uint8_t*)0x200000017817 = 0; *(uint8_t*)0x200000017818 = 0; *(uint8_t*)0x200000017819 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x2000000177c0, /*conn_descs=*/0); if (res != -1) r[54] = res; break; case 76: *(uint32_t*)0x200000017a80 = 0x2c; *(uint64_t*)0x200000017a84 = 0x200000017840; *(uint8_t*)0x200000017840 = 0; *(uint8_t*)0x200000017841 = 1; *(uint32_t*)0x200000017842 = 0x101; *(uint8_t*)0x200000017846 = 1; *(uint8_t*)0x200000017847 = 0xa; memcpy((void*)0x200000017848, "\x36\x81\xdb\x17\x60\xf4\x76\xd1\x61\xe6\x33\x1a\xf0\x01\xdf\xf2\x60\xea\x6b\x4a\x4c\xea\x60\x97\xec\xb1\x95\x8b\x59\xfa\xab\x7a\x90\x28\x48\xc2\x62\xa0\xbb\x7b\xb0\x04\xa6\x45\x44\x44\xf3\x91\x14\x41\x63\x99\xcc\x7a\x71\xe7\x15\x47\xc5\x6a\x02\xf1\x33\x90\x7f\x22\xc3\xf1\x2c\xed\x90\xa4\xd6\xae\x9f\xf8\xfd\x98\xb3\xe7\xcd\x83\xd8\x74\x5c\x64\x92\x89\xb5\xfd\x78\xf7\x06\x85\x9e\x15\x21\x48\xd7\x6f\x8f\x0d\x0f\xa0\x49\x83\x43\x65\xbe\x85\xce\x2b\x50\x35\x87\x58\xa9\x0b\x57\x33\x9c\x87\x44\x57\x41\x0a\xe2\x77\xd2\xb1\x18\xf3\x84\x27\xa9\x32\xa2\xc7\xca\xcc\x09\xae\xd3\xee\x57\x30\x79\x3f\x36\xdc\xe0\xed\x57\xb9\xc6\x5f\xf6\x3c\x7e\xb7\xeb\xbf\xeb\xe9\x09\x4e\x08\x53\x05\x1b\x9f\x3d\xfa\xf6\xc2\xab\x61\x26\x5b\x3a\xf1\xf3\x48\x72\x56\x9f\xf3\xe0\x4b\x2e\xc1\xef\x09\xa3\x69\x2a\x88\x29\x2f\xfa\x38\xb8\x51\xe6\xfe\x03\x1a\x70\xa5\x51\xe8\x84\x4b\x16\xd1\x38\xce\x12\x6c\xe0\x41\x95\x71\xf4\x34\x9a\xee\x23\x7a\x2b\xf6\xfc\x52\xcb\x78\xf2\x6f\x30\xc9\x36\x90\x2d\x7f\x29\xd3\xa5\x61\x5d\xad\x86\xe4\xc6\x9c\xa0\x3f", 255); *(uint64_t*)0x200000017a8c = 0x200000017980; *(uint8_t*)0x200000017980 = 0; *(uint8_t*)0x200000017981 = 3; *(uint32_t*)0x200000017982 = 4; *(uint8_t*)0x200000017986 = 4; *(uint8_t*)0x200000017987 = 3; *(uint16_t*)0x200000017988 = 0x4c0a; *(uint64_t*)0x200000017a94 = 0x2000000179c0; *(uint8_t*)0x2000000179c0 = 0; *(uint8_t*)0x2000000179c1 = 0xf; *(uint32_t*)0x2000000179c2 = 5; *(uint8_t*)0x2000000179c6 = 5; *(uint8_t*)0x2000000179c7 = 0xf; *(uint16_t*)0x2000000179c8 = 5; *(uint8_t*)0x2000000179ca = 0; *(uint64_t*)0x200000017a9c = 0x200000017a00; *(uint8_t*)0x200000017a00 = 0x20; *(uint8_t*)0x200000017a01 = 0x29; *(uint32_t*)0x200000017a02 = 0xf; *(uint8_t*)0x200000017a06 = 0xf; *(uint8_t*)0x200000017a07 = 0x29; *(uint8_t*)0x200000017a08 = 0xeb; *(uint16_t*)0x200000017a09 = 0x10; *(uint8_t*)0x200000017a0b = 0x81; *(uint8_t*)0x200000017a0c = 0xc; memcpy((void*)0x200000017a0d, "\xe7\x67\x46\xf0", 4); memcpy((void*)0x200000017a11, "\xf1\x92\x76\xa0", 4); *(uint64_t*)0x200000017aa4 = 0x200000017a40; *(uint8_t*)0x200000017a40 = 0x20; *(uint8_t*)0x200000017a41 = 0x2a; *(uint32_t*)0x200000017a42 = 0xc; *(uint8_t*)0x200000017a46 = 0xc; *(uint8_t*)0x200000017a47 = 0x2a; *(uint8_t*)0x200000017a48 = 0xd; *(uint16_t*)0x200000017a49 = 2; *(uint8_t*)0x200000017a4b = 8; *(uint8_t*)0x200000017a4c = 0xe; *(uint8_t*)0x200000017a4d = 7; *(uint16_t*)0x200000017a4e = 8; *(uint16_t*)0x200000017a50 = 0x515; *(uint32_t*)0x200000017ec0 = 0x84; *(uint64_t*)0x200000017ec4 = 0x200000017ac0; *(uint8_t*)0x200000017ac0 = 0x40; *(uint8_t*)0x200000017ac1 = 0x17; *(uint32_t*)0x200000017ac2 = 0x1e; memcpy((void*)0x200000017ac6, "\x63\xfd\x64\x0c\x63\xa3\xd4\x0d\x56\xed\xf6\x4a\xcb\x10\x36\xdf\x01\xc3\x7d\xff\x2b\x11\xb8\xbd\x6d\xce\x4f\x20\xb2\xce", 30); *(uint64_t*)0x200000017ecc = 0x200000017b00; *(uint8_t*)0x200000017b00 = 0; *(uint8_t*)0x200000017b01 = 0xa; *(uint32_t*)0x200000017b02 = 1; *(uint8_t*)0x200000017b06 = 0xfd; *(uint64_t*)0x200000017ed4 = 0x200000017b40; *(uint8_t*)0x200000017b40 = 0; *(uint8_t*)0x200000017b41 = 8; *(uint32_t*)0x200000017b42 = 1; *(uint8_t*)0x200000017b46 = 5; *(uint64_t*)0x200000017edc = 0x200000017b80; *(uint8_t*)0x200000017b80 = 0x20; *(uint8_t*)0x200000017b81 = 0; *(uint32_t*)0x200000017b82 = 4; *(uint16_t*)0x200000017b86 = 1; *(uint16_t*)0x200000017b88 = 1; *(uint64_t*)0x200000017ee4 = 0x200000017bc0; *(uint8_t*)0x200000017bc0 = 0x20; *(uint8_t*)0x200000017bc1 = 0; *(uint32_t*)0x200000017bc2 = 8; *(uint16_t*)0x200000017bc6 = 0x80; *(uint16_t*)0x200000017bc8 = 1; *(uint32_t*)0x200000017bca = 0xf00f; *(uint64_t*)0x200000017eec = 0x200000017c00; *(uint8_t*)0x200000017c00 = 0x40; *(uint8_t*)0x200000017c01 = 7; *(uint32_t*)0x200000017c02 = 2; *(uint16_t*)0x200000017c06 = 2; *(uint64_t*)0x200000017ef4 = 0x200000017c40; *(uint8_t*)0x200000017c40 = 0x40; *(uint8_t*)0x200000017c41 = 9; *(uint32_t*)0x200000017c42 = 1; *(uint8_t*)0x200000017c46 = 6; *(uint64_t*)0x200000017efc = 0x200000017c80; *(uint8_t*)0x200000017c80 = 0x40; *(uint8_t*)0x200000017c81 = 0xb; *(uint32_t*)0x200000017c82 = 2; memcpy((void*)0x200000017c86, "\xdd\x91", 2); *(uint64_t*)0x200000017f04 = 0x200000017cc0; *(uint8_t*)0x200000017cc0 = 0x40; *(uint8_t*)0x200000017cc1 = 0xf; *(uint32_t*)0x200000017cc2 = 2; *(uint16_t*)0x200000017cc6 = 1; *(uint64_t*)0x200000017f0c = 0x200000017d00; *(uint8_t*)0x200000017d00 = 0x40; *(uint8_t*)0x200000017d01 = 0x13; *(uint32_t*)0x200000017d02 = 6; memset((void*)0x200000017d06, 187, 6); *(uint64_t*)0x200000017f14 = 0x200000017d40; *(uint8_t*)0x200000017d40 = 0x40; *(uint8_t*)0x200000017d41 = 0x17; *(uint32_t*)0x200000017d42 = 6; memset((void*)0x200000017d46, 170, 5); *(uint8_t*)0x200000017d4b = 0xaa; *(uint64_t*)0x200000017f1c = 0x200000017d80; *(uint8_t*)0x200000017d80 = 0x40; *(uint8_t*)0x200000017d81 = 0x19; *(uint32_t*)0x200000017d82 = 2; memcpy((void*)0x200000017d86, "\x73\xdc", 2); *(uint64_t*)0x200000017f24 = 0x200000017dc0; *(uint8_t*)0x200000017dc0 = 0x40; *(uint8_t*)0x200000017dc1 = 0x1a; *(uint32_t*)0x200000017dc2 = 2; *(uint16_t*)0x200000017dc6 = 8; *(uint64_t*)0x200000017f2c = 0x200000017e00; *(uint8_t*)0x200000017e00 = 0x40; *(uint8_t*)0x200000017e01 = 0x1c; *(uint32_t*)0x200000017e02 = 1; *(uint8_t*)0x200000017e06 = 0x81; *(uint64_t*)0x200000017f34 = 0x200000017e40; *(uint8_t*)0x200000017e40 = 0x40; *(uint8_t*)0x200000017e41 = 0x1e; *(uint32_t*)0x200000017e42 = 1; *(uint8_t*)0x200000017e46 = 0; *(uint64_t*)0x200000017f3c = 0x200000017e80; *(uint8_t*)0x200000017e80 = 0x40; *(uint8_t*)0x200000017e81 = 0x21; *(uint32_t*)0x200000017e82 = 1; *(uint8_t*)0x200000017e86 = 0x7f; syz_usb_control_io(/*fd=*/r[53], /*descs=*/0x200000017a80, /*resps=*/0x200000017ec0); break; case 77: syz_usb_disconnect(/*fd=*/r[53]); break; case 78: syz_usb_ep_read(/*fd=*/r[54], /*ep=*/0xb, /*len=*/0x6c, /*data=*/0x200000017f80); break; case 79: *(uint8_t*)0x200000018000 = 0x12; *(uint8_t*)0x200000018001 = 1; *(uint16_t*)0x200000018002 = 0x201; *(uint8_t*)0x200000018004 = 0; *(uint8_t*)0x200000018005 = 0; *(uint8_t*)0x200000018006 = 0; *(uint8_t*)0x200000018007 = 0x40; *(uint16_t*)0x200000018008 = 0x3f0; *(uint16_t*)0x20000001800a = 4; *(uint16_t*)0x20000001800c = 0x40; *(uint8_t*)0x20000001800e = 1; *(uint8_t*)0x20000001800f = 2; *(uint8_t*)0x200000018010 = 3; *(uint8_t*)0x200000018011 = 1; *(uint8_t*)0x200000018012 = 9; *(uint8_t*)0x200000018013 = 2; *(uint16_t*)0x200000018014 = 0x24; *(uint8_t*)0x200000018016 = 