ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.009s ok github.com/google/syzkaller/pkg/ast 0.939s ok github.com/google/syzkaller/pkg/bisect 4.783s ok github.com/google/syzkaller/pkg/build 3.742s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 2.224s ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/cover 4.832s --- FAIL: TestGenerate (5.37s) --- FAIL: TestGenerate/linux/386 (0.89s) csource_test.go:66: seed=1596839843198335882 --- FAIL: TestGenerate/linux/386/23 (0.38s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/24 (0.38s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/1 (0.38s) csource_test.go:120: --- FAIL: TestGenerate/linux/386/3 (0.38s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, 
&(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = 
mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') 
syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, {&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, 
"26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 
0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, 
{{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, "25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 
0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, "2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, 
@format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, &(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, 
"61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, "bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, 
{{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) 
syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) 
- 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case 
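BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// Pseudo-syscall: memcpy(a0 + a1, a2 + a3, a4).
// a0/a2 are the destination/source base addresses, a1/a3 are truncated to
// 32-bit offsets, a4 is the byte count. Returns memcpy()'s result (the
// destination pointer) cast to long. No bounds are checked here.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30

// Capacity limits of the per-device descriptor index below.
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus the handle stored by set_interface().
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface/alternate setting and the endpoints that follow it in the blob.
struct usb_iface_index {
	struct usb_interface_descriptor* iface; // points into the caller's descriptor buffer
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Parsed view of a device + configuration descriptor blob.
struct usb_device_index {
	struct usb_device_descriptor* dev; // points into the caller's descriptor buffer
	struct usb_config_descriptor* config; // points into the caller's descriptor buffer
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length; // blob length minus the device descriptor
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur; // index into ifaces[], -1 until set_interface() selects one
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Static storage, so every slot starts zeroed (fd == 0, empty index).
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Builds `index` from a raw descriptor blob of `length` bytes.
// The blob must hold at least a device descriptor followed by a configuration
// descriptor; otherwise false is returned and `index` is left untouched.
// index->dev / index->config / ifaces[].iface keep pointing into `buffer`, so
// the buffer has to outlive the index. Interfaces beyond USB_MAX_IFACE_NUM and
// endpoints beyond USB_MAX_EP_NUM per interface are ignored.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	// Walk the (bLength, bDescriptorType, ...) records from the start of the blob.
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		// A record shorter than its own 2-byte header would never advance.
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		// NOTE(review): only desc_length is checked against `length`; the field
		// reads and the fixed-size memcpy below use the full struct size, so a
		// short record at the end of the blob is read a few bytes past `length`.
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints are attached to the most recently seen interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Reserves the next usb_devices[] slot for `fd` and parses `dev` into it.
// Returns the slot's index, or NULL when all USB_MAX_FDS slots were already
// handed out or the blob is too short. The counter is never decremented in the
// code shown here, so a failed parse still consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Publish fd last (release) so lookup_usb_index() (acquire) sees a filled index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index registered for `fd`, or NULL.
// All USB_MAX_FDS slots are scanned; slots that were never filled still hold
// fd == 0, so fd 0 matches an unused slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// Caller-supplied string descriptor (length + pointer).
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional extra descriptors used while answering requests during connect.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor: bLength 8, USB_DT_STRING, UTF-16LE "syz".
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

// Fallback string descriptor 0: a single language id, 0x0409.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the reply for a device-to-host control request seen during connect.
// Only standard GET_DESCRIPTOR requests are answered; the descriptor type is
// the high byte of wValue. On success *response_data / *response_length
// describe the reply and true is returned; false means "no reply" (the caller
// in this file stalls EP0). `descs` may be NULL: string requests then fall back
// to the defaults, a device qualifier is synthesized and BOS is rejected.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// Low byte of wValue is the string index.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// The STRING case tolerates descs == NULL, so do the same here
				// instead of dereferencing a NULL pointer.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: derive one from the DEVICE descriptor.
					// The descriptor is built in its own per-thread buffer. Writing
					// it through `response_data` (a char** naming the caller's
					// pointer variable) would overwrite that pointer and the
					// memory after it.
					static __thread struct usb_qualifier_descriptor qual;
					qual.bLength = sizeof(qual);
					qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual.bcdUSB = index->dev->bcdUSB;
					qual.bDeviceClass = index->dev->bDeviceClass;
					qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual.bNumConfigurations = index->dev->bNumConfigurations;
					qual.bRESERVED = 0;
					*response_data = (char*)&qual;
					*response_length = sizeof(qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for host-to-device control requests during connect; sets *done
// when the connect handshake is considered finished.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{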
switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			// Generic devices: the handshake ends with SET_CONFIGURATION.
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Vendor request codes accepted by the ath9k handler below.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// Host-to-device handler for the ath9k variant: SET_CONFIGURATION and
// ATH9K_FIRMWARE_DOWNLOAD are accepted without ending the handshake;
// ATH9K_FIRMWARE_DOWNLOAD_COMP sets *done. Anything else returns false.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Caller-supplied reply to a GET_DESCRIPTOR request, matched on request type
// and descriptor type.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// Table of such replies; `len` is the byte size of the whole table and
// `generic` is the fallback entry.
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

// Caller-supplied reply to any other control request, matched on request type
// and request code.
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// Table of such replies, same layout as vusb_descriptors.
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Finds the caller-supplied reply for a control request.
// GET_DESCRIPTOR requests are looked up in `descs`, everything else in
// `resps`; when no entry matches, the table's `generic` entry is used if
// present. On a match *response_length is the entry's len and *response_data
// points at its data (NULL when len is 0). Returns false when nothing applies.
// Either table pointer may be NULL.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps,
				    struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	// Entry counts are derived from the tables' own `len` fields.
	// NOTE(review): a `len` smaller than the header size makes the unsigned
	// subtraction wrap before the division; nothing here rejects that.
	if (descs)
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

// Local definitions of the argument structures and ioctl numbers used with
// /dev/raw-gadget (opened by usb_raw_open() below).
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

// Event header; `length` is followed by `length` bytes of payload in data[].
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

// Endpoint transfer header; the payload follows in data[].
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin wrappers: each issues exactly one open()/ioctl() and returns its result
// unchanged (negative on failure).
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// strncpy() with the full field size zero-pads short names but does not
// NUL-terminate a name of UDC_NAME_LENGTH_MAX bytes or more; the caller in this
// file passes "dummy_udc" and a 32-byte buffer.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

// `event` must have room for event->length payload bytes after the header.
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

// set_interface() stores a non-negative return value as the endpoint handle.
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// The handle is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd,
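USB_RAW_IOCTL_CONFIGURE, 0);
}

// Passes `power` by value as the USB_RAW_IOCTL_VBUS_DRAW argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface with the given
// number and alternate setting, or -1 when `fd` is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the handle of the endpoint with address `bEndpointAddress` on the
// currently selected interface, or -1 when `fd` is unknown, no interface is
// selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// Bound the scan by eps_num. Testing eps_num alone (without `ep <`) never
	// becomes false for a non-empty interface, so a miss would walk past the
	// end of eps[].
	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches the device behind `fd` to interface slot `n`: disables every
// endpoint of the current interface, then enables every endpoint of the new
// one and records the handles returned by usb_raw_ep_enable(). Failures of the
// individual ioctls are deliberately ignored (best effort). An out-of-range
// `n` only performs the disable step and leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Handles SET_CONFIGURATION: reports bMaxPower via VBUS_DRAW, issues
// CONFIGURE, then selects interface slot 0. Returns 0 on success, -1 for an
// unknown fd, or the failing ioctl's return value.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Size of the data buffers embedded in the event/IO wrappers below.
#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct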
usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// usb_raw_ep_io header followed by a fixed USB_MAX_PACKET_SIZE payload buffer.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Emulates plugging in a USB device described by `dev` (dev_len bytes).
// Opens /dev/raw-gadget, indexes the descriptors, binds to "dummy_udc" /
// "dummy_udc.<procid>" and then answers control requests until
// `lookup_connect_response_out` reports the handshake as done. Requests
// without a reply are stalled. Returns the gadget fd on success, -1 or a
// negative ioctl result on failure.
// NOTE(review): only the `fd >= MAX_FDS` path closes fd; the other error
// returns after usb_raw_open() succeeded leave it open.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	// The index keeps pointers into `dev`, which must stay valid while fd is in use.
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the setup packet is fetched here.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT transfer: read wLength bytes from the host.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp before copying: an oversized length is dropped to 0, and a
		// reply never exceeds what the host asked for.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

// Pseudo-syscall: connect a device using the generic OUT-request handler.
// a0 = speed, a1 = descriptor length, a2 = descriptor blob, a3 = optional
// struct vusb_connect_descriptors*.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect() but with the ath9k OUT-request handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Pseudo-syscall: fetch one control event from gadget fd a0 and answer it.
// a1/a2 are optional reply tables (struct vusb_descriptors* /
// struct vusb_responses*). IN requests with a non-zero wLength are answered
// from the tables (stall and -1 when none applies); everything else is read
// from the host. Returns 0 on success, -1 or a negative ioctl result otherwise.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` every standard request on this path, not only
		// SET_INTERFACE, is interpreted as (interface = wIndex, alt = wValue);
		// confirm whether `&&` was intended.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Same clamping as in syz_usb_connect_impl(): never copy more than the
	// buffer holds or more than the host requested.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// IN request with wLength == 0 is handled as a full-buffer EP0 read below.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Pseudo-syscall: write a2 bytes from a3 to the endpoint with address a1 on
// gadget fd a0. The length is capped at USB_MAX_PACKET_SIZE. Returns 0 on
// success, -1 when the endpoint is unknown, or the negative ioctl result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Pseudo-syscall: read up to a2 bytes (capped at USB_MAX_PACKET_SIZE) from the
// endpoint with address a1 on gadget fd a0 into the buffer at a3.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv =
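usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// Copies the requested length, not the ioctl's return value.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Pseudo-syscall: disconnect the emulated device by closing gadget fd a0.
// Returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Pseudo-syscall: open a device node.
// a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> (a1, a2
// truncated to 8 bits) read-write. Otherwise a0 is a path template: each '#'
// is replaced by successive decimal digits of a1 (least significant first)
// and the result is opened with flags a2. Returns open()'s result.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination; longer templates are truncated.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Pseudo-syscall: open the procfs file named by a1 for the calling process
// (a0 == 0), the calling thread (a0 == -1) or task a0 of the calling process.
// Tries O_RDWR first and falls back to O_RDONLY. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Pseudo-syscall: open /dev/pts/<N> with flags a1, where N is the pty number
// reported by TIOCGPTN on fd a0. Returns the fd or -1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Pseudo-syscall: create a socket inside the network namespace referenced by
// kInitNetNsFd, then switch back to the caller's own namespace. Returns the
// socket() result with its errno preserved. Exits the process if the original
// namespace cannot be restored, rather than continuing in the wrong one.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Pseudo-syscall: resolve a generic netlink family name (C string at `name`)
// to its numeric id with a CTRL_CMD_GETFAMILY request. Returns the id, or -1
// on any socket error, on a reply that is not of type GENL_ID_CTRL, or when
// the reply carries no CTRL_ATTR_FAMILY_ID attribute.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The request buffer is reused for the reply.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// Walk the reply's attributes, starting where the request's attribute was.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One chunk of a filesystem image: `size` bytes at `data`, placed at `offset`.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

#define sys_memfd_create 356

// Sanitizes an image description in place and returns the image size to use.
// Each segment's size is capped at IMAGE_MAX_SIZE and its offset is adjusted
// so that offset + size stays within IMAGE_MAX_SIZE. The returned size is
// `size` grown to cover the end of every segment and capped at IMAGE_MAX_SIZE.
// Only the first IMAGE_MAX_SEGMENTS segments are examined; `nsegs` is passed
// by value, so the caller's own count is not clamped by this function.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image must reach the END of the segment (offset + size). Adding
		// the offset to itself ignores the segment's length; the sum cannot
		// overflow because offset <= IMAGE_MAX_SIZE - size was enforced above.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Pseudo-syscall: assemble an image from `segments` in a memfd, attach it to
// /dev/loop<procid> with partition scanning enabled, and symlink the
// partitions that show up as ./file0, ./file1, ... Returns 0 on success or -1
// with errno set to the first failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);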
int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): `nsegs` here is the caller-supplied count; the
	// IMAGE_MAX_SEGMENTS clamp in fs_image_segment_check() applies only to that
	// function's own copy. Failed writes are ignored.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Loop device still bound: detach it and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	// Setting LO_FLAGS_PARTSCAN is what makes the kernel read the partition table.
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Link partitions 1..7 that exist as ./file0, ./file1, ...
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
	// The success path falls through the cleanup labels as well.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Pseudo-syscall: assemble an image from `segments` in a memfd, attach it to
// /dev/loop<procid> and mount it on `dir` as filesystem `fsarg` with mount
// flags `flags` and option string `optsarg`. Returns 0 on success or -1 with
// errno set to the first failure. The loop device is detached on every path
// that reaches error_clear_loop, including success.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): as in syz_read_part_table(), `nsegs` is not clamped here.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	// Bounded copies into zeroed buffers; 32 bytes of opts are kept free for
	// the suffixes appended below.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Appends errors=continue when the options ask for errors=panic or do
		// not mention errors=remount-ro.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub in this build: ignores all arguments and returns 0.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Best-effort mount of fusectl; failure is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Process-level containment shared by the sandbox modes: die with the parent,
// start a new process group and session, keep a handle to the initial network
// namespace at kInitNetNsFd, apply resource limits, unshare namespaces (best
// effort) and set SysV IPC sysctls.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Saved so syz_init_net_socket() can later create sockets in this namespace.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Each unshare is best effort; failures are ignored.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Waits until child `pid` is reaped (other children are reaped and ignored)
// and returns its exit status. Exits if `pid` is negative (fork failed).
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process; exits if capget/capset fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: the parent waits for the child and returns its exit status;
// the child applies the common setup, drops the two capabilities, tries to
// enter a new network namespace and runs the program. The child never returns.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

// Pseudo-syscall: calls the bytes at address `text` as a function taking no
// arguments. The code is whatever the test program placed there; nothing is
// validated. `p` is an otherwise unused local array.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// Worker thread state: `call` is the index to execute, `ready`/`done` are the
// hand-off events between loop() and thr().
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing.
static int running;

// Worker body: wait for a call, execute it, signal completion, repeat.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs calls 0..42 of the program in order. Each call is handed to the first
// idle worker (workers are created lazily) and given a per-call timeout; a
// call that does not finish in time keeps its worker busy while the next call
// moves on to another one. Finally waits up to ~100 ms for stragglers.
static void loop(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Base timeout of 45 plus extra time for specific call indices.
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Fallback syscall numbers, used only when the system headers do not define them.
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 360
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
// mmap is always issued as mmap2 in this program.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Results of earlier calls (fds, ids) that later calls take as arguments.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_ioctl, -1, 0x125e, 0x20000000);
		break;
	case 1:
memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; break; case 2: *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; *(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; 
*(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 
0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = 
syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = 
syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; 
*(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, 
"\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if 
(res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, "\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; 
*(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, "\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\
xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x93\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\
xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\
xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\
xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xbc\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\
x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\
x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x18\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\
xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x49\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\
x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; 
*(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 = 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; 
*(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; 
*(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; *(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; 
*(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; *(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; 
*(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 = 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; 
*(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; 
*(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; *(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } <stdin>: In function ‘syz_io_uring_setup’: <stdin>:246:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) <stdin>:246:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor590415819 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/18 (0.38s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0
Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 
0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 
0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int 
event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, 
__ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
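btf_array { __u32 type; __u32 index_type; __u32 nelems; };

// Trailing record that follows a btf_type of kind STRUCT or UNION (one per member).
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

// Trailing record that follows a btf_type of kind FUNC_PROTO (one per parameter).
struct btf_param {
	__u32 name_off;
	__u32 type;
};

// Trailing record that follows a btf_type of kind VAR.
struct btf_var {
	__u32 linkage;
};

// Trailing record that follows a btf_type of kind DATASEC (one per variable).
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns that
// buffer on every later call.
//
// Returns NULL when the file cannot be opened, when read() fails, or when the
// blob fills the whole buffer (treated as "too large"; nothing is cached then).
//
// The descriptor is closed on every path. The previous version never closed
// it, so each failed attempt (which is retried on the next call because
// is_read stays false) and the one successful read all leaked an fd.
//
// NOTE(review): only the buffer pointer is returned, not the number of bytes
// read, so a caller has no length to bound-check BTF header offsets against.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A completely full buffer cannot be told apart from a truncated
		// read, so it is rejected together with read errors.
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}

	close(fd);
	is_read = true;
	return buf;
}

static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case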
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
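index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; }

// Claims the next slot of usb_devices[], parses the descriptor blob into it
// and publishes `fd` for that slot.
//
// Returns the slot's index structure, or NULL when all USB_MAX_FDS slots have
// been handed out or the blob is rejected by parse_usb_descriptor().
// The slot counter is only ever incremented, so a slot consumed by a failed
// parse is not reused.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Release store: the parsed index is written before the fd becomes
	// visible to lookup_usb_index().
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index structure of the slot whose stored fd equals `fd`,
// or NULL when no slot matches.
//
// NOTE(review): usb_devices[] is a zero-initialised static, so an unused slot
// compares equal to fd 0 — confirm that callers never pass 0 here.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// One caller-supplied string descriptor: raw bytes plus their length.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors used while answering the connect-time
// GET_DESCRIPTOR requests: device qualifier, BOS and a table of strings.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz") and fallback language-id descriptor,
// returned when the caller supplied no matching string.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Picks the reply for an IN control request received during connect.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the reply
// buffer and its length are stored through response_data / response_length
// and true is returned; false tells the caller to stall the request.
//
// Two defects of the previous version are fixed here:
//  - USB_DT_DEVICE_QUALIFIER without a caller-supplied qualifier cast
//    `response_data` (the address of the caller's `char*` variable) to a
//    qualifier descriptor and wrote the descriptor fields through it. That
//    overwrote the caller's pointer and the bytes next to it, and left
//    *response_data without a valid buffer address. The descriptor is now
//    built in dedicated storage and *response_data is pointed at it.
//  - USB_DT_BOS and USB_DT_DEVICE_QUALIFIER dereferenced `descs` without the
//    NULL check that USB_DT_STRING already had.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	// Backing storage for a synthesized qualifier. Per-thread, because the
	// generated program may issue calls from several threads; the caller
	// copies the reply out before the next request is handled.
	static __thread struct usb_qualifier_descriptor synthesized_qual;

	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// The string index is the low byte of wValue.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No caller-supplied descriptors: nothing to return, stall.
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive the qualifier from the device descriptor.
					struct usb_qualifier_descriptor* qual = &synthesized_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for OUT control requests received during connect; sets *done
// once the connect sequence is complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) {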
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
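USB_RAW_IOCTL_CONFIGURE, 0); }

// Thin wrapper: issues USB_RAW_IOCTL_VBUS_DRAW with `power` as the argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Thin wrapper: issues USB_RAW_IOCTL_EP0_STALL.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface recorded with the
// given interface number and alternate setting, or -1 when `fd` has no index
// or no such interface was parsed.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;

	if (!index)
		return -1;

	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint of the current interface whose
// address is bEndpointAddress, or -1 when `fd` has no index, no interface is
// current, or the address is not among that interface's endpoints.
//
// The loop is bounded by eps_num. The previous condition was just `eps_num`
// (missing `ep <`), so for any interface with at least one endpoint a miss
// never ended the loop and `ep` walked past eps[] and beyond the index
// structure.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Makes interface `n` current: disables every endpoint of the interface that
// is current now, enables every endpoint of interface `n` and records the
// handles that usb_raw_ep_enable() returns. Does nothing for an unknown fd;
// an out-of-range `n` only performs the disable step.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: a failed disable is ignored, as before.
			usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}

	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// A failed enable leaves the previously stored handle in place.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Handles SET_CONFIGURATION for `fd`: reports the parsed bMaxPower via
// VBUS_DRAW, issues CONFIGURE, then selects interface 0.
// Returns 0 on success, -1 for an unknown fd, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096
struct usb_raw_control_event { struct usb_raw_event inner; struct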
usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else 
memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = 
event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = 
usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = 
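sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; }

// One piece of a filesystem image: `size` bytes at `data`, to be placed at
// byte `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Clamps the segment table in place and returns the image size to allocate.
//
// For each of the first min(nsegs, IMAGE_MAX_SEGMENTS) segments, `size` is
// capped at IMAGE_MAX_SIZE and `offset` is reduced so that offset + size fits
// within IMAGE_MAX_SIZE. The returned size is the requested `size` grown to
// cover the end of every checked segment and capped at IMAGE_MAX_SIZE.
//
// The growth step now uses offset + size. It previously compared against and
// assigned offset + offset, which is unrelated to where a segment ends. After
// the clamping above the sum cannot exceed IMAGE_MAX_SIZE, so it cannot wrap.
//
// `segments` is used as a pointer to caller-provided memory and is modified
// directly; no private copy is taken.
//
// NOTE(review): `nsegs` is a by-value parameter, so the IMAGE_MAX_SEGMENTS cap
// applies only inside this function. The callers shown on this page keep
// looping up to their own, uncapped nsegs over entries this function never
// clamped.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;

	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}

	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments);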
int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; 
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); 
rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; 
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void close_fds() { int fd; for (fd = 3; fd < MAX_FDS; fd++) close(fd); } static long syz_execute_func(volatile long 
text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 43; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); close_fds(); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_ioctl, -1, 0x125e, 0x20000000); break; case 1: memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; break; case 2: *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; 
*(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; 
*(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; 
*(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; 
*(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 
6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; 
*(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, 
"flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } }
/*
 * Entry point of the generated C program dumped by the failing test.
 *
 * It maps the fixed address range that the case bodies above store into
 * (addresses from 0x20000000 upward), then calls use_temporary_dir() and
 * do_sandbox_none(), both defined outside this excerpt.
 * None of the three mmap results is checked before the program proceeds.
 *
 * NOTE(review): the compiler error printed after this function is reported
 * inside syz_io_uring_setup, not in main.
 */
int main(void) {
  /* 4 KiB at 0x1ffff000 with prot 0 (PROT_NONE): an inaccessible page
   * directly below the data region. flags 0x32 is
   * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on Linux; fd -1, offset 0. */
  syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
  /* 16 MiB at 0x20000000 with prot 7 (read | write | exec): the region the
   * raw pointer stores and memcpy calls above target. Memory that is both
   * writable and executable at a fixed address is acceptable only in a
   * disposable test environment. */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
  /* 4 KiB at 0x21000000 with prot 0: an inaccessible page directly above
   * the data region, so an access running off either end faults. */
  syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
  /* presumably these two calls correspond to the UseTmpDir:true and
   * Sandbox:none options in the opts dump; confirm against the generator */
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}
: In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor967850566 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/0 (0.38s) csource_test.go:122: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 
Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 
0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 
0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
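btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer on the first successful
 * call and returns that buffer on every later call.
 *
 * Returns NULL when the file cannot be opened, when read() fails, or when the
 * data fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer. A failure is not
 * cached, so the next call opens the file again; the descriptor is therefore
 * closed on every path, otherwise each failed call would leak one.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);

	is_read = true;
	return buf;
}

/*
 * Walks the BTF type section of the buffer returned by read_btf_vmlinux() and
 * returns the 1-based position of the first type whose name equals the string
 * at a0, or -1 if the buffer is unavailable, the magic does not match, or no
 * type matches.
 *
 * NOTE(review): hdr_len, type_off, str_off, type_len and name_off are taken
 * from the file and used as offsets without being compared against the number
 * of bytes actually read; the walk relies on the data being well formed.
 */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;

	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;

	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;

	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;

		if (strcmp(name, target) == 0)
			return idx;

		/* Size of the kind-specific data that follows the fixed btf_type record. */
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case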
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
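lookup_usb_index(fd);
	uint8_t str_idx;

	/*
	 * Picks the reply for an IN control request on the device registered for
	 * fd. Only standard GET_DESCRIPTOR requests are answered; on success
	 * *response_data and *response_length describe the reply and true is
	 * returned, otherwise false.
	 */
	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* The high byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* The low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					/* Byte 0 of the built-in descriptor is its own length. */
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/*
				 * descs may be NULL (the string case above already allows
				 * for that), so do not dereference it here; report "no
				 * response" instead.
				 */
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * No qualifier supplied: build one from the device
					 * descriptor. The descriptor needs storage of its own;
					 * writing it through response_data would overwrite the
					 * caller's char* slot, which is smaller than the
					 * descriptor, and would leave *response_data unset.
					 * Thread-local storage keeps concurrent callers apart.
					 * NOTE(review): the caller is outside this excerpt;
					 * this assumes it consumes *response_data before the
					 * same thread calls this function again.
					 */
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Signature shared by the handlers that decide how to answer OUT control requests. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{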
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		// No exact match: fall back to the generic descriptor when one is supplied.
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		// Every other request is matched on (masked request type, request code).
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		// No exact match: fall back to the generic response when one is supplied.
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

// The declarations below are the argument layouts and ioctl numbers used with
// /dev/raw-gadget; they look like a local copy of the kernel's raw-gadget UAPI
// definitions (NOTE(review): confirm they match the kernel under test).
#define UDC_NAME_LENGTH_MAX 128

// Argument of USB_RAW_IOCTL_INIT: UDC driver name, UDC device name and bus speed.
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

// Event header; the payload follows in the zero-length data[] member.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

// Endpoint I/O header; the payload follows in the zero-length data[] member.
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

// One-bit capability flags for an endpoint (transfer types and directions).
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

// Argument of USB_RAW_IOCTL_EPS_INFO: room for USB_RAW_EPS_NUM_MAX endpoints.
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

// ioctl request numbers, all in the 'U' group.
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Opens /dev/raw-gadget read-write and returns the open() result.
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Fills a usb_raw_init argument from driver/device/speed and issues USB_RAW_IOCTL_INIT.
// strncpy() is given the full field size, so a name of UDC_NAME_LENGTH_MAX
// characters or more is copied without a terminating NUL; speed is narrowed
// from uint32_t to the __u8 field.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// Thin wrappers: each issues one raw-gadget ioctl on fd and returns its result.
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// ep is passed by value as the ioctl argument, not through a pointer.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd,
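USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issues USB_RAW_IOCTL_VBUS_DRAW on fd; power is passed by value as the ioctl argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL on fd and returns the ioctl result.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces of the entry whose interface number and
// alternate setting both match, or -1 when fd has no index or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with address bEndpointAddress on the
// currently selected interface, or -1 when fd has no index, no interface is
// selected, or no endpoint matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// The loop must be bounded by eps_num. The previous condition tested only
	// that eps_num was non-zero, so a lookup that matched no endpoint kept
	// incrementing ep and read past the end of eps[].
	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches fd's device to interface entry n: disables every endpoint of the
// current interface (when one is selected and in range), then enables every
// endpoint of entry n and records the handle each enable returns.
// An out-of-range n only performs the disable step and leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			// Both branches are empty here (presumably debug output compiled out);
			// a failed disable is ignored.
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
				// A failed enable leaves the previously stored handle in place.
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Applies the device configuration: sets VBUS draw from index->bMaxPower, issues
// the CONFIGURE ioctl, then selects interface entry 0.
// Returns 0 on success, -1 when fd has no index, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Size of the inline payload buffers used for control events and endpoint I/O.
#define USB_MAX_PACKET_SIZE 4096

// A raw-gadget event header followed by the control setup packet and payload room.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct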
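usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// An endpoint I/O header followed by an inline USB_MAX_PACKET_SIZE-byte payload.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Opens a raw-gadget device, registers the descriptor blob dev for it, binds it
// to the "dummy_udc" driver instance for this procid and answers control
// requests until lookup_connect_response_out reports that enumeration is done.
//
// Returns the gadget fd on success. Returns -1 when dev is NULL, the fd is not
// below MAX_FDS, or registration fails; otherwise returns the negative result
// of the call that failed.
// NOTE(review): the error returns after usb_raw_init() onwards leave fd open
// and registered; they are kept as they were because the registration cannot
// be undone from here.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		// Close the descriptor here as the MAX_FDS branch above does, so a
		// failed registration does not leak it.
		// NOTE(review): assumes a NULL return means nothing was recorded for fd;
		// confirm against add_usb_index.
		close(fd);
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the setup packet is requested while connecting.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Keep the copy below inside response.data and within what the host asked for.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

// Pseudo-syscall entry: unpacks the raw arguments and connects using the
// generic OUT-request lookup.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect but with the ath9k OUT-request lookup, which also
// accepts the vendor firmware-download requests.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Fetches one control event from the gadget fd (a0) and answers it from the
// descriptor table (a1) and response table (a2).
// Returns 0 on success, -1 when the event is not a control request or no
// response is found (EP0 is stalled in that case), or the failing ioctl's result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// Switch interfaces only for a standard SET_INTERFACE request. The
		// condition used "||", which also treated every other standard request,
		// and any non-standard request that happened to use the same request
		// code, as an interface switch driven by unrelated wIndex/wValue. "&&"
		// matches the SET_CONFIGURATION check in syz_usb_connect_impl.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
				// Unknown interface/alternate setting: nothing to switch.
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Keep the copy below inside response.data and within what the host asked for.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// A zero-length IN request is completed through the read path with a
	// full-size buffer.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Writes up to USB_MAX_PACKET_SIZE bytes from a3 (length a2) to the endpoint
// whose address is a1 on gadget fd a0. Longer requests are truncated.
// Returns 0 on success, -1 when the endpoint is unknown, or the ioctl's result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Reads up to USB_MAX_PACKET_SIZE bytes from the endpoint whose address is a1 on
// gadget fd a0 into the buffer at a3 (length a2).
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv =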
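usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): copies the requested length rather than the count in rv, so
	// a short read also copies uninitialised bytes of io_data.data to the caller.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Closes the gadget fd (a0), waits 200 ms and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Opens a device node.
// When a0 is 0xc or 0xb, opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
// read-write, with a1 and a2 truncated to 8 bits.
// Otherwise a0 is a path template: each '#' is replaced by successive decimal
// digits of a1 (least significant first) and the result is opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination; longer templates are truncated.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Opens a procfs file named by a1: under /proc/self when a0 is 0, under
// /proc/thread-self when a0 is -1, otherwise under /proc/self/task/<a0>.
// Tries read-write first and falls back to read-only.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Queries the pty number of fd a0 with TIOCGPTN and opens /dev/pts/<n> with flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket while temporarily switched to the network namespace held in
// kInitNetNsFd, then switches back to the caller's namespace.
// Returns the socket() result with its errno preserved, or -1 when the current
// namespace cannot be opened or entering the other namespace fails. Exits the
// process if the original namespace cannot be restored.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Release the namespace descriptor on this path as well; it used to
		// leak here, one descriptor per failed call. errno is kept as set by setns().
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	// Staying in the wrong namespace would affect everything that follows,
	// so a failed restore is fatal.
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolves a generic netlink family name (a NUL-terminated string at address
// name) to its numeric id by sending CTRL_CMD_GETFAMILY; returns -1 on failure.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len =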
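sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// NOTE(review): the walk trusts nla_len from the reply; a zero nla_len would
	// not advance attr, and the last header is read without checking that it
	// lies fully inside the n received bytes.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: size bytes at data, placed at offset in the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Sanitises the segment table in place and returns the image size to allocate.
//
// For the first min(nsegs, IMAGE_MAX_SEGMENTS) segments, size is capped at
// IMAGE_MAX_SIZE and offset is reduced so that offset + size stays within
// IMAGE_MAX_SIZE. The returned size is at least the requested size and large
// enough to hold every checked segment, capped at IMAGE_MAX_SIZE.
//
// segments is the address of an array of struct fs_image_segment with at least
// nsegs entries; it comes straight from the test program and is not validated.
// NOTE(review): the nsegs clamp is local to this function. The callers in this
// file loop over their own, unclamped nsegs, so entries past IMAGE_MAX_SEGMENTS
// are written without having been sanitised here.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image has to reach the end of the segment, offset + size. This
		// used to compare against offset + offset, which ignored the segment
		// length and could both under- and over-estimate the size.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory disk image from the segments, attaches it to this
// procid's loop device with partition scanning enabled and symlinks the
// partitions that appear as ./file0, ./file1, ...
// Returns 0 on success or -1 with errno set to the first failure.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);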
int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop uses the caller's nsegs, while
	// fs_image_segment_check only sanitises the first IMAGE_MAX_SEGMENTS entries.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// A failed segment write is ignored; the image is used as far as it got.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The loop device is still attached: detach it, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	// Setting LO_FLAGS_PARTSCAN makes the kernel parse the partition table.
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Link each partition node p1..p7 that exists to the next ./fileN name.
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
	// The success path falls through the cleanup labels as well.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Builds an in-memory filesystem image from the segments, attaches it to this
// procid's loop device and mounts it on dir as filesystem type fsarg with
// options optsarg.
// Returns 0 on success or -1 with errno set to the first failure. The loop
// device is cleared and both descriptors are closed on every path, including success.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop uses the caller's nsegs, while
	// fs_image_segment_check only sanitises the first IMAGE_MAX_SEGMENTS entries.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// A failed segment write is ignored; the image is used as far as it got.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// The loop device is still attached: detach it, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	// Both strings are copied into zeroed buffers with a bound below the buffer
	// size, so they stay NUL-terminated; opts keeps 32 bytes spare for the
	// suffixes appended below.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append errors=continue when the options ask for errors=panic or do not
		// contain errors=remount-ro.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub in this build: ignores all eight arguments and returns 0.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Prepares the process the test programs run in: dies with its parent, gets its
// own process group and session, keeps the starting network namespace reachable
// as kInitNetNsFd, applies resource limits, unshares several namespaces
// (failures ignored) and writes a fixed set of SysV IPC sysctls.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Limits: 200 MiB address space, 32 MiB locked memory, 136 MiB file size,
	// 1 MiB stack, no core dumps, 256 open files. setrlimit() results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP on Linux, written numerically
	// (presumably so that older headers still compile).
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Reaps children until the one with the given pid is collected and returns its
// exit status; exits when pid is negative (a failed fork).
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of this process; exits if capget/capset fails.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: forks, and in the child applies the common setup, drops the
// two capabilities, unshares the network namespace and runs loop(). The parent
// waits for the child and returns its exit status.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes dir and everything in it, retrying around the states a
// test program may have left behind: on EPERM the inode flags are cleared with
// FS_IOC_SETFLAGS, EBUSY is retried up to about 100 times, EROFS is skipped.
// Any other failure exits the process.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat() so that a symlink is removed itself and never followed.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared since the scan: rescan, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kills the process group and the process pid with SIGKILL and waits for pid.
// If it has not been reaped after about 100 ms, writes to the abort file of
// every FUSE connection and then waits without a timeout.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written; its value is the first character of the path.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever is attached to this procid's loop device, if it can be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup in the child: die with the parent, own process group, and an
// oom_score_adj of 1000.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Calls the address in text as a void(void) function and returns 0; the bytes
// at that address come from the test program and are executed unchecked.
// p is an unused volatile array (presumably stack padding - confirm).
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}
static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; syscall(__NR_ioctl, -1, 0x125e, 0x20000000); memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; *(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; 
*(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; 
*(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, 
"\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); syz_init_net_socket(3, 5, 0xcb); res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; 
*(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; 
*(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 
0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, 
"measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); syz_open_pts(r[6], 0x402000); *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 = 0x7f; 
*(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 0x24; 
*(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; *(uint8_t*)0x2000291b 
= 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; *(uint8_t*)0x20002972 = 0x24; 
*(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; *(uint8_t*)0x200029ca = 0xf7; 
*(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; *(uint8_t*)0x20002a4c = 1; 
*(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; memcpy((void*)0x20002bc8, 
"\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; *(uint8_t*)0x20002d87 = 0xf; 
*(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; *(uint8_t*)0x20002f46 = 0x4c; 
*(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; *(uint32_t*)0x20003338 = 
0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); syz_usb_disconnect(r[13]); *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; *(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; 
*(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; *(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; 
*(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; *(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, 
"\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 
= -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; *(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; 
*(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :174:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :174:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor094884465 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/21 (0.38s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false 
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:true VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, 
"af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 
0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, {&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, 
{&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, 
[@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, 
[@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int 
event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, 
__ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
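btf_array {
    __u32 type;
    __u32 index_type;
    __u32 nelems;
};

struct btf_member {
    __u32 name_off;
    __u32 type;
    __u32 offset;
};

struct btf_param {
    __u32 name_off;
    __u32 type;
};

struct btf_var {
    __u32 linkage;
};

struct btf_var_secinfo {
    __u32 type;
    __u32 offset;
    __u32 size;
};

// Capacity of the static buffer that read_btf_vmlinux() fills.
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer and returns the buffer.
// A successful read is cached, so later calls return the buffer without
// touching the file. Returns NULL if the file cannot be opened, a read fails,
// or the contents would fill the whole buffer.
static char* read_btf_vmlinux()
{
    static bool is_read = false;
    static char buf[VMLINUX_MAX_SUPPORT_SIZE];

    if (is_read)
        return buf;

    int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
    if (fd < 0)
        return NULL;

    unsigned long bytes_read = 0;
    bool complete = false;
    for (;;) {
        ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
        if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
            break;
        if (ret == 0) {
            complete = true;
            break;
        }
        bytes_read += ret;
    }

    // The descriptor is only needed for the read loop; close it on every path
    // so that a failed or repeated attempt does not leak it.
    close(fd);

    if (!complete)
        return NULL;

    is_read = true;
    return buf;
}

// Pseudo-syscall: looks up a BTF type by name in the vmlinux BTF blob.
//
// a0 is a pointer to a NUL-terminated type name. Type records are walked in
// order and counted from 1; the count of the first record whose name equals
// the target is returned. Returns -1 if the blob cannot be read, has the wrong
// magic, has section bounds that do not fit the buffer, or contains no match.
static long syz_btf_id_by_name(volatile long a0)
{
    char* target = (char*)a0;

    char* vmlinux = read_btf_vmlinux();
    if (vmlinux == NULL)
        return -1;

    struct btf_header* btf_header = (struct btf_header*)vmlinux;
    if (btf_header->magic != BTF_MAGIC)
        return -1;

    // All offsets below come from the blob itself. Reject headers whose type
    // or string section would extend past the buffer the blob was read into,
    // so the walk cannot read outside that buffer.
    uint64_t type_end = (uint64_t)btf_header->hdr_len + btf_header->type_off + btf_header->type_len;
    uint64_t str_end = (uint64_t)btf_header->hdr_len + btf_header->str_off + btf_header->str_len;
    if (type_end > VMLINUX_MAX_SUPPORT_SIZE || str_end > VMLINUX_MAX_SUPPORT_SIZE)
        return -1;

    char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
    char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;

    unsigned int bytes_parsed = 0;
    long idx = 1;
    while (bytes_parsed < btf_header->type_len) {
        // A record header must fit in what is left of the type section.
        if (btf_header->type_len - bytes_parsed < sizeof(struct btf_type))
            break;

        struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
        uint32_t kind = BTF_INFO_KIND(btf_type->info);
        uint32_t vlen = BTF_INFO_VLEN(btf_type->info);

        // Only compare names that start inside the string section.
        if (btf_type->name_off < btf_header->str_len) {
            char* name = btf_str_sec + btf_type->name_off;
            if (strcmp(name, target) == 0)
                return idx;
        }

        // Size of the kind-specific data that follows the common record header.
        size_t skip;
        switch (kind) {
        case BTF_KIND_INT:
            skip = sizeof(uint32_t);
            break;
        case BTF_KIND_ENUM:
            skip = sizeof(struct btf_enum) * vlen;
            break;
        case BTF_KIND_ARRAY:
            skip = sizeof(struct btf_array);
            break;
        case BTF_KIND_STRUCT:
        case BTF_KIND_UNION:
            skip = sizeof(struct btf_member) * vlen;
            break;
        case BTF_KIND_FUNC_PROTO:
            skip = sizeof(struct btf_param) * vlen;
            break;
        case BTF_KIND_VAR:
            skip = sizeof(struct btf_var);
            break;
        case BTF_KIND_DATASEC:
            skip = sizeof(struct btf_var_secinfo) * vlen;
            break;
        default:
            skip = 0;
        }

        bytes_parsed += sizeof(struct btf_type) + skip;
        idx++;
    }

    return -1;
}

// Pseudo-syscall: memcpy with separate byte offsets applied to both pointers.
// Copies a4 bytes from (a2 + a3) to (a0 + a1) and returns memcpy's result
// (the destination address) as a long. No bounds are checked here.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
    char* dest = (char*)a0;
    uint32_t dest_off = (uint32_t)a1;
    char* src = (char*)a2;
    uint32_t src_off = (uint32_t)a3;
    size_t n = (size_t)a4;

    return (long)memcpy(dest + dest_off, src + src_off, n);
}

#define MAX_FDS 30

#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

struct usb_endpoint_index {
    struct usb_endpoint_descriptor desc;
    int handle;
};

struct usb_iface_index {
    struct usb_interface_descriptor* iface;
    uint8_t bInterfaceNumber;
    uint8_t bAlternateSetting;
    uint8_t bInterfaceClass;
    struct usb_endpoint_index eps[USB_MAX_EP_NUM];
    int eps_num;
};

struct usb_device_index {
    struct usb_device_descriptor* dev;
    struct usb_config_descriptor* config;
    uint8_t bDeviceClass;
    uint8_t bMaxPower;
    int config_length;
    struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
    int ifaces_num;
    int iface_cur;
};

struct usb_info {
    int fd;
    struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
    if (length < sizeof(*index->dev) + sizeof(*index->config))
        return false;

    memset(index, 0, sizeof(*index));

    index->dev = (struct usb_device_descriptor*)buffer;
    index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
    index->bDeviceClass = index->dev->bDeviceClass;
    index->bMaxPower = index->config->bMaxPower;
    index->config_length = length - sizeof(*index->dev);
    index->iface_cur = -1;

    size_t offset = 0;
    while (true) {
        if (offset + 1 >= length)
            break;
        uint8_t desc_length = buffer[offset];
        uint8_t desc_type = buffer[offset + 1];
        if (desc_length <= 2)
            break;
        if (offset + desc_length > length)
            break;
        if (desc_type == USB_DT_INTERFACE &&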
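index->ifaces_num < USB_MAX_IFACE_NUM) {
            // NOTE(review): desc_length has only been checked to be > 2 and to
            // fit in the buffer; the field reads below assume it covers a whole
            // interface descriptor. Confirm, or compare it with sizeof(*iface).
            struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
            index->ifaces[index->ifaces_num].iface = iface;
            index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
            index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
            index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
            index->ifaces_num++;
        }
        if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
            struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
            if (iface->eps_num < USB_MAX_EP_NUM) {
                // NOTE(review): copies sizeof(desc) bytes regardless of
                // desc_length; the same length question applies here.
                memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
                iface->eps_num++;
            }
        }
        offset += desc_length;
    }

    return true;
}

// Claims the next slot in usb_devices, parses the descriptor blob `dev` into
// it and binds the slot to `fd`. Returns the slot's index structure, or NULL
// if all USB_MAX_FDS slots are taken or the blob is rejected by the parser.
// The slot counter is advanced even when this returns NULL.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
    int slot = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
    if (slot >= USB_MAX_FDS)
        return NULL;

    if (!parse_usb_descriptor(dev, dev_len, &usb_devices[slot].index))
        return NULL;

    // Publish the fd last so a concurrent lookup sees a fully parsed index.
    __atomic_store_n(&usb_devices[slot].fd, fd, __ATOMIC_RELEASE);
    return &usb_devices[slot].index;
}

// Returns the index structure of the slot bound to `fd`, or NULL if none is.
// NOTE(review): usb_devices has static storage, so a slot that was never
// filled has fd == 0 and is matched by a lookup for fd 0, yielding an index
// whose dev/config pointers are NULL. Confirm callers never pass fd 0.
static struct usb_device_index* lookup_usb_index(int fd)
{
    int slot;
    for (slot = 0; slot < USB_MAX_FDS; slot++) {
        if (__atomic_load_n(&usb_devices[slot].fd, __ATOMIC_ACQUIRE) == fd)
            return &usb_devices[slot].index;
    }
    return NULL;
}

struct vusb_connect_string_descriptor {
    uint32_t len;
    char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
    uint32_t qual_len;
    char* qual;
    uint32_t bos_len;
    char* bos;
    uint32_t strs_len;
    struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Chooses the reply to an IN control request received while a device is
// being connected.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the reply is
// returned through *response_data / *response_length and the function returns
// true; the returned pointer refers to storage owned elsewhere (the device
// index, `descs`, the default tables above, or a per-thread scratch
// descriptor), so the caller is expected to copy it out before the next call.
// Returns false when `fd` has no registered index or the request is not
// handled.
//
// `descs` may be NULL: string requests then fall back to the built-in
// defaults, the device qualifier is synthesized, and a BOS request is
// reported as unhandled.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
                                       const struct usb_ctrlrequest* ctrl,
                                       char** response_data, uint32_t* response_length)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    uint8_t str_idx;

    if (!index)
        return false;

    switch (ctrl->bRequestType & USB_TYPE_MASK) {
    case USB_TYPE_STANDARD:
        switch (ctrl->bRequest) {
        case USB_REQ_GET_DESCRIPTOR:
            // The descriptor type is in the high byte of wValue.
            switch (ctrl->wValue >> 8) {
            case USB_DT_DEVICE:
                *response_data = (char*)index->dev;
                *response_length = sizeof(*index->dev);
                return true;
            case USB_DT_CONFIG:
                *response_data = (char*)index->config;
                *response_length = index->config_length;
                return true;
            case USB_DT_STRING:
                str_idx = (uint8_t)ctrl->wValue;
                if (descs && str_idx < descs->strs_len) {
                    *response_data = descs->strs[str_idx].str;
                    *response_length = descs->strs[str_idx].len;
                    return true;
                }
                if (str_idx == 0) {
                    *response_data = (char*)&default_lang_id[0];
                    *response_length = default_lang_id[0];
                    return true;
                }
                *response_data = (char*)&default_string[0];
                *response_length = default_string[0];
                return true;
            case USB_DT_BOS:
                // The string case above tolerates a NULL descs; do the same
                // here instead of dereferencing it.
                if (!descs)
                    break;
                *response_data = descs->bos;
                *response_length = descs->bos_len;
                return true;
            case USB_DT_DEVICE_QUALIFIER:
                if (!descs || !descs->qual) {
                    // No qualifier supplied: derive one from the device
                    // descriptor. It is built in dedicated storage and handed
                    // back through *response_data. Writing the structure over
                    // the response_data argument itself would overrun the
                    // caller's pointer variable and leave the reply pointer
                    // unset.
                    static __thread struct usb_qualifier_descriptor qual;
                    qual.bLength = sizeof(qual);
                    qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
                    qual.bcdUSB = index->dev->bcdUSB;
                    qual.bDeviceClass = index->dev->bDeviceClass;
                    qual.bDeviceSubClass = index->dev->bDeviceSubClass;
                    qual.bDeviceProtocol = index->dev->bDeviceProtocol;
                    qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
                    qual.bNumConfigurations = index->dev->bNumConfigurations;
                    qual.bRESERVED = 0;
                    *response_data = (char*)&qual;
                    *response_length = sizeof(qual);
                    return true;
                }
                *response_data = descs->qual;
                *response_length = descs->qual_len;
                return true;
            default:
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }

    return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
                                              const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
                                                const struct usb_ctrlrequest* ctrl, bool* done)
{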
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
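USB_RAW_IOCTL_CONFIGURE, 0);
}

// Issues USB_RAW_IOCTL_VBUS_DRAW with `power` as the argument.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
    return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL on the raw-gadget descriptor.
static int usb_raw_ep0_stall(int fd)
{
    return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in the device's interface table of the entry whose
// interface number and alternate setting both match, or -1 if `fd` has no
// registered index or no entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int i;

    if (!index)
        return -1;

    for (i = 0; i < index->ifaces_num; i++) {
        const struct usb_iface_index* iface = &index->ifaces[i];
        if (iface->bInterfaceNumber == bInterfaceNumber &&
            iface->bAlternateSetting == bAlternateSetting)
            return i;
    }
    return -1;
}

// Returns the stored handle of the endpoint with address `bEndpointAddress`
// on the currently selected interface, or -1 if `fd` has no registered index,
// no interface is selected, or the interface has no such endpoint.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;

    if (!index)
        return -1;
    // iface_cur is -1 until an interface has been selected; also refuse an
    // index outside the parsed table, as set_interface() does.
    if (index->iface_cur < 0 || index->iface_cur >= index->ifaces_num)
        return -1;

    const struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
    // Bound the scan by eps_num. Testing eps_num alone never terminates the
    // loop for a non-empty interface and walks past the eps[] array whenever
    // the address is not found.
    for (ep = 0; ep < iface->eps_num; ep++) {
        if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
            return iface->eps[ep].handle;
    }
    return -1;
}

// Switches the device to interface table entry `n`: disables every endpoint
// of the currently selected entry, then enables every endpoint of entry `n`,
// records the handles returned by the enable calls and marks `n` as current.
// Does nothing if `fd` has no registered index; an out-of-range `n` only
// performs the disable step. Individual ioctl failures are ignored.
static void set_interface(int fd, int n)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    int ep;

    if (!index)
        return;

    if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
        struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
        for (ep = 0; ep < cur->eps_num; ep++) {
            // Best effort: the result of the disable call is not acted on.
            (void)usb_raw_ep_disable(fd, cur->eps[ep].handle);
        }
    }

    if (n >= 0 && n < index->ifaces_num) {
        struct usb_iface_index* next = &index->ifaces[n];
        for (ep = 0; ep < next->eps_num; ep++) {
            int rv = usb_raw_ep_enable(fd, &next->eps[ep].desc);
            // A failed enable leaves the previously stored handle in place.
            if (rv >= 0)
                next->eps[ep].handle = rv;
        }
        index->iface_cur = n;
    }
}

// Applies the device's bMaxPower via VBUS_DRAW, issues CONFIGURE, then selects
// interface table entry 0. Returns 0 on success, -1 if `fd` has no registered
// index, or the negative result of the first ioctl that fails.
static int configure_device(int fd)
{
    struct usb_device_index* index = lookup_usb_index(fd);
    if (!index)
        return -1;

    int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
    if (rv < 0)
        return rv;

    rv = usb_raw_configure(fd);
    if (rv < 0)
        return rv;

    set_interface(fd, 0);
    return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
    struct usb_raw_event inner;
    struct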
usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else 
memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = 
event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = 
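usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
    if (rv < 0) {
        return rv;
    }
    // NOTE(review): copies the requested length, not the ioctl result in rv;
    // if fewer bytes were received the rest is uninitialized stack data.
    // Presumably rv is the received byte count; confirm before changing.
    memcpy(&data[0], &io_data.data[0], io_data.inner.length);
    sleep_ms(200);
    return 0;
}

// Pseudo-syscall: closes the descriptor in a0, sleeps 200 ms and returns the
// result of close().
static volatile long syz_usb_disconnect(volatile long a0)
{
    int fd = a0;
    int rv = close(fd);
    sleep_ms(200);
    return rv;
}

// Pseudo-syscall: opens a device node.
//
// If a0 is 0xc or 0xb, opens /dev/char/MAJ:MIN or /dev/block/MAJ:MIN read-write,
// with the numbers taken from the low bytes of a1 and a2. Otherwise a0 is a
// pointer to a path template: each '#' is replaced, left to right, by
// successive decimal digits of a1 (least significant first) and the result is
// opened with a2 as the open flags. Returns the result of open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    }

    char buf[1024];
    char* hash;
    // Bounded copy of the template; the last byte is forced to NUL.
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
        *hash = '0' + (char)(a1 % 10);
        a1 /= 10;
    }
    return open(buf, a2, 0);
}

// Pseudo-syscall: opens a file under /proc for the current process.
//
// a1 points to the file name. a0 selects the directory: 0 for /proc/self,
// -1 for /proc/thread-self, any other value for /proc/self/task/<a0>. The path
// is truncated to fit a 128-byte buffer. The file is opened read-write, with a
// read-only retry if that fails; returns the resulting descriptor or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
    char buf[128];
    memset(buf, 0, sizeof(buf));

    if (a0 == 0)
        snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
    else if (a0 == -1)
        snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
    else
        snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);

    int fd = open(buf, O_RDWR);
    if (fd == -1)
        fd = open(buf, O_RDONLY);
    return fd;
}

// Pseudo-syscall: queries the pty number of descriptor a0 with TIOCGPTN and
// opens /dev/pts/<number> with a1 as the open flags. Returns the new
// descriptor, or -1 if the ioctl or the open fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
    int ptyno = 0;
    if (ioctl(a0, TIOCGPTN, &ptyno))
        return -1;

    char buf[128];
    snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
    return open(buf, a1, 0);
}

// Pseudo-syscall: creates a socket in the network namespace referred to by
// kInitNetNsFd, then switches back to the caller's own namespace.
//
// Returns the socket descriptor (or -1 with errno from socket()). Returns -1
// if the current namespace cannot be opened or the switch fails. If switching
// back fails the process exits, because it would otherwise keep running in
// the wrong namespace.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
    // Handle to the current namespace, needed to return to it afterwards.
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        return netns;

    if (setns(kInitNetNsFd, 0)) {
        // Nothing was switched; release the handle instead of leaking one
        // descriptor per failed call, and keep setns()'s errno for the caller.
        int setns_err = errno;
        close(netns);
        errno = setns_err;
        return -1;
    }

    int sock = syscall(__NR_socket, domain, type, proto);
    int err = errno;

    if (setns(netns, 0))
        exit(1);
    close(netns);

    // Report the outcome of socket(), not of the cleanup calls.
    errno = err;
    return sock;
}

// Pseudo-syscall: resolves a generic netlink family name to its family id.
//
// `name` points to the family name; at most GENL_NAMSIZ bytes of it are sent
// in a CTRL_CMD_GETFAMILY request. Returns the id from the first
// CTRL_ATTR_FAMILY_ID attribute of the reply, or -1 on socket, send or receive
// failure, on a reply of another message type, or if no complete attribute of
// that type is present.
static long syz_genetlink_get_family_id(volatile long name)
{
    char buf[512] = {0};
    struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
    struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
    struct nlattr* attr = (struct nlattr*)(genlhdr + 1);

    hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
    hdr->nlmsg_type = GENL_ID_CTRL;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    genlhdr->cmd = CTRL_CMD_GETFAMILY;
    attr->nla_type = CTRL_ATTR_FAMILY_NAME;
    attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
    strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);

    struct iovec iov = {hdr, hdr->nlmsg_len};
    struct sockaddr_nl addr = {0};
    addr.nl_family = AF_NETLINK;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (fd == -1)
        return -1;

    struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
    if (sendmsg(fd, &msg, 0) == -1) {
        close(fd);
        return -1;
    }

    // The reply overwrites the request in the same buffer.
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    close(fd);
    if (n <= 0)
        return -1;
    if (hdr->nlmsg_type != GENL_ID_CTRL)
        return -1;

    // Walk the attributes by offset and stay inside the n received bytes.
    size_t total = (size_t)n;
    size_t off = (size_t)((char*)attr - buf);
    while (off + sizeof(struct nlattr) <= total) {
        attr = (struct nlattr*)(buf + off);
        // A length shorter than the attribute header would not advance the
        // walk (a zero length would loop forever); treat it as malformed.
        if (attr->nla_len < sizeof(*attr))
            break;
        if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
            uint16_t id;
            // The 16-bit payload must be declared and actually received.
            if (attr->nla_len < sizeof(*attr) + sizeof(id) ||
                off + sizeof(*attr) + sizeof(id) > total)
                break;
            memcpy(&id, attr + 1, sizeof(id));
            return id;
        }
        off += NLMSG_ALIGN(attr->nla_len);
    }

    return -1;
}

// One piece of a filesystem image: `size` bytes at `data`, to be placed at
// byte `offset` of the image.
struct fs_image_segment {
    void* data;
    uintptr_t size;
    uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

// memfd_create syscall number; 356 is the i386 value, matching the linux/386
// target of this generated program.
#define sys_memfd_create 356

// Normalizes an image description and returns the image size to allocate.
//
// `segments` is the address of an array of `nsegs` fs_image_segment entries.
// For at most IMAGE_MAX_SEGMENTS entries the array is modified in place so
// that each segment's size and offset describe a range inside
// [0, IMAGE_MAX_SIZE). The returned size is `size` grown to cover the end of
// every checked segment and capped at IMAGE_MAX_SIZE.
//
// NOTE(review): the clamp of nsegs is local to this function; callers that
// loop over their own nsegs still visit entries beyond IMAGE_MAX_SEGMENTS,
// which were not normalized here.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
    unsigned long i;
    struct fs_image_segment* segs = (struct fs_image_segment*)segments;

    if (nsegs > IMAGE_MAX_SEGMENTS)
        nsegs = IMAGE_MAX_SEGMENTS;

    for (i = 0; i < nsegs; i++) {
        if (segs[i].size > IMAGE_MAX_SIZE)
            segs[i].size = IMAGE_MAX_SIZE;
        segs[i].offset %= IMAGE_MAX_SIZE;
        if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
            segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;

        // The image must reach the end of the segment, i.e. offset + size.
        // Using offset + offset under-sizes the image for any segment that is
        // longer than its offset. The sum cannot exceed IMAGE_MAX_SIZE after
        // the clamping above.
        unsigned long seg_end = segs[i].offset + segs[i].size;
        if (size < seg_end)
            size = seg_end;
    }

    if (size > IMAGE_MAX_SIZE)
        size = IMAGE_MAX_SIZE;
    return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
    char loopname[64], linkname[64];
    int loopfd, err = 0, res = -1;
    unsigned long i, j;

    size = fs_image_segment_check(size, nsegs, segments);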
int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; 
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); 
rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; 
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_usb() { if (chmod("/dev/raw-gadget", 0666)) exit(1); } static long syz_execute_func(volatile long text) { 
/* Body of the function whose signature ends the previous line. */
	/* p is never read; presumably stack padding around the call below, confirm. */
	volatile long p[8] = {0};
	(void)p;
	/* Transfers control to the address in `text`; the bytes there come from the caller. */
	((void (*)(void))(text))();
	return 0;
}

/*
 * State of one worker thread.
 *   created: nonzero once the thread has been started.
 *   call:    index of the call the worker runs next.
 *   ready:   set by execute_one() to hand a call to the worker.
 *   done:    set by the worker when the call has returned.
 */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls handed to workers that have not finished yet. */
static int running;

/*
 * Worker thread body: waits for `ready`, runs the assigned call, decrements
 * `running` and sets `done`, forever. The trailing return is never reached.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Runs calls 0..42 once, each on the first worker whose `done` event is set.
 *
 * Workers are started lazily. After handing a call over, the function waits
 * for it with a per-call timeout (45 plus an extra allowance for some call
 * indices; the unit is whatever event_timedwait takes, presumably
 * milliseconds). A worker that is still busy is skipped on later calls; if
 * all 16 are busy, the call is not run at all. At the end it polls up to 100
 * times, 1 ms apart, for `running` to reach zero.
 */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				/* A fresh worker starts out idle. */
				event_set(&th->done);
				thread_start(thr, th);
			}
			/* Still running an earlier call: try the next worker. */
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Runs the program repeatedly, never returning. Each iteration creates a
 * working directory ./<iter>, detaches the loop device, forks a child that
 * enters the directory and runs execute_one(), and waits for the child. A
 * child still alive once current_time_ms() has advanced by 5 * 1000 is
 * killed with kill_and_wait(). The directory is removed afterwards.
 */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		/* "./" plus any int value fits in 32 bytes. */
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/*
 * Fallback syscall numbers, used only when the system headers do not define
 * them. They are fixed values for one architecture (the log names linux/386).
 */
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 360
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
/* Every __NR_mmap use below goes to mmap2 instead. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Slots for values produced by one call and used by later ones (see the r[N] assignments in execute_call). */
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_ioctl, -1, 0x125e, 0x20000000);
		break;
	case 1:
		memcpy((void*)0x20000040, "/dev/nullb0\000", 12);
		res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		*(uint8_t*)0x20000080 = 0;
		*(uint8_t*)0x20000081 = 0;
		*(uint8_t*)0x20000082 = 0;
		*(uint8_t*)0x20000083 = 0;
		*(uint8_t*)0x20000084 = 0;
		*(uint8_t*)0x20000085 = 0;
		*(uint8_t*)0x20000086 = 0;
		*(uint8_t*)0x20000087 = 0;
*(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; 
*(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; 
*(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; 
*(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 
3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; 
*(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); 
*(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } }
/*
 * Entry point of the generated C program.
 * It maps the fixed-address data region that the stores in the call cases
 * above write into (every visible store targets an address inside
 * 0x20000000..0x20ffffff), then calls three helpers whose definitions are
 * outside this excerpt.
 * The mmap arguments read as (addr, length, prot, flags, fd, offset).
 * With the usual Linux values, flags 0x32 is
 * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, prot 0 is PROT_NONE and
 * prot 7 is PROT_READ | PROT_WRITE | PROT_EXEC.
 */
int main(void) {
/* One inaccessible page directly below the data region, so an access that runs off the low end faults instead of touching other memory. */
syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
/* 16 MiB data region at 0x20000000, readable, writable and executable at once. NOTE(review): no W^X here, presumably so generated byte strings can be run (cf. syz_execute_func in the program text of this log); confirm against the generator. */
syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
/* One inaccessible page directly above the data region (0x20000000 + 0x1000000). */
syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
/* Helpers defined earlier in the generated source; going by their names and the logged opts of the neighbouring runs (Sandbox:none, UseTmpDir:true) they set up USB emulation, switch to a scratch directory and run the calls without a sandbox. Verify against their bodies. */
setup_usb(); use_temporary_dir(); do_sandbox_none(); return 0; }
: In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor174280131 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/6 (0.39s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true 
RepeatTimes:0 Procs:4 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 
0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 
0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int 
// Returns the current value of ev->state (acquire load): non-zero once set.
event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Waits for the event for at most `timeout` milliseconds (same unit as
// current_time_ms()). Returns 1 if the event was observed set, 0 on timeout.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// Cannot underflow: the loop returns below as soon as now - start > timeout.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// printf-style helper: formats `what` into a 1024-byte buffer (vsnprintf
// truncates longer output) and writes the result to `file` with one write().
// The file is opened O_WRONLY | O_CLOEXEC without O_CREAT, so it must exist.
// Returns false if open() fails or write() does not write the whole string;
// errno from the failed write is restored after close().
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Not referenced in the part of the listing shown here.
const int kInitNetNsFd = 239;

// Entry sizes and byte offsets that the io_uring helpers below apply to the
// mapped ring memory.
// NOTE(review): these are hard-coded; presumably they mirror the kernel's ring
// layout for the targeted kernel version - verify against the kernel headers.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Completion queue entry as copied out of the ring by syz_io_uring_complete();
// its size must equal SIZEOF_IO_URING_CQE for the indexing below to be right.
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Consumes one completion entry from the ring mapped at address a0.
// Reads the CQ mask and head from the ring, copies the entry at (head & mask),
// then publishes head + 1 with a release store.
// Returns cqe.res when user_data is 0x12345 or 0x23456, otherwise -1.
// NOTE(review): a0 comes straight from the fuzz program and is dereferenced
// without any validation, and head is advanced without comparing it to the
// tail. That is how this fuzzing helper is written; do not reuse it as a
// general io_uring consumer.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

// Local copies of the structures passed to io_uring_setup.
// NOTE(review): presumably these match the kernel's definitions - verify
// against linux/io_uring.h for the kernel under test.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets used below to select the SQ ring and the SQE array.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Calls io_uring_setup(entries = a0, params = a1) and maps the ring and the SQE
// array at the fixed addresses a2 and a3; the two mapping addresses are stored
// through a4 and a5. Returns the value io_uring_setup returned.
// NOTE(review): the syscall result is stored in a uint32_t and is not checked,
// so a failure (-1) is passed on to both mmap() calls as the descriptor and is
// returned as 0xffffffff. The mmap() results are stored without a MAP_FAILED
// check, and MAP_FIXED replaces whatever was mapped at a2/a3 before. All of
// this is tolerable in a fuzzing harness but should not be copied elsewhere.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	// Ring size: the larger of the SQ part and the CQ part, computed from the
	// offsets and entry counts found in setup_params after the syscall.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Queues one submission entry: copies SIZEOF_IO_URING_SQE bytes from a2 into
// slot a3 of the SQE array at a1, stores that slot index in the SQ index array
// at position (tail & mask), and publishes tail + 1 with a release store.
// a0 is the address of the mapped ring. Always returns 0.
// NOTE(review): all addresses come from the fuzz program and are used
// unchecked. The slot index is only reduced modulo sq_ring_entries when that
// count is non-zero, and the location of the index array is derived from
// cq_ring_entries as read from the ring, so inconsistent ring contents lead to
// writes at arbitrary offsets from a0/a1.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// End of the CQE array, rounded up to a multiple of 64.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

// Value compared with btf_header.magic in syz_btf_id_by_name().
#define BTF_MAGIC 0xeB9F

// Header found at the start of the BTF blob read from /sys/kernel/btf/vmlinux.
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

// Extract the kind (bits 24..27) and the vlen (low 16 bits) of btf_type.info.
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)
// Kinds for which the type walk skips trailing data after struct btf_type.
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

// Fixed part of every BTF type record.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

// Per-kind trailing records; only their sizes are used by the walk.
struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct
// Trailing BTF records; the type walk in syz_btf_id_by_name() only uses their sizes.
btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Size of the static buffer that holds the BTF blob (10 MiB).
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer once and returns the
// buffer; later calls return the cached copy. Returns NULL if the file cannot
// be opened, a read fails, or the data fills the whole buffer.
// NOTE(review): fd is never closed, on the success path or on either failure
// path, and a failed attempt is not cached, so each retry opens the file again.
// The number of bytes read is not reported to the caller.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

// Looks up the BTF type whose name equals the string at address a0 and returns
// its 1-based position in the type section, or -1 if the blob is unavailable,
// the magic does not match, or no type has that name.
// NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are taken
// from the blob and used without bounds checks against the amount of data read,
// and strcmp() relies on the string section being NUL-terminated. The input is
// the kernel's own BTF, so this is presumably trusted - confirm before pointing
// the parser at any other file. Kinds not listed in the switch are assumed to
// have no trailing data (skip = 0).
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows the fixed btf_type record.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// memcpy(a0 + a1, a2 + a3, a4): both addresses, both offsets and the length come
// from the fuzz program and are used unchecked. Returns the destination pointer
// cast to long.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

// Not referenced in the part of the listing shown here.
#define MAX_FDS 30

// Capacity limits of the descriptor index built by parse_usb_descriptor().
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// Copy of one endpoint descriptor plus a handle field (not set in the visible code).
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface: pointer into the descriptor blob, a few cached fields and the
// endpoints that followed it in the blob.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Index over one emulated device. dev and config point into the caller's
// descriptor blob, so the blob has to stay valid while the index is in use.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

// Slot of the device table: descriptor of the emulated device and its index.
struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Device table and the number of slots handed out so far.
static struct usb_info usb_devices[USB_MAX_FDS];
static int usb_devices_num;

// Builds `index` from a raw descriptor blob. The blob must be at least as long
// as a device descriptor followed by a configuration descriptor, otherwise
// false is returned. The blob is then walked from offset 0 as a sequence of
// records whose first byte is the record length and whose second byte is the
// descriptor type; up to USB_MAX_IFACE_NUM interfaces and up to USB_MAX_EP_NUM
// endpoints per interface are recorded. The walk stops at the first record that
// is 2 bytes or shorter or that would extend past `length`.
// NOTE(review): a record is only required to be longer than 2 bytes and to fit
// inside the blob. The interface branch reads iface fields and the endpoint
// branch copies sizeof(desc) bytes without comparing desc_length to those
// struct sizes (defined in headers not shown here), so a short record close to
// the end of the blob may be read beyond `length`. The blob is fuzzer-provided.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints are attached to the most recently recorded interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Takes the next slot of usb_devices, parses the descriptor blob into it and
// then publishes fd with a release store. Returns the slot's index, or NULL
// when all USB_MAX_FDS slots are taken or the blob is rejected.
// NOTE(review): the slot counter is incremented before either check and is not
// rolled back, so a rejected blob still uses up a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index of the first slot whose fd equals `fd`, or NULL.
// NOTE(review): usb_devices has static storage, so unused slots hold fd == 0 and
// nothing in the visible code sets them to -1; a lookup for descriptor 0 would
// therefore match an unused slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

// Optional descriptors supplied by the fuzz program for the connect phase:
// a string table plus device-qualifier and BOS blobs, each with its length.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptors; the first byte of each array is its length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Chooses the reply to an IN control request during the connect phase. Only
// standard GET_DESCRIPTOR requests are answered: device and configuration come
// from the index registered for fd, strings from descs (with built-in
// defaults), BOS and device qualifier from descs. On success the reply is
// returned through response_data / response_length and the result is true;
// false means no reply was selected (unknown fd or unhandled request).
// NOTE(review): the string branch checks descs for NULL but the BOS and
// DEVICE_QUALIFIER branches dereference descs unconditionally.
// NOTE(review): when no qualifier is supplied, the qualifier is built at the
// address held in response_data itself, i.e. over the caller's char* variable,
// and *response_data is never assigned on that path. The descriptor was
// presumably meant to go into a separate buffer that *response_data then points
// to; as written the bytes land in the caller's storage (which may be smaller
// than the descriptor) and the caller is left with a meaningless pointer.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// High byte of wValue selects the descriptor type.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// Low byte of wValue is the string index.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs->qual) {
					struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Signature shared by the handlers for OUT control requests in the connect phase.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only the standard SET_CONFIGURATION request and
// sets *done when it arrives. fd and descs are not used.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Vendor request codes handled by the ath9k OUT handler below.
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// OUT handler for the ath9k variant: accepts SET_CONFIGURATION and the vendor
// request ATH9K_FIRMWARE_DOWNLOAD without finishing, and sets *done only on
// ATH9K_FIRMWARE_DOWNLOAD_COMP. fd and descs are not used.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Tables of canned replies supplied by the fuzz program for the control phase.
// len in the two table structs is a byte length: lookup_control_response()
// derives the entry count from it.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Chooses the canned reply for a control request. GET_DESCRIPTOR requests are
// matched against descs by request type and descriptor type; every other
// request is matched against resps by request type and request code. If no
// entry matches, the table's `generic` entry is used when present. Returns
// false when nothing applies. A matching entry with len == 0 yields a NULL
// data pointer.
// NOTE(review): the entry counts are computed from the len fields without
// checking that len is at least the size of the table header, so a smaller len
// wraps around in the unsigned subtraction before the conversion to int.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

// Local declarations for the ioctl interface of /dev/raw-gadget.
// NOTE(review): presumably copied from the kernel's raw-gadget UAPI header -
// verify against the kernel under test.
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

// ioctl request codes, magic 'U', numbers 0 to 15.
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Opens /dev/raw-gadget read-write; returns the descriptor or -1.
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Fills a usb_raw_init request with the driver name, device name and speed and
// issues USB_RAW_IOCTL_INIT. Returns the ioctl result.
// NOTE(review): strncpy() with the full array size leaves a name of
// UDC_NAME_LENGTH_MAX characters or more without a terminating NUL.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

// The wrappers below each issue one raw-gadget ioctl on fd and return its result.
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_configure(int fd) { return ioctl(fd,
USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct 
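usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

/* Endpoint I/O header followed by a fixed-size payload buffer. */
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

/* Creates an emulated USB device through raw-gadget and answers control
 * requests until the supplied OUT handler reports that enumeration is done.
 *
 * IN requests are answered via lookup_connect_response_in(), OUT requests via
 * lookup_connect_response_out; a rejected request stalls EP0. The reply
 * length is dropped to 0 if it exceeds the local buffer and is capped at the
 * host's wLength before anything is copied. Returns the gadget fd on success
 * and a negative value on failure.
 *
 * NOTE(review): every error return after usb_raw_open() except the MAX_FDS
 * check leaves fd open, and after add_usb_index() also leaves the fd
 * registered in the index table. Closing it here would need the index entry
 * released as well, which this excerpt does not show how to do. */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		/* Bound the copy below by the local buffer and by what the host asked for. */
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

/* Pseudo-syscall: connect an emulated device using the generic OUT handler.
 * a0 = speed, a1 = length of the device description, a2 = pointer to it,
 * a3 = pointer to the connect descriptors. */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Same as syz_usb_connect() but with the ath9k OUT handler. */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/* Pseudo-syscall: fetch one control event from gadget a0 and answer it from
 * the tables at a1 (descriptors) and a2 (responses). IN requests with a
 * non-zero wLength are written to EP0; everything else is read from EP0.
 * Returns 0, -1 or the negative ioctl result.
 *
 * NOTE(review): the interface switch is guarded by
 * "type == STANDARD || bRequest == SET_INTERFACE", so it also runs for every
 * other standard OUT request and for non-standard requests that reuse the
 * SET_INTERFACE request number. It looks as if "&&" was intended; confirm
 * before changing, since lookup_interface() simply returns -1 on a miss. */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	/* Table-supplied lengths are bounded by the local buffer and by wLength. */
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: write a2 bytes from a3 to the endpoint with address a1 on
 * gadget a0. The length is capped at the local buffer size. */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: read up to a2 bytes from the endpoint with address a1 on
 * gadget a0 into a3. The length is capped at the local buffer size.
 *
 * NOTE(review): the copy-out uses the requested length, not the ioctl's
 * return value. If the ioctl reports fewer bytes than requested, the
 * remainder of io_data.data is uninitialised stack that ends up in the
 * caller's buffer; presumably rv is the transferred byte count -- confirm
 * and bound the memcpy by it. */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: close the gadget fd, which disconnects the emulated device. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/* Pseudo-syscall: open a device node.
 * a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>.
 * Otherwise a0 is a path template; each '#' is replaced by successive decimal
 * digits of a1 and the result is opened with flags a2. The template is copied
 * into a bounded, NUL-terminated buffer first. */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/* Pseudo-syscall: open a procfs file named by a1 for the current process
 * (a0 == 0), the current thread (a0 == -1) or task a0. Tries read-write
 * first and falls back to read-only. */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/* Pseudo-syscall: open the slave side of the pty whose master is fd a0,
 * using open flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/* Pseudo-syscall: create a socket inside the network namespace saved at
 * kInitNetNsFd and then switch back to the caller's namespace. errno from
 * socket() is preserved across the switch back.
 *
 * The handle on the current namespace is now closed when the first setns()
 * fails; previously that path returned with the descriptor still open. A
 * failure to switch back is fatal because the process would otherwise keep
 * running in the wrong namespace. */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

/* Pseudo-syscall: resolve a generic-netlink family name to its numeric id.
 * The body continues past the end of this block. */
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len =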
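sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

/* One chunk of a filesystem image: size bytes at data, placed at offset. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

/* Sanitises a caller-supplied segment list in place and returns the image
 * size to allocate.
 *
 * At most IMAGE_MAX_SEGMENTS entries are examined. Each segment's size is
 * capped at IMAGE_MAX_SIZE and its offset is reduced so that offset + size
 * stays within IMAGE_MAX_SIZE. The returned size is grown to cover the end of
 * every segment (offset + size) and capped at IMAGE_MAX_SIZE. The previous
 * code compared against offset + offset, which could return a size smaller
 * than a segment's end and leave the later pwrite() to extend the file.
 *
 * Callers must apply the same IMAGE_MAX_SEGMENTS cap to their own loops,
 * because entries beyond it are not sanitised here. */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/* Pseudo-syscall: build a disk image in a memfd from the given segments,
 * attach it to this process's loop device with partition scanning enabled,
 * and symlink every partition node that appears as ./fileN.
 *
 * Returns 0 on success and -1 on failure with errno set. The loop device is
 * detached and both descriptors are closed on every path, including success.
 * Individual pwrite()/symlink() failures are ignored. */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);
	/* Only the first IMAGE_MAX_SEGMENTS entries were sanitised above. */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* Device still bound from an earlier run: detach and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

/* Pseudo-syscall: build a filesystem image in a memfd from the given
 * segments, attach it to this process's loop device and mount it on dir.
 *
 * fsarg is the filesystem type, optsarg the mount options. Both are copied
 * into bounded, zero-filled buffers; opts keeps 32 bytes of headroom for the
 * option appended below. Returns 0 on success and -1 on failure with errno
 * set. */
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	/* Only the first IMAGE_MAX_SEGMENTS entries were sanitised above. */
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* Device still bound from an earlier run: detach and retry once. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		/* "==" binds tighter than "||": errors=continue is appended when
		 * errors=panic is present or errors=remount-ro is absent. */
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

/* Stub: KVM CPU setup does nothing in this build and reports success. */
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

/* Mounts fusectl so hung FUSE connections can be aborted later; failure is
 * ignored. */
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

/* Confinement shared by the sandbox modes: die with the parent, start a new
 * process group and session, keep a handle on the current network namespace
 * at kInitNetNsFd, apply resource limits, unshare several namespaces (each
 * failure is ignored) and write fixed SysV IPC sysctl values. */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically in the listing. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/* Waits for child pid (reaping any other children on the way) and returns
 * its exit status. A negative pid, i.e. a failed fork, is fatal. */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/* Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the current process; any capget/capset failure is
 * fatal. All other capabilities are left as they were. */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/* "none" sandbox: fork, and in the child apply the common setup, drop the two
 * capabilities above, try to enter a new network namespace and run the test
 * loop. The parent waits and returns the child's exit status. No uid change
 * is made here, so the child keeps the caller's privileges apart from the
 * dropped capabilities. */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/* Recursively deletes dir and everything under it.
 *
 * Entries are classified with lstat(), so symlinks are unlinked rather than
 * followed. On EPERM the inode flags are cleared with FS_IOC_SETFLAGS and the
 * operation is retried; EROFS is skipped; EBUSY is retried up to a bound; a
 * directory that turns out non-empty is rescanned up to 100 times. Any other
 * failure terminates the process. */
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/* Kills the test process and its process group and reaps it. If it has not
 * exited after about 100 ms, every FUSE connection is aborted through
 * /sys/fs/fuse/connections/<id>/abort (a process blocked on FUSE cannot be
 * killed otherwise) and the wait becomes blocking. */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detaches whatever is bound to this process's loop device, if it can be
 * opened. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/* Per-test setup in the child: die with the parent, own process group, and
 * make this process the preferred OOM-killer victim. */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

/* Pseudo-syscall: calls the bytes at address text as a function. The bytes
 * come from the generated program and are executed as-is, so this is only
 * safe inside the disposable test environment the sandbox code sets up. */
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}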
/* One worker thread slot: created marks lazy initialisation, call is the
 * index handed to execute_call(), ready/done are the hand-off events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls that have been handed to a worker and not yet finished. */
static int running;

/* Worker body: wait for a call index, execute it, decrement the running
 * counter and signal completion; repeats forever. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/* Runs the 43 calls of the program in order. Each call is given to the first
 * worker whose done event is set (workers are started on first use) and is
 * waited for with a per-call timeout: 45 plus an extra allowance for the call
 * indices listed in the expression. A call that times out keeps its worker
 * busy and the next call moves on to another worker. Afterwards the function
 * polls for up to 100 iterations while calls are still running. */
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/* Outer test loop: for every iteration create a fresh working directory,
 * reset the loop device, fork a child that runs the program once inside that
 * directory, and wait for it. A child still alive after 5 seconds is killed
 * with kill_and_wait(). The working directory is removed afterwards. Never
 * returns. */
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Fallback syscall numbers for headers that lack them. */
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 360
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
/* mmap is always routed to mmap2 in this build. */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Results of earlier calls that later calls consume as arguments. */
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_ioctl, -1, 0x125e, 0x20000000);
		break;
	case 1:
		memcpy((void*)0x20000040, "/dev/nullb0\000", 12);
		res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		*(uint8_t*)0x20000080 = 0;
		*(uint8_t*)0x20000081 = 0;
		*(uint8_t*)0x20000082 = 0;
		*(uint8_t*)0x20000083 = 0;
		*(uint8_t*)0x20000084 = 0;
		*(uint8_t*)0x20000085 = 0;
		*(uint8_t*)0x20000086 = 0;
		*(uint8_t*)0x20000087 = 0;
*(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; 
*(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; 
*(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; 
*(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 
3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; 
*(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); 
*(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } : In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor687234607 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/17 (0.38s) 
csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, 
&(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) 
syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, 
{&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, {&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, 
"8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 
0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, 
"1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, "25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, 
&(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, "2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, 
"fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, &(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", 
"f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, "bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, 
"905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, 
&(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; 
} event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? 
(long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
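btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Capacity of the static buffer that receives /sys/kernel/btf/vmlinux.
// read_btf_vmlinux() rejects a blob that fills the buffer completely.
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Reads /sys/kernel/btf/vmlinux into a static buffer on the first successful
// call and returns that buffer on every later call.
// Returns NULL when the file cannot be opened, a read fails, or the data
// reaches VMLINUX_MAX_SUPPORT_SIZE bytes; is_read stays false in those cases,
// so the next call tries again from the start of the buffer.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			// The descriptor used to be left open here; since a failed
			// read is retried on every call, each retry leaked one fd.
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	// The buffer is complete; the descriptor is no longer needed.
	close(fd);
	is_read = true;
	return buf;
}

// Pseudo-syscall: looks up the type named by the string at a0 in the vmlinux
// BTF blob. Types are counted from 1; returns -1 when the blob is unavailable
// or its magic does not match BTF_MAGIC. (The remainder of the function
// continues after this span.)
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// NOTE(review): hdr_len, type_off, str_off, type_len and name_off are
	// used as read from the blob, without comparing them to the number of
	// bytes actually loaded — confirm this is acceptable for kernel-provided data.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows struct btf_type.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case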
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { 
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
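USB_RAW_IOCTL_CONFIGURE, 0); }

// Issues USB_RAW_IOCTL_VBUS_DRAW with the given power value.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL on the raw-gadget descriptor.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface whose number and
// alternate setting both match, or -1 when fd has no device index or no
// interface matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;

	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the handle recorded for the endpoint with address bEndpointAddress
// on the currently selected interface, or -1 when fd has no device index, no
// interface is selected, or no endpoint has that address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	// The loop must be bounded by eps_num. The previous condition tested only
	// that eps_num was non-zero, so an address that matched no endpoint made
	// ep walk past the end of eps[] instead of reaching the "return -1".
	for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

// Switches the device behind fd to interface n: disables every endpoint of
// the currently selected interface, then enables every endpoint of interface
// n, stores the returned handles and records n as current. Does nothing for
// the second step when n is outside [0, ifaces_num).
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: the result of the disable is not acted on.
			usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// A failed enable leaves the stored handle untouched.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Applies the device's bMaxPower via usb_raw_vbus_draw(), calls
// usb_raw_configure(), then selects interface 0. Returns 0 on success, -1
// when fd has no device index, or the negative result of the failing call.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}

// Size of the data area in the control-event and endpoint I/O buffers below.
#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct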
usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else 
memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = 
event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = 
usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = 
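sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	// buf is zero-initialised, so a name of GENL_NAMSIZ or more bytes is the
	// only case in which the copied name is not NUL-terminated.
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The reply is received into the same buffer that held the request.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// NOTE(review): the walk advances by the nla_len found in the reply; an
	// attribute with nla_len == 0 would never advance, and the last header is
	// read without checking that sizeof(*attr) bytes remain — confirm the
	// reply format rules both out.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: size bytes at data, placed at offset.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
// Syscall number used for memfd_create in this program; presumably the value
// for the linux/386 target this listing was generated for — TODO confirm.
#define sys_memfd_create 356

// Clamps the segment table at `segments` in place and returns the image size
// to allocate: at least `size`, large enough to hold every checked segment,
// and never more than IMAGE_MAX_SIZE.
// At most IMAGE_MAX_SEGMENTS entries are examined. Each examined entry gets
// its size capped at IMAGE_MAX_SIZE and its offset reduced so that
// offset + size stays within IMAGE_MAX_SIZE.
// NOTE(review): the clamp of nsegs is local to this function. The callers
// iterate over their own nsegs, so entries beyond IMAGE_MAX_SEGMENTS would be
// written without these limits — confirm whether that is intended.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;

	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The image has to reach the END of the segment. The previous code
		// compared against offset + offset, which ignores the segment size.
		// After the clamps above offset + size cannot exceed IMAGE_MAX_SIZE,
		// so the sum does not overflow.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);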
int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	// Size the in-memory file to the value returned by fs_image_segment_check().
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop uses the caller's nsegs. fs_image_segment_check()
	// takes nsegs by value and adjusts at most IMAGE_MAX_SEGMENTS entries, so
	// entries beyond that count would be written here without having been
	// bounds-adjusted. Consider clamping nsegs before this loop.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
			// A failed write is ignored (and a short write is not detected).
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// EBUSY: detach whatever is attached to the loop device, wait 1 ms and
		// try once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	// Read the current loop status, add the partition-scan flag, write it back.
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Probe partition nodes p1..p7; j numbers only the ones that exist, so the
	// links are ./file0, ./file1, ... without gaps.
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
				// symlink failure is ignored.
			}
		}
	}
	// The success path falls through these labels as well: the loop device is
	// detached and both descriptors are closed in every case.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Builds a filesystem image from the given segments and mounts it.
//
// fsarg    - address of the filesystem type string; at most sizeof(fs) - 1
//            (31) bytes are used.
// dir      - address of the mount point path; mkdir() is attempted on it and
//            the result is ignored.
// size, nsegs, segments - image description, passed through
//            fs_image_segment_check().
// flags    - mount(2) flags; MS_RDONLY is added for "iso9660".
// optsarg  - address of the mount option string; at most sizeof(opts) - 32
//            (224) bytes are used, which leaves room for the options this
//            function appends.
//
// Returns 0 on success and -1 on failure; errno is set to the error of the
// failing call (0 on success). Nothing in this function unmounts the image.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): same as in syz_read_part_table() - the loop bound is the
	// caller's nsegs, not the clamped count used by fs_image_segment_check().
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
			// A failed write is ignored (and a short write is not detected).
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// EBUSY: detach whatever is attached to the loop device, wait 1 ms and
		// try once more.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	// Both strings come from caller-supplied addresses. The buffers are zeroed
	// first and the copies stop short of the buffer end, so the results are
	// always NUL-terminated.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	// The 32 bytes held back here are what the strcat() calls below rely on.
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append ",errors=continue" when the options ask for errors=panic or do
		// not ask for errors=remount-ro. Presumably this keeps a damaged image
		// from panicking the test kernel or flipping the mount read-only -
		// TODO confirm that the later option overrides the earlier one.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// The success path falls through these labels as well: LOOP_CLR_FD is
	// issued and both descriptors are closed even when the mount succeeded.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub: ignores all eight arguments and returns 0.
// NOTE(review): presumably the real implementation is not emitted for this
// target - confirm against the generator.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts the fusectl filesystem at /sys/fs/fuse/connections; a failure is
// ignored. kill_and_wait() later walks that directory.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Process-level confinement applied before the test loop runs: parent-death
// signal, new process group and session, a saved descriptor for the current
// network namespace, resource limits, fresh mount/IPC/cgroup/UTS namespaces
// and fixed SysV IPC sysctls.
//
// Only the network-namespace setup is fatal on error; the results of
// setrlimit() and unshare() are not checked, so any of those limits or
// namespaces can be silently missing.
static void sandbox_common()
{
	// Die with SIGKILL if the parent goes away.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Keep the current network namespace reachable on the fixed descriptor
	// kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	// Address space: 200 MiB.
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	// Locked memory: 32 MiB.
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	// File size: 136 MiB, i.e. above IMAGE_MAX_SIZE (129 MiB).
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	// Stack: 1 MiB.
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
	// Core dumps disabled.
	setrlimit(RLIMIT_CORE, &rlim);
	// At most 256 open descriptors.
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Each unshare() result is deliberately ignored: a namespace type the
	// kernel or the caller's privileges do not allow is simply left shared.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP in the Linux headers.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore limits written on every
	// start.
	static const sysctl_t sysctls[] = {
		{"/proc/sys/kernel/shmmax", "16777216"},
		{"/proc/sys/kernel/shmall", "536870912"},
		{"/proc/sys/kernel/shmmni", "1024"},
		{"/proc/sys/kernel/msgmax", "8192"},
		{"/proc/sys/kernel/msgmni", "1024"},
		{"/proc/sys/kernel/msgmnb", "1024"},
		{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Waits for child `pid` and returns its exit status.
//
// Exits the process if pid is negative (the fork() in the caller failed).
// Other children reaped by waitpid(-1, ...) in the meantime are discarded.
// NOTE(review): WEXITSTATUS() is applied without checking WIFEXITED(), so the
// value is not meaningful if the child was killed by a signal.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process; exits if capget/capset fails.
//
// All other capabilities are left as they were, and the bounding set is not
// touched here. Both capability numbers are below 32, so only cap_data[0]
// needs changing.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Entry point of the "none" sandbox: forks a child that applies
// setup_common(), sandbox_common() and drop_caps(), moves into a new network
// namespace and runs loop(); the parent waits and returns the child's exit
// status.
//
// No uid/gid change and no syscall filter happen on this path. The child
// keeps the caller's identity minus the two capabilities dropped above, and
// the unshare() failures are ignored, so the confinement is only whatever
// namespaces and rlimits actually took effect.
static int do_sandbox_none(void)
{
	// Takes effect for the child created by the fork() below.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	// Reached only if loop() returns.
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir` and everything below it; exits the process on any
// error it cannot work around.
//
// Entries are classified with lstat(), so a symlink is unlinked rather than
// followed. On EPERM the inode flags are cleared with FS_IOC_SETFLAGS and the
// operation is retried; EROFS is skipped; EBUSY is retried; ENOTEMPTY from
// rmdir() restarts the directory scan (at most 100 times).
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches exit; EMFILE is not treated differently here.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat(): a symlink is examined itself, not its target.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear all inode flags and retry the unlink.
				// NOTE(review): this `continue` skips the `i > 100` check
				// below, so an unlink() that keeps failing with EPERM while
				// open() succeeds is retried without bound; the rmdir loop
				// further down caps the same path at 100 tries.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// Read-only filesystem: leave the file in place.
			if (errno == EROFS) {
				break;
			}
			// Only EBUSY is retried, and only while i <= 100.
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared after the scan: rescan, at most 100 times.
			// dp has already been closed at this point.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kills child `pid` and its process group with SIGKILL and reaps it, storing
// the wait status in *status.
//
// The child is polled for up to 100 x 1 ms. If it has not been reaped by
// then, one byte is written to the `abort` file of every entry under
// /sys/fs/fuse/connections and the function then blocks until the child is
// reaped - presumably because a task stuck in a FUSE request cannot exit
// until its connection is aborted (TODO confirm).
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// The byte written is just the first character of the path buffer.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever backing file is attached to /dev/loop<procid>; does
// nothing if the device cannot be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test child setup: parent-death SIGKILL, own process group, and an
// oom_score_adj of 1000 so that this process is the preferred OOM victim.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Mounts binfmt_misc (a failure is ignored) and registers two handlers, syz0
// and syz1, both naming ./file0 as the interpreter.
static void setup_binfmt_misc()
{
	if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
	}
write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
	// Register strings follow :name:type:offset:magic:mask:interpreter:flags.
	// syz0 matches the byte 0x01 at offset 0; syz1 matches 0x02 at offset 1 and
	// carries the flags "POC". The interpreter is the relative path ./file0.
	write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC");
}

// Calls the memory at address `text` as a void(void) function and returns 0.
//
// Whatever bytes the caller stored at that address are run as machine code
// inside this process; nothing here validates them. `p` is an otherwise
// unused volatile stack array.
// NOTE(review): presumably `p` pads the frame so the called bytes do not
// immediately clobber this function's own state - confirm.
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// State of one worker thread.
struct thread_t {
	// created: non-zero once the thread has been started.
	// call:    index of the call the thread is asked to run.
	int created, call;
	// ready: set by execute_one() to hand over a call.
	// done:  set by the worker when the call has returned.
	event_t ready, done;
};

// Fixed pool of 16 workers, started lazily by execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not returned yet.
static int running;

// Worker thread body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`, forever. The trailing return is never reached.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs calls 0..42 of the program once.
//
// Each call is handed to the first worker whose `done` event is set, and the
// dispatcher then waits for that worker with a timeout of 45 ms plus a
// per-call extra. A call that times out keeps its worker busy while the
// dispatcher moves on; if no worker is idle, the call is skipped. After the
// last call the function waits up to 100 x 1 ms for `running` to reach zero.
// Workers are never joined.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Worker still busy with an earlier call: try the next one.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ?
300 : 0));
			break;
		}
	}
	// Give calls that are still in flight up to 100 x 1 ms to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Supervisor loop; never returns.
//
// Every iteration creates a fresh working directory ./<iter>, detaches the
// loop device, and forks a child that changes into that directory, applies
// setup_test() and runs the program once. The parent polls for the child
// every millisecond, kills it via kill_and_wait() once 5 seconds have passed,
// and then deletes the working directory with remove_dir().
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			// Keep polling until the 5 second budget is used up.
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define
// them.
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 360
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
// From here on every mmap call in the program is issued as mmap2.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: a call stores a value it obtained (for
// example r[0] from the openat in case 1) and later calls pass it on.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_ioctl, -1, 0x125e, 0x20000000);
		break;
	case 1:
		memcpy((void*)0x20000040, "/dev/nullb0\000", 12);
		res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		*(uint8_t*)0x20000080 = 0;
		*(uint8_t*)0x20000081 = 0;
		*(uint8_t*)0x20000082 = 0;
		*(uint8_t*)0x20000083 = 0;
		*(uint8_t*)0x20000084 = 0;
		*(uint8_t*)0x20000085 = 0;
		*(uint8_t*)0x20000086 = 0;
		*(uint8_t*)0x20000087 = 0;
*(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; 
*(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; 
*(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; 
*(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 
3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; 
*(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); 
*(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } }
/*
 * Entry point of the generated test program.
 *
 * Creates three fixed-address mappings with raw mmap syscalls, then calls
 * three setup helpers that are defined outside this excerpt and returns 0.
 * The mmap return values are not checked, so a failed mapping is not
 * reported here.
 */
int main(void) {
  /* One page directly below the data area; prot 0 is PROT_NONE and 0x32 is
   * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on Linux/x86, so the page is
   * inaccessible. */
  syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
  /* 16 MiB data area at 0x20000000 with prot 7 (read | write | exec); the
   * hard-coded 0x2000xxxx stores and memcpy targets in the call cases above
   * fall inside this range. */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
  /* One inaccessible page directly above the data area (0x20000000 +
   * 0x1000000 = 0x21000000). */
  syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
  /* NOTE(review): these three helpers are not visible in this excerpt;
   * judging by the names only, they set up binfmt_misc, switch to a
   * temporary directory and start the run in the "none" sandbox - confirm
   * against their definitions. */
  setup_binfmt_misc();
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}
: In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor414633756 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/7 (0.39s) csource_test.go:122: opts: {Threaded:true Collide:false
Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="e2a379510738be3d3baf49a170f089f56f7b3a43bd926f2f3368f38e97340af9b0991ea98f4653252c0bef6ad26582b600545465591faefd00782e31c8aee9f23990d2d95f8710d110409dc3dad1581794fb09f6349e937b1df1bb8a9a09ce60c41282376e6ac607888c64fcd9ecf5405063ba5f642a295b4f778f2cabccf6c9007071b1a9ec31eea5daf62d371a56de309549974911a5797fa34026e85bb7f5427ab4965f11a3aba18ed0fe280e45c26412838fc5bbe0f6de63d011c06b413e3d4a15296b6f7915dffecdd407504faa2fe63bb190af9061709a982094f620793c042532f51314dd0753b832a65859e178d94dd169a1b767748566d13f170da36f2a51053d8b67fb5f12d86bf36046eab9b7c26c50786c9b29a2605c5631ab30261669971a48470d982c3088be7cffd1f0c6775e5757db6148dd74c5954e34c40088659a1f44d053465985ed20039bced7ea9dec7e25cd6d600d1ed31aed53885fc7ef8789eea0639d2b250dcdf4ad71bbdabf4ba18af29ac819ae431864db1b0353bc5cb2041943b44513f7c679f348bd2962b27487bc7dc7488cff13a24b658f31b4afc9e5013ab460cf3a014a8f19909e75bc3d4144f5d32e370de74f4402a0db5339c1e3616d2147743652dd73940d37550cc961b08b3a33b79c4a2f3f1ab4b2364c24031cce1f29beaf574b1318844fcc9387d2cf798334de0816d528f087f56751f763b82c760fe19ef95fd2e552c8ec74bfee9b6c8e3341b3baff5405edbed709fb1ea130a1a6e30acf7232c0194034daf0ef117115ab220f1161a838940ef60072c406557f56f13f3021b40842f9114b0ae9cd8244230c2227ce7c7e71503ba5253d63081ca9af8fc4a4e2c3039a0bad1af91ed4cb91b9bd42d8ee5e0bd9844f92f4af1ea5b88380a99b1adc7057b9157b61021abce377dca6af6c2dd98f02c23a8459ccbe650b66d06bbae0609928e84d5c611e2c6feb6a43d0aa532b12d5e3260448cd82372b11f9dc8f94665a3ab864eb3eb0e5b073200249a674047ee8fff8fb4f55653060efb6a00d70b0fe4a7f5dca7d9c71604fa70b0e40569339e52ba52b7d7008533306165c978d030a852c0dd75996904720a10a3a9d0f2f67f258e439047a6a5b08490409aa84ec296f67b88b8011cb39c67800efec6ec43e732aee04cc18c4ceddc9686a432011e1df5fa1292c7bdae62731573ec5233293ff4ed671e52c951d8e00836db9363534bc8c1e91d98cab7d0606c170d409d96d3225f56206b600fc1a783941aade248338dba66d56f8fc197d19cedd5f1a65d5f1d85a4cb4497342d197df417d4317777c81e707f1b9dadd3826
5324f41aa85021b2d7edc0ff4a527db85ff141652eeb5e766e189e11e6307a4475d5f793e822b7ecbc7e2ff3f6f9a8399af692649d67305c86b479169df12f749102069da164ad14655e0532fc419b51f29b28d1f408f5236ce921509f3f611a565a5e38685744470f6e457bdd057d727f7ecfaa468473bcba94c43ead22f8527843245f372275946bd4599f3a8ae91ec3140870be91d2fbfcbd7e504da3d6f49e905aca167832d7c35a56a28abc852090292318ec1f08bf3d71de7360d6d04900d773a7f40c3db7aabfc27a338e87d578f430ee490e48221406d31c62220c2bd9e1793eed1b84aba0adc3d54eed59ae3b83e5a1147721fcc227cff96c8065f8665cbfef93521ca1bf4b100e62896cfdca36e7f7b4b3fd3babf5c18c90030fbf904d4f4c3fb23af16b1e3744ca6ab123df90b168eaa138324ebf98ecd66dd64ee906236bf3a0296be1df81387ba95700e04ce26637ca4dfb70c67d32a2e7acde219cef54e4c9ec1c27b5b6a388ca515af6e5efc493a30fa9324e1f2b2b51267fbb26f3d4292e836cb709e92a6e0e11aff386b3d45d81a2d35fe971cbff8a32f52d046b9ba9a4bc77267a2e86a480a9ec50361d5ed59ba540ae1cf0e7eaaa5d8f5b2e38527fde78ecf842ec48cf681fd452aa5c60d06474f6422ad08db4fa0788c56563f52cbd383627e11f98eb40ec74961c028b1fcd7b25d4cd289dbc761fb1ec00a6183513c5f76da7546416fb81e8661f93f4234fdf3a3398d8bb8c69902e6d9f3fc165e6d9f39eb2acc189ab7b49013b2c74d0788ee05fc117335d478380013eab173ddc7a927f03080c2ea705b68f664a3be270221172d2995b15b4d0ab25d4668ab7587d24e831c5c7841fa00bd063021d3f43405b35c6c79dd4030fc630ee78d7e64a90cc2761421624d48ac0764d8a903c5a8b0a213120871b9e82a3b1f92455380b950832651b6d0d9bdb249055d55fa49fc7296147cbcec6059a0047ae6e86b51ae3b5aff498ceed671ddd0e2bd97fd7f39a3280bd80996ac7bb98187709938246f8e0cb9cca0a189d18cb9dcdd52186feb935f4a5326c3bc1348a05f0e7180452a43e7f2b6fb35a4196afda0f1993383dd203694c1ab53be64481c0d9c78801610789f9f5130b4a143f09229e8d89d0ad09edf971cf0fe495d7552b7a791a9054232e8d22976621b7f6be03e7e0bf8e5ed83db94efc748c93a06c124f55dd8efe11e15d83e1fce582b19be10dcc1b3eb594291aaabd56cb94df315920b042d07934ac796d0a91078626ee57e25763791f7dde8bc04e1883fb2273c799b97e3166c56ceaa3699c31739f63ef94605b20860606ceaf97be55b979fdc17fa9ba2990bbefde17eb5398176091e536730129c4c31504ce1fc41f13e7d90301ff02ad5b5f52
3c6ae7efa87c76af1ecc4b6715251a58ca3c68ca954a9345cf08697ec54376dfaf232cd6ede5ad85c1234fbcb4a992535b70135a5eb7d1f2de13629871b02acb455694e91d5bbb972c1c3998ec765749b4ca83c705529c046e8593ba4709e430cf190aba4fd00a6d722d0598e80b7af8fbb6c053dc4068e3bfaa0015d3545646e40eb312700e7b068ca644792d6d39447a353f6d6575b01f3a20cf310117a832dbc76b460146dee06c859580ba5e59946e90a168d98a06282d02f99540f4b1fce194cc7cc089b1b2da11d59bee5477383f83fe7f50011ec438561f17b39dabee3794761cdef6c54a60c49de8fd6aecf0b5a5b5c056a8de90805e0d5a4cba91eb7746e54498aad35d268e923c5c396581835cf2038e2a1f28a843228472aa2e4cbde6aa7665716f239ba5680d1d8d6cd7277af1f2db87e5f5332fa904d6975f4247f33f00c17b95df1db792398c0be2ab89c6f0ffb1d9f3d30e36b0bcdee55623e67ed59b641e1d3ad243a61ab8003ed9d50186457b845b0f5e59460aeb8d49fa236b691a9572f043f3d83d3853a658c092fec3eef9b58f3be0532e46da34f732398d418a82a47fd2bec7aa9fdf0a05a2a4abd650dcd99c095be5a025d4dd8de7b606f7c21fcf490a100ec288f419316b4add08591060f5c40230ee639aff35d4bb207fe401029cffd104715dcd48c7c598f5ea42b0bd271e6a10066d613217655dbf37bc467d973572d7c28779c9981cabc55e683fbb1e9af7e00cc4a222a54f24edf923762d8e0fbc099e420a78b1fcfb54a4002fdf6e30a3445f929dd97c4aef13cd8a0a3b19cb2ba731d3c99aad631166b75f13a95498e11dba4094eb5d1f1571b6987c278912a05a9ec5e2f93d21604e496ae6f763ed433bc26c5d2fdfeefc02d8732b29091c32ad16fbb47de0a56a36c5c7d26665ce565571aee87e729e1727e8e149b44cbc5819eb1abc317eabfdbc5447dc1fa9ed585281f1a9c33bd5bbae662621e6460e37617e88304fd6889d775ad30388b208b4102495dd4a601579fef079678b66816a46a91cd0d344af0afa8ee55ab222d720a0367275757aa38d043cec888e9e93a4ff91c1ccbbc685f6fe2710474da5c4376b6c037b2ac57ab078421ff2f06ef8abcc7bfa18195ae5d3236c492494f1c665dc2052e0b567e991727082f6f529cff4412d5cfd8aca31f0a4d32332e8cc992a39017d8e5a8525a9f6ab5009e7067b2773591779fa6de17c077445c39b4f3255c2df10701045fa070ac4aedb551bfe92ac48e0faca060768edf4b3fb101f3d4cdcb2ec9313c02898aa36874267468286e98ffdbacb29fb64072799bb3d885bf308d6ca001355642ad258b965f9597b30fe6c3af1e89c10d641f4e2ab7cf5a4687d6b69157a49f9f40791ef46f4cba6
e0f248773c350bf3143cece92ef7c746d4988c8351c8067e3c4b841089d985e09ecb40157d7a171f4e645518c52598fa794425669f59a27d8bedc147e09057b5d2f9f4611cac951058b9d2527fe7b470289a2f16fa4dee150652086e4cc194c3cad63aee9aa77b00df7cb421401d1394e0fbae8e8e14ef28f128601aa1c91d3e71edc07a46267731ea085fea0b2781fe5b3337fb391f4a91ce752aeb7251aa0c3bf304e989220d414eab0af48d4a86bf43f13ee6b97615f51a3677feef14dc4ae47db07b874176d18f50094a309700279f412924e918eb3e6c1b9fa3c1444f28b691ceb9c33d34b5b3733d3eb0c9e69cb6f36bca69d1d69913aeb51f0cb59828527f791fe7f61fb430bace6456abc322fb52a131f5aed3221afd1d369d7bb41f60bfb349b5cf73043b9092613032c7dd3220bce9d9b84fd2ceb48a76ff0c34cf5bf8cc55b575e240f4e6c1c5cf93980cc6f68fd1ac7cc10e0e483339dde6691eb7d2b700e93ffdf810953762216e99b5640149af63144a09051b683db0dfb1b79371bc7a4a559ae6271838a868468e54aadef03ba40ca127aa2c2751da79202dcad72e4f1593041db53bbf4f8064170fe85c46e59ff00b9eb4bf2e01eab7197a00704e3c7084a80699ed5aaae7bbae0684e5fb3ed60c6620c73aa013313713279bf958a21f56f96746e160623f1076a5ea95a23fc908373bc078221894ccc77949ffd3659470d83f860762b0302bf3e404046c0c32a71eb85e674111cb9c2d490b8b4f5bfd1fa9382a4296d97326d6a728378ab35c0a349ed69349f75b89adf8dc9e5baed276c92614c29636f2f5b19d4dc661e2d0fe6fd64786d507b99b3979fe0f6ecb06b76fd64bfb316131a52d3db7445508c8f0bd394495a6c13ca64e3780a416c72a7a34996d5a342e6349d92bfcb8d75bd4edd225d4e8601838bffc604e9e3f0de83a1cf9e17c7fa7398fea49c8faed299d04a90a70bdaa0b111428e2e6224ae08c1bf0ea1a69e16e1ffd4bfa76afffdd5060ac992efa08fb7404fa1ff3456042654d3d51292624ac3bb3356f5bd3f492c169e8c7dc71ccd3b4e91cb298ef7f2b61d74a86e7cb6daf621a8b0b6a87e58ddcaa65f376fe0652c40c76d762b580f34da979ae0968b172a9ccc4cd8b34af3873e85d1653c9e5571dc34e8c39f7f04df191c0e81213d2fac0412664eb4769c480a80fdcd5cae2a2eb8b1d031cc6e649d8f0b29f9115ea2bb27cbe35cba040647ad9da8ad36931cfdce5c58dfd6b8d0bd83cf4f8cad6f6d6f3048380583d8ef0807a4d024ef8d0333a97183423c90e8dd1b62dc70c95ae30acd0ccc257de6feb89a9492b4214b65d8da2ada11b80fbd7689afdb99fa820cb7aaaca8ce32fd1adf5d724f50683a7924ed1b5de6b322a4932ea46d3
b266a270420259a4fee480054f0675e77e5178ff255be000468a220a25c6879e039bc14c38cbf9040eded41f1c6d75fe4615cc57677c948c7bb9c3561184b0ffe0d0a9ed0e7212fabd5ef357ffb3ca40e8a97be2a9bcf35fc7e3d7ce8f6d50a4f7b42c246894683822db36b95528cd8061342c66c788bb6f63beadfe3559e896e4387a12cedf6f220888d218", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, 
"0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, 
@generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, 
"1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, "25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, 
&(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, "2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, 
"fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, &(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", 
"f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, "bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, 
"905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, 
&(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void 
event_init(event_t* ev)
{
	// Start in the "not signalled" state (state == 0).
	ev->state = 0;
}

// Clear the event state back to 0.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Mark the event as signalled and wake threads blocked in FUTEX_WAIT on ev->state.
// Setting an event whose state is already non-zero terminates the process with exit(1).
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	// Release store; the waiters below read the state with acquire loads.
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	// Wake up to 1000000 waiters.
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until ev->state is observed non-zero. FUTEX_WAIT is asked to sleep only while the
// state is still 0 and is given no timeout; the loop re-checks the state after every return.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking check: returns the current state (non-zero once event_set has run).
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait for the event for at most `timeout` milliseconds, measured with current_time_ms().
// Returns 1 once the state is observed non-zero, 0 once more than `timeout` ms have elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// Remaining budget in ms, converted to the timespec handed to FUTEX_WAIT.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// Format a printf-style message and write it to `file` with a single write().
// The file is opened O_WRONLY | O_CLOEXEC without O_CREAT, so it must already exist.
// Returns true only if the whole formatted string was written; errno from a failed
// write() is preserved across the close().
// NOTE(review): `what` is handed to vsnprintf as the format string, so it must never be
// built from untrusted input; output longer than the 1024-byte buffer is truncated.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	// Defensive re-termination of the buffer.
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		// Save errno so the close() below cannot overwrite the write() error.
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// NOTE(review): not referenced in the lines shown here; presumably a fixed fd number
// reserved for the initial network namespace - confirm against its users.
const int kInitNetNsFd = 239;

// Entry sizes and byte offsets used below to address fields inside the mmap'ed io_uring rings.
// NOTE(review): hard-coded values; presumably they mirror the kernel's ring layout -
// confirm against the target kernel version.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Local copy of one completion queue entry (16 bytes, matching SIZEOF_IO_URING_CQE).
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Pseudo-syscall: consume one completion from the ring mapped at a0.
// Copies the CQE at index (head & ring_mask), advances the head with a release store, and
// returns cqe.res when user_data is 0x12345 or 0x23456, otherwise -1.
// NOTE(review): a0 is used as a pointer without validation, and the CQ tail is never
// consulted, so the entry is read whether or not a new completion has been posted.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

// Local declarations of the io_uring_setup parameter block and its two ring-offset
// sub-structures. NOTE(review): presumably copies of the kernel UAPI structs - confirm.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets selecting which io_uring region is mapped.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Pseudo-syscall: create an io_uring instance and map its rings at caller-chosen addresses.
//   a0: number of entries          a1: struct io_uring_params*
//   a2: address for the ring map   a3: address for the SQE array map
//   a4: out, receives the ring mmap() result
//   a5: out, receives the SQE array mmap() result
// Returns the io_uring_setup result as it was stored in a uint32_t.
// NOTE(review): the syscall result is not checked before sizes are derived from
// *setup_params and the value is passed to mmap() as the fd; a failure (-1) becomes
// 0xffffffff in fd_io_uring. Neither mmap() result is compared with MAP_FAILED before
// being stored through a4/a5. MAP_FIXED replaces whatever was mapped at vma1/vma2.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	// One mapping is used for both rings, sized to the larger of the SQ and CQ ring.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Pseudo-syscall: copy one 64-byte SQE into the SQE array and publish it on the SQ ring.
//   a0: ring mapping   a1: SQE array mapping   a2: SQE to copy   a3: requested SQE slot
// Always returns 0.
// NOTE(review): a0, a1 and a2 are dereferenced without validation. The slot index is
// reduced modulo sq_ring_entries only when that count is non-zero; with a zero count the
// caller-supplied index is used as is.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// The SQ index array is located after the CQEs, rounded up to a 64-byte boundary.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	// Record the SQE slot at the current tail, then publish the new tail with a release store.
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

// Minimal local declarations for walking the BTF blob read from /sys/kernel/btf/vmlinux.
// Value expected in btf_header.magic.
#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

// Field extractors for btf_type.info: kind is bits 24..27, vlen is the low 16 bits.
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

// Kinds that carry extra data after struct btf_type (see the switch in syz_btf_id_by_name).
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

// Common header of every type record.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Size of the static buffer that holds the BTF blob (10 MiB).
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Read /sys/kernel/btf/vmlinux into a static buffer once and return that buffer on every
// later call. Returns NULL if the file cannot be opened, a read fails, or the data fills
// the buffer completely (treated as "too large").
// NOTE(review): fd is never closed - not after a successful read and not on either NULL
// return after open() succeeded. Because is_read stays false on failure, each failing
// call opens the file again and leaves another descriptor open.
// NOTE(review): the number of bytes read is not returned, so callers cannot bound their
// parsing by the real blob length.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		// ret == 0 is end of file.
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

// Pseudo-syscall: look up a BTF type by name. a0 points to the NUL-terminated name.
// Walks the type section record by record, starting at index 1, and returns the index of
// the first record whose name equals the target; returns -1 if the blob is unavailable or
// its magic does not match.
// NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are taken from the
// blob and added to pointers without being checked against the buffer size. The input is
// a kernel-provided file, so this is presumably acceptable here - confirm before reusing
// this parser on any other source of BTF data.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// Both sections are located relative to the end of the header.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// skip = size of the kind-specific data that follows the common struct btf_type.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
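index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; }

// Claims the next slot of usb_devices, parses the descriptor blob into it and
// then publishes `fd` for that slot with a release store.
// Returns the slot's index structure, or NULL when all USB_MAX_FDS slots have
// been handed out or the descriptors fail to parse. The slot counter is
// incremented before parsing, so a failed parse still uses up a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Release pairs with the acquire load in lookup_usb_index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Returns the index structure of the first usb_devices slot whose fd equals
// `fd`, or NULL when no slot matches.
// NOTE(review): slots that were never published still hold the zero the static
// array starts with, so a lookup for fd 0 would match such a slot; confirm that
// callers never pass 0.
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// One caller-supplied string descriptor: `len` bytes at `str`.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors used while answering GET_DESCRIPTOR
// requests during connect: device qualifier, BOS and a table of strings.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz" as 16-bit characters), first byte is its length.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

// Fallback reply for string index 0, first byte is its length.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Picks the reply for a device-to-host control request received during connect.
//
// Only standard GET_DESCRIPTOR requests are answered. On success the function
// stores the reply pointer and length through `response_data` /
// `response_length` and returns true; it returns false (the caller stalls EP0)
// for an unknown fd or any request it has no reply for.
//
// Changes from the previous version:
//  - DEVICE_QUALIFIER without a caller-supplied qualifier used to build the
//    descriptor in the memory `response_data` itself points at, i.e. over the
//    caller's `char*` variable and whatever follows it. The descriptor now
//    lives in thread-local storage and `*response_data` is set to point at it.
//  - `descs` is checked for NULL in the BOS and DEVICE_QUALIFIER cases, as the
//    STRING case already did. BOS with no descriptors supplied returns false.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       char** response_data, uint32_t* response_length)
{
	// Storage for a synthesized qualifier; per-thread so that concurrent
	// connects do not share it. The caller copies the reply out before the
	// next request is handled.
	static __thread struct usb_qualifier_descriptor default_qual;
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			// The descriptor type is the high byte of wValue.
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// The string index is the low byte of wValue.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Derive the qualifier from the device descriptor.
					struct usb_qualifier_descriptor* qual = &default_qual;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for host-to-device control requests during connect: returns
// true when the request is accepted and sets *done once enumeration is over.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) {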
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
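USB_RAW_IOCTL_CONFIGURE, 0); }

// Issues USB_RAW_IOCTL_VBUS_DRAW with `power` as the argument; returns the ioctl result.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

// Issues USB_RAW_IOCTL_EP0_STALL; returns the ioctl result.
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in index->ifaces[] of the interface with the given
// number and alternate setting, or -1 when `fd` is unknown or nothing matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;

	if (!index)
		return -1;

	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with address `bEndpointAddress` on
// the currently selected interface, or -1 when `fd` is unknown, no interface is
// selected, or the interface has no such endpoint.
//
// The loop condition used to be just `eps_num`, with no comparison against
// `ep`. For an interface with at least one endpoint and no matching address the
// scan therefore never stopped and read past the end of eps[]. It is now
// bounded by eps_num.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

// Switches the device behind `fd` to interface slot `n`: disables the endpoints
// of the currently selected interface, then enables those of slot `n` and
// records the handles returned by the enable ioctl. Failures of individual
// ioctls are ignored, as before; an endpoint whose enable fails keeps its
// previous handle value. Does nothing for an unknown fd; an out-of-range `n`
// only performs the disable step.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Handles SET_CONFIGURATION for the device behind `fd`: passes bMaxPower to the
// VBUS_DRAW ioctl, issues the CONFIGURE ioctl, then selects interface slot 0.
// Returns 0 on success, -1 for an unknown fd, or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}

// Size of the data area in the control-event and endpoint I/O buffers.
#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event { struct usb_raw_event inner; struct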
usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else 
memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = 
event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = 
usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = 
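CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; }

// One piece of an image: `size` bytes at `data`, written at byte `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 356

// Clamps the segment table in place and returns the image size to allocate.
//
// For the first min(nsegs, IMAGE_MAX_SEGMENTS) entries: size is capped at
// IMAGE_MAX_SIZE, offset is reduced modulo IMAGE_MAX_SIZE and then pulled back
// so that offset + size stays within IMAGE_MAX_SIZE. The returned size is grown
// to cover the end of every clamped segment and capped at IMAGE_MAX_SIZE.
//
// The growth step used to compare and assign offset + offset, so the size was
// derived from twice the offset rather than from where the segment ends; it now
// uses offset + size.
//
// NOTE(review): nsegs is passed by value, so the IMAGE_MAX_SEGMENTS clamp does
// not reach the caller. A caller that goes on to iterate over its own nsegs
// would touch entries beyond the ones sanitized here; confirm against the
// callers.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;

	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;

	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		// size <= IMAGE_MAX_SIZE here, so the subtraction cannot wrap.
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}

	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i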
< nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = 
errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 
0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 43; call++) { for (thread = 0; 
thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 
0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_ioctl, -1, 0x125e, 0x20000000); break; case 1: memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; break; case 2: *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; *(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; 
*(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); 
syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); 
break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; 
*(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; 
*(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, 
"\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if 
(res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, "\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; 
*(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, "\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\
xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x93\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\
xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\
xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\
xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xbc\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\
x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\
x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x18\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\
xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x49\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\
x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; 
*(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 = 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; 
*(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; 
*(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; *(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; 
*(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; *(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; 
*(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 = 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; 
*(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; 
*(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; *(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); use_temporary_dir(); loop(); return 0; } : In function ‘syz_io_uring_setup’: :244:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :244:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor419675189 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/8 (0.39s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 
Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 
0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 
0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int 
event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, 
__ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
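btf_array { __u32 type; __u32 index_type; __u32 nelems; };

struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

struct btf_param {
	__u32 name_off;
	__u32 type;
};

struct btf_var {
	__u32 linkage;
};

struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

/* Upper bound on the BTF blob size; larger blobs are rejected by read_btf_vmlinux(). */
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer and returns that buffer.
 *
 * The blob is cached: once a read has completed, later calls return the same
 * buffer without touching the file again. Returns NULL when the file cannot
 * be opened, when read() fails, or when the data fills the whole buffer
 * (the blob is then treated as too large to support).
 *
 * The descriptor is closed on every path. A failed call is not cached, so
 * without the close each retry would leave one more open descriptor behind.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	is_read = true;
	return buf;
}

/*
 * syz_btf_id_by_name() is reproduced unchanged below; its body continues on
 * the following line of the listing.
 * NOTE(review): hdr_len, type_off, str_off and name_off are taken from the
 * blob and added to the buffer base without being compared against the number
 * of bytes actually read, and the name is compared with strcmp().
 */
static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case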
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
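index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; }

/*
 * Reserves the next slot of usb_devices[], parses the descriptor blob into it
 * and publishes fd for that slot. Returns the slot's index structure, or NULL
 * when all USB_MAX_FDS slots are taken or the blob fails to parse.
 *
 * The slot counter is advanced before parsing, so a blob that fails to parse
 * still consumes a slot.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	/* Release store: the parsed index is written before fd becomes visible to lookups. */
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/*
 * Returns the index structure of the first usb_devices[] slot whose fd field
 * equals fd, or NULL when no slot matches.
 *
 * NOTE(review): every slot is scanned, including ones never filled in; those
 * hold fd == 0 (static storage), so a lookup for fd 0 matches an unused slot.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	int i;
	for (i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) {
			return &usb_devices[i].index;
		}
	}
	return NULL;
}

/* One caller-supplied string descriptor: a length and a pointer to its bytes. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/* Caller-supplied qualifier, BOS and string descriptors used during connect. */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor, returned for string indexes the caller did not supply. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

/* Fallback language-id descriptor, returned for string index 0. */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Picks the reply to an IN control request received while connecting.
 *
 * Only standard GET_DESCRIPTOR requests are answered. On success the reply
 * is handed back through *response_data / *response_length and true is
 * returned; false means no reply is available and the caller is expected to
 * deal with the request itself.
 *
 * descs may be NULL. In that case string requests fall back to the built-in
 * defaults, the device qualifier is synthesized from the device descriptor,
 * and a BOS request is reported as unanswered instead of dereferencing NULL.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* The high byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* The low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Build the qualifier from the device descriptor in
					 * thread-local storage and return a pointer to it.
					 * response_data only has room for one pointer, so the
					 * descriptor must not be written through it.
					 */
					static __thread struct usb_qualifier_descriptor qual;
					qual.bLength = sizeof(qual);
					qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual.bcdUSB = index->dev->bcdUSB;
					qual.bDeviceClass = index->dev->bDeviceClass;
					qual.bDeviceSubClass = index->dev->bDeviceSubClass;
					qual.bDeviceProtocol = index->dev->bDeviceProtocol;
					qual.bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual.bNumConfigurations = index->dev->bNumConfigurations;
					qual.bRESERVED = 0;
					*response_data = (char*)&qual;
					*response_length = sizeof(qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Callback type deciding how an OUT control request is handled during connect. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* The body of lookup_connect_response_out_generic() continues on the following line of the listing. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) {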
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
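USB_RAW_IOCTL_CONFIGURE, 0); }

/* Issues USB_RAW_IOCTL_VBUS_DRAW on fd, passing power as the ioctl argument. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Issues USB_RAW_IOCTL_EP0_STALL on fd. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Returns the position in the device's ifaces[] table of the entry matching
 * both bInterfaceNumber and bAlternateSetting, or -1 when fd is not a known
 * device or no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Returns the handle stored for the endpoint of the current interface whose
 * descriptor carries bEndpointAddress, or -1 when fd is not a known device,
 * no interface is selected, or no endpoint matches.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	/*
	 * The scan must stop at eps_num. Testing eps_num alone, without comparing
	 * it to ep, never ends the loop for an address that is absent and walks
	 * past the end of eps[].
	 */
	for (ep = 0; ep < iface->eps_num; ep++)
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	return -1;
}

/*
 * Switches the device to interface table entry n: disables the endpoints of
 * the currently selected entry, then enables the endpoints of entry n and
 * records the handles returned for them. An out-of-range n leaves iface_cur
 * unchanged (the old endpoints are still disabled).
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			/* Best effort: the result of the disable is not acted on. */
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			/* A failed enable leaves the previously stored handle in place. */
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

/*
 * Applies the device's bMaxPower via usb_raw_vbus_draw(), calls
 * usb_raw_configure(), then selects interface table entry 0.
 * Returns 0 on success, -1 for an unknown fd, or the failing call's result.
 */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

/* The definition of struct usb_raw_control_event continues on the following line of the listing. */
struct usb_raw_control_event { struct usb_raw_event inner; struct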
usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else 
memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = 
event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = 
usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = 
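sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; }

/* One piece of a filesystem image: size bytes at data, placed at offset. */
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
/* Hard-coded syscall number. NOTE(review): presumably the linux/386 value, the target named in the test output; confirm per architecture. */
#define sys_memfd_create 356

/*
 * Clamps the segment table in place and returns the image size to allocate.
 *
 * For each of the first min(nsegs, IMAGE_MAX_SEGMENTS) entries, size is
 * capped at IMAGE_MAX_SIZE and offset is reduced so that offset + size stays
 * within IMAGE_MAX_SIZE. The returned size is the requested size, raised to
 * cover the end of every checked segment and capped at IMAGE_MAX_SIZE.
 *
 * segments is the address of an array of struct fs_image_segment; the
 * entries are modified in memory.
 *
 * NOTE(review): the cap on nsegs is local to this function. A caller that
 * keeps iterating with its own nsegs visits entries that were never clamped
 * here.
 */
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		/*
		 * The image must reach the end of the segment, i.e. offset + size.
		 * After the clamps above this sum cannot exceed IMAGE_MAX_SIZE.
		 */
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

/* The body of syz_read_part_table() continues on the following line of the listing. */
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments);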
// Continuation of syz_read_part_table: its signature, its locals and the call
// to fs_image_segment_check are on the preceding line of the listing.
	// The image is assembled in an anonymous in-memory file.
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): this loop uses the caller's nsegs. fs_image_segment_check
	// clamps only its own copy, so entries past IMAGE_MAX_SEGMENTS reach pwrite
	// with size/offset values that were never sanitised.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// A failed write is ignored (empty body).
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	// The loop device is selected by procid (defined elsewhere in the file).
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// EBUSY: detach whatever is bound to the device, wait 1 ms, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	// Ask the kernel to scan the attached image for a partition table.
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	// Link each partition node p1..p7 that exists as ./file0, ./file1, ...;
	// j counts only the nodes found. A failed symlink is ignored.
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			if (symlink(loopname, linkname)) {
			}
		}
	}
// Cleanup labels. The success path falls through all of them as well, so
// LOOP_CLR_FD is issued and both descriptors are closed in every case.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// syz_mount_image assembles a filesystem image from the caller's segments in a
// memfd, attaches it to /dev/loop<procid> and mounts it on `dir`.
//
// fsarg, dir and optsarg are used as addresses of C strings (they are cast to
// char*); segments is used as the address of an array of
// struct fs_image_segment. All of them come from the generated program.
//
// Returns 0 on success and -1 on failure; errno is set to the saved error code
// (0 on success). LOOP_CLR_FD is issued after the mount attempt whether or not
// it succeeded, and both descriptors are always closed.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): as in syz_read_part_table, nsegs here is the caller's
	// value, not the one clamped inside fs_image_segment_check.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// A failed write is ignored (empty body).
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// EBUSY: detach whatever is bound to the device, wait 1 ms, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	// The result of mkdir is not checked; a missing mount point shows up as a
	// mount() failure below.
	mkdir((char*)dir, 0777);
	// Both buffers are zeroed first, so the bounded copies stay NUL-terminated.
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	// At most sizeof(opts) - 32 bytes are copied, which leaves 32 bytes for the
	// single suffix that strcat may append below (the longest is 16 characters).
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Append errors=continue when the options contain errors=panic or do
		// not contain errors=remount-ro; presumably so that a corrupted image
		// does not panic the test kernel or flip the mount read-only.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
// Cleanup labels; the success path falls through them too.
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub in this listing: every argument is ignored and 0 is returned.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
// kill_and_wait later walks that directory to abort FUSE connections.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// sandbox_common applies the process-level confinement used by
// do_sandbox_setuid: parent-death signal, new process group and session, a
// saved descriptor for the current network namespace, resource limits, extra
// namespaces and SysV IPC sysctls. The function continues on the following
// line of the listing.
static void sandbox_common()
{
	// Kill this process if its parent dies, and detach it into its own
	// process group and session.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Keep a descriptor for the current network namespace at the fixed number
	// kInitNetNsFd (defined elsewhere); failing to do so is fatal.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource limits; the setrlimit return values are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB of address space
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB of locked memory
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB maximum file size
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
	setrlimit(RLIMIT_STACK, &rlim);
// Continuation of sandbox_common: the earlier resource limits are set on the
// preceding line of the listing.
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // at most 256 open descriptors
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Namespace isolation is best effort: every unshare failure is ignored, so
	// the process may keep running in the original namespaces.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is the value of CLONE_NEWCGROUP.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore limits written through
	// write_file (defined elsewhere in the file).
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Blocks until the child `pid` has been reaped and returns WEXITSTATUS of its
// status. A negative pid (failed fork) terminates the process.
// NOTE(review): waitpid(-1, ...) reaps any child, and a persistent -1 return
// would keep this loop spinning; WIFEXITED is not checked before
// WEXITSTATUS is applied.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// do_sandbox_setuid forks; the parent waits for the child and returns its exit
// status, while the child confines itself, drops to uid/gid 65534 and runs
// loop().
static int do_sandbox_setuid(void)
{
	// Best effort: a failed unshare leaves the child in the caller's PID
	// namespace.
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	// Best effort as well: the network namespace may stay shared.
	if (unshare(CLONE_NEWNET)) {
	}
	const int nobody = 65534;
	// Privilege drop in the order that keeps it irreversible: supplementary
	// groups first, then the gids, then the uids. Each step is fatal on error.
	if (setgroups(0, NULL))
		exit(1);
	if (syscall(SYS_setresgid, nobody, nobody, nobody))
		exit(1);
	if (syscall(SYS_setresuid, nobody, nobody, nobody))
		exit(1);
	// Changing credentials resets the dumpable flag; it is set back to 1 here.
	prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
	loop();
	// The loop() in this listing never returns; this is a safety net.
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// remove_dir recursively deletes `dir` and everything below it. Unexpected
// failures terminate the process with exit(1).
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches exit with the same status.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat, not stat: a symlink that points at a directory is unlinked
		// below instead of being descended into.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear the inode flags (flags = 0), which removes attributes
				// such as immutable or append-only, then retry the unlink.
				// NOTE(review): this retry path is not bounded by the
				// i > 100 check below, which it skips via continue.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// Read-only filesystem: leave the file in place.
			if (errno == EROFS) {
				break;
			}
			// Only EBUSY is retried, for a bounded number of attempts.
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				// Same flag-clearing retry as for files.
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			// New entries appeared since the scan: rescan the directory, at
			// most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// kill_and_wait kills the test process `pid` and its process group, then waits
// until it has been reaped; *status receives the wait status.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	// Poll for up to 100 rounds of 1 ms each.
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// Still not reaped: write to the abort file of every FUSE connection,
	// presumably because a process blocked on a FUSE request cannot die until
	// the connection is aborted.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// Note: this local array shadows the libc function abort().
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// One byte is written; it is simply the first byte of the path
			// buffer.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	// Block until the target pid itself has been reaped.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever is bound to /dev/loop<procid>; errors are ignored.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup run in the forked child: die with the parent, own process
// group, and the highest OOM score adjustment (1000) so the test process is
// the preferred victim of the OOM killer.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// syz_execute_func calls the address in `text` as a function taking no
// arguments, i.e. it executes whatever bytes the generated program stored
// there. It is only safe inside the disposable, sandboxed test process.
static long syz_execute_func(volatile long text)
{
	// Unused zeroed array; presumably stack padding around the call.
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}

// State of one worker thread: `created` marks a started thread, `call` is the
// index handed to execute_call, and `ready`/`done` are the hand-off events.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker thread body: waits for `ready`, runs the assigned call and signals
// `done`, forever. The loop continues on the following line of the listing.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
// Continuation of the worker loop in thr: the function header and the wait on
// th->ready are on the preceding line of the listing.
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// execute_one runs calls 0..42 of the generated program once. Each call is
// handed to the first worker thread whose `done` event is set; threads are
// started on first use.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new thread starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Busy thread: try the next one. If all 16 are busy, the call is
			// skipped.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Wait for the call with a per-call timeout: a base of 45 plus an
			// extra allowance for selected call indices (presumably
			// milliseconds; event_timedwait is defined elsewhere). A call
			// that times out keeps its thread busy while the next call moves
			// on to another thread.
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) +
						       (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) +
						       (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) +
						       (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0));
			break;
		}
	}
	// Give calls that are still running up to 100 more rounds of sleep_ms(1).
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Redundant declaration: execute_one is already defined above.
static void execute_one(void);

#define WAIT_FLAGS __WALL

// loop runs the program repeatedly, forever. Each iteration uses a fresh
// working directory ./<iter> and a forked child; a child still alive after
// 5 seconds is killed, and the directory is removed afterwards.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		// "./" plus a decimal int always fits in 32 bytes.
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: run one pass of the program inside the new directory.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		// Parent: poll once per sleep_ms(1) and enforce the 5 second budget.
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers, used only when the system headers do not define
// them (presumably the i386 values, given the linux/386 target of this run).
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define
__NR_setsockopt 366 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_ioctl, -1, 0x125e, 0x20000000); break; case 1: memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; break; case 2: *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; *(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: 
memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, 
"\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, 
"\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: 
*(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 
0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 
0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 
0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } }
/*
 * Entry point of the generated C program.
 *
 * Issues three raw mmap syscalls at fixed addresses, then calls
 * use_temporary_dir() and do_sandbox_setuid(), and returns 0.
 * In all three calls the flags value 0x32 is
 * MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS on Linux, with fd -1 and offset 0.
 * None of the mmap return values is checked, so a failed mapping is not
 * detected here.
 *
 * NOTE(review): use_temporary_dir() and do_sandbox_setuid() are defined
 * earlier in the generated source, outside this excerpt; presumably the
 * latter sets up the sandbox and runs the program's calls - confirm.
 */
int main(void)
{
  /* One page with prot 0 (PROT_NONE) directly below the data area: an access
     that runs off the low end of the data area faults. */
  syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0);
  /* 0x1000000 bytes at 0x20000000 with prot 7 (read | write | exec). The
     hard-coded 0x2000xxxx pointers stored through in the preceding case
     statements fall inside this range. */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0);
  /* One page with prot 0 (PROT_NONE) directly above the data area. */
  syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0);
  use_temporary_dir();
  do_sandbox_setuid();
  return 0;
}
: In function ‘syz_io_uring_setup’: :248:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :248:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor407682266 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/13 (0.38s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true 
RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 
0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 
0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while 
(!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		// FUTEX_WAIT with expected value 0: sleeps only while state is still 0.
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking check: returns the current state (non-zero once set).
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait for the event for at most timeout milliseconds.
// Returns 1 as soon as the event is observed set, 0 once more than timeout
// milliseconds have elapsed since the call started.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// Remaining budget, converted to a relative timespec for FUTEX_WAIT.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// printf-style write of a short string to an existing file.
// The text is formatted into a 1024-byte stack buffer (vsnprintf truncates
// anything longer), the file is opened write-only without O_CREAT, and the
// call succeeds only if a single write() accepts the whole string.
// On a short or failed write, errno from write() is preserved across close().
// Returns true on success, false otherwise.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Scratch buffer for building one netlink request.
//   pos     - write cursor inside buf (set by netlink_init, advanced by netlink_attr)
//   nesting - must be 0 when the message is sent (checked in netlink_send_ext)
//   nested  - not used in the visible part of this listing
//   buf     - request bytes; the reply is received into the same buffer
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[1024];
};

// Shared message buffer; initialize_tun passes its address to the netlink helpers.
static struct nlmsg nlmsg;

// Start a new request: zero the whole struct, write a header of type typ whose
// flags always include NLM_F_REQUEST | NLM_F_ACK, copy size bytes of payload
// from data after the header, and leave the cursor after the aligned payload.
// NOTE(review): size is not checked against sizeof(nlmsg->buf) here.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Append one attribute (struct nlattr header plus size bytes from data) at the
// cursor and advance the cursor by the aligned attribute length.
// NOTE(review): there is no bounds check before the memcpy. The only overflow
// test is the pos comparison in netlink_send_ext, which runs after the bytes
// have been written, so callers must keep the message within sizeof(buf).
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Send the assembled request on sock and read one reply into the same buffer.
// Returns 0 when the reply is NLMSG_DONE, or when reply_len is non-NULL and the
// reply has type reply_type (then *reply_len is the received byte count).
// Otherwise the reply must be NLMSG_ERROR and its negated error field is
// returned. Exits the process if the cursor ran past the buffer, nesting is
// non-zero, the send is short, or the reply is too short or of another type.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct
nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	// NOTE(review): sendto() and recv() return a signed size, but the result is
	// kept in an unsigned. A -1 from sendto still fails the != test below; a -1
	// from recv becomes a very large n and passes both "