1; *(uint8_t*)0x200000018017 = 1; *(uint8_t*)0x200000018018 = 0xba; *(uint8_t*)0x200000018019 = 0x80; *(uint8_t*)0x20000001801a = 1; *(uint8_t*)0x20000001801b = 9; *(uint8_t*)0x20000001801c = 4; *(uint8_t*)0x20000001801d = 0; *(uint8_t*)0x20000001801e = 7; *(uint8_t*)0x20000001801f = 1; *(uint8_t*)0x200000018020 = 7; *(uint8_t*)0x200000018021 = 1; *(uint8_t*)0x200000018022 = 3; *(uint8_t*)0x200000018023 = 5; *(uint8_t*)0x200000018024 = 9; *(uint8_t*)0x200000018025 = 5; *(uint8_t*)0x200000018026 = 1; *(uint8_t*)0x200000018027 = 2; *(uint16_t*)0x200000018028 = 8; *(uint8_t*)0x20000001802a = 4; *(uint8_t*)0x20000001802b = 2; *(uint8_t*)0x20000001802c = 0xc9; *(uint8_t*)0x20000001802d = 9; *(uint8_t*)0x20000001802e = 5; *(uint8_t*)0x20000001802f = 0x82; *(uint8_t*)0x200000018030 = 2; *(uint16_t*)0x200000018031 = 0x20; *(uint8_t*)0x200000018033 = 0xfb; *(uint8_t*)0x200000018034 = 1; *(uint8_t*)0x200000018035 = 0xf; *(uint32_t*)0x200000018180 = 0xa; *(uint64_t*)0x200000018184 = 0x200000018040; *(uint8_t*)0x200000018040 = 0xa; *(uint8_t*)0x200000018041 = 6; *(uint16_t*)0x200000018042 = 0x300; *(uint8_t*)0x200000018044 = 0x4c; *(uint8_t*)0x200000018045 = 3; *(uint8_t*)0x200000018046 = 0x7f; *(uint8_t*)0x200000018047 = 0x20; *(uint8_t*)0x200000018048 = 0x81; *(uint8_t*)0x200000018049 = 0; *(uint32_t*)0x20000001818c = 0x2b; *(uint64_t*)0x200000018190 = 0x200000018080; *(uint8_t*)0x200000018080 = 5; *(uint8_t*)0x200000018081 = 0xf; *(uint16_t*)0x200000018082 = 0x2b; *(uint8_t*)0x200000018084 = 4; *(uint8_t*)0x200000018085 = 0xb; *(uint8_t*)0x200000018086 = 0x10; *(uint8_t*)0x200000018087 = 1; *(uint8_t*)0x200000018088 = 0xc; *(uint16_t*)0x200000018089 = 0x2c; *(uint8_t*)0x20000001808b = 6; *(uint8_t*)0x20000001808c = 0x60; *(uint16_t*)0x20000001808d = 0x64; *(uint8_t*)0x20000001808f = 4; *(uint8_t*)0x200000018090 = 0xa; *(uint8_t*)0x200000018091 = 0x10; *(uint8_t*)0x200000018092 = 3; *(uint8_t*)0x200000018093 = 0; *(uint16_t*)0x200000018094 = 6; *(uint8_t*)0x200000018096 = 7; *(uint8_t*)0x200000018097 = 1; *(uint16_t*)0x200000018098 = 0x680; *(uint8_t*)0x20000001809a = 7; *(uint8_t*)0x20000001809b = 0x10; *(uint8_t*)0x20000001809c = 2; STORE_BY_BITMASK(uint32_t, , 0x20000001809d, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809e, 2, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20000001809f, 3, 0, 16); *(uint8_t*)0x2000000180a1 = 0xa; *(uint8_t*)0x2000000180a2 = 0x10; *(uint8_t*)0x2000000180a3 = 3; *(uint8_t*)0x2000000180a4 = 0; *(uint16_t*)0x2000000180a5 = 0xc; *(uint8_t*)0x2000000180a7 = 5; *(uint8_t*)0x2000000180a8 = 0xd4; *(uint16_t*)0x2000000180a9 = 0x21bb; *(uint32_t*)0x200000018198 = 2; *(uint32_t*)0x20000001819c = 0x55; *(uint64_t*)0x2000000181a0 = 0x2000000180c0; *(uint8_t*)0x2000000180c0 = 0x55; *(uint8_t*)0x2000000180c1 = 3; memcpy((void*)0x2000000180c2, "\x8a\x42\x34\x83\x1e\x88\x88\xae\xdd\x9a\xd2\x2d\x4f\x28\x93\x8c\xda\x9a\xa9\xa9\x00\x03\x7c\x31\x1c\xae\x82\xfd\x23\x1c\xaa\x31\x27\x95\xc2\xb2\xf7\x47\xf7\xbe\xdc\x80\x7a\x10\x65\x2d\xcf\x37\x9d\xa0\x7e\xbe\x96\x35\x31\x02\x75\xc1\xf0\xed\x95\x6d\xa6\x4d\xf9\x8a\xf4\xea\x23\x9c\x45\x2a\xa8\x5b\x31\x1b\x94\xd4\x71\xe9\xd3\x42\x3a", 83); *(uint32_t*)0x2000000181a8 = 4; *(uint64_t*)0x2000000181ac = 0x200000018140; *(uint8_t*)0x200000018140 = 4; *(uint8_t*)0x200000018141 = 3; *(uint16_t*)0x200000018142 = 0x83e; res = -1; res = syz_usb_connect(/*speed=USB_SPEED_FULL*/2, /*dev_len=*/0x36, /*dev=*/0x200000018000, /*conn_descs=*/0x200000018180); if (res != -1) r[55] = res; break; case 80: memcpy((void*)0x2000000181c0, "\xc9\xde\x81\xd2\xb7\xfd\x1d\x65\x61\x0b\x40\x83\xb8\x98\x28\xa1\xee\xb3\xc1\xfe\x78\xe8\x02\xb8\x7b\xca\xd5\x22\x05\xe7\xf4\xd5\x77\x30\x25\xc8\xc9\x2c\xf0\x09\x17\x1f\x12\x78\x8a\xa9\xaf\xbf\x01\x67\x11\x26\x93\xc5\x62\x5e\xec\xd4\x33\xf1\xb0\xed\x30\xd3\xef\x61\x94\xf9\xaf\xe3\x63\xc1\x33\x4d\xf3\x56\xe2\x61\xdc\x73\xf0\x7c\xac\x0e\x40\xa0\x34\x8c\x52\x25\x7f\x14\xf9\xa9\xf6\x0d\x56\x98\x35\x20\x69\xee\xd4\x6e\xf1\x0f\x4a\x97\xb1\x56\x0f\x76\x05\xb0\xaa\x63\x19\x49\xaf\x14\x35\x4c\x1a\xca\xbb\x76\x86\x09\xd1\x22\x46\x6f\x68\x49\x10\x29\x36\xf4\x00\x1d\x18\x01\x5d\xf4\x28\x57\x0b\x6e\x59\x75\x9b\x75\xe7\x23\xb1\xe6\x12\x80\x0b\x56\xea\x89\xa5\x5d\x2c\x63\x78", 167); syz_usb_ep_write(/*fd=*/r[55], /*ep=*/4, /*len=*/0xa7, /*data=*/0x2000000181c0); break; case 81: syz_usbip_server_init(/*speed=USB_SPEED_SUPER*/5); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); loop(); return 0; } : In function 'execute_call': :6014:17: error: '__NR_socketcall' undeclared (first use in this function) :6014:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor675430828 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/21 (1.31s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/3 (1.35s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/20 (1.40s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/33 (1.43s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/2 (1.44s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/16 (0.99s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/4 (1.48s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/32 (1.50s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/15 (1.05s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/8 (1.52s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/12 (0.98s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/23 (0.82s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/19 (0.70s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/18 (0.67s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/10 (0.86s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/11 (1.09s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/0 (1.59s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/26 (1.58s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/22 (1.58s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/28 (1.58s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/9 (1.60s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/14 (0.92s) csource_test.go:155: FAIL FAIL github.com/google/syzkaller/pkg/csource 36.445s ok github.com/google/syzkaller/pkg/db (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email 0.091s ok github.com/google/syzkaller/pkg/email/lore 0.042s ok github.com/google/syzkaller/pkg/flatrpc (cached) ok github.com/google/syzkaller/pkg/fuzzer 14.934s ok github.com/google/syzkaller/pkg/fuzzer/queue (cached) ok github.com/google/syzkaller/pkg/gce (cached) ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ok github.com/google/syzkaller/pkg/gerrit (cached) ok github.com/google/syzkaller/pkg/hash (cached) ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages 0.142s ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ok github.com/google/syzkaller/pkg/ifuzz/riscv64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/riscv64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/riscv64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image (cached) ok github.com/google/syzkaller/pkg/instance (cached) ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest (cached) ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager (cached) ok github.com/google/syzkaller/pkg/manager/diff (cached) ok github.com/google/syzkaller/pkg/mgrconfig 2.264s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 6.265s ok github.com/google/syzkaller/pkg/report/crash (cached) ok github.com/google/syzkaller/pkg/repro (cached) ok github.com/google/syzkaller/pkg/rpcserver 9.774s ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest (cached) ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool (cached) ? github.com/google/syzkaller/pkg/updater [no test files] ok github.com/google/syzkaller/pkg/validator (cached) ok github.com/google/syzkaller/pkg/vcs 7.078s ok github.com/google/syzkaller/pkg/vminfo (cached) ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux (cached) ok github.com/google/syzkaller/sys/netbsd (cached) ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/syz-agent [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-cluster/controller (cached) ok github.com/google/syzkaller/syz-cluster/dashboard (cached) ok github.com/google/syzkaller/syz-cluster/email-reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ? github.com/google/syzkaller/syz-cluster/pkg/app [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller (cached) ok github.com/google/syzkaller/syz-cluster/pkg/db (cached) ok github.com/google/syzkaller/syz-cluster/pkg/emailclient (cached) ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig (cached) ok github.com/google/syzkaller/syz-cluster/pkg/report (cached) ok github.com/google/syzkaller/syz-cluster/pkg/reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/triage (cached) ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker (cached) ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/build [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz (cached) ? github.com/google/syzkaller/syz-cluster/workflow/triage [no test files] ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager (cached) ? github.com/google/syzkaller/tools/arm64 [no test files] ? github.com/google/syzkaller/tools/clang [no test files] ? github.com/google/syzkaller/tools/clang/codesearch [no test files] ? github.com/google/syzkaller/tools/clang/declextract [no test files] ? github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? github.com/google/syzkaller/tools/syz-aflow [no test files] ? github.com/google/syzkaller/tools/syz-base-commit [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-codesearch [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db (cached) ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract (cached) ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-gemini-seed [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen (cached) ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf 0.752s ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed (cached) ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 22.043s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher (cached) ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated 0.759s ok github.com/google/syzkaller/vm/proxyapp 3.347s ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/virtualbox [no test files] ok github.com/google/syzkaller/vm/vmimpl 0.830s ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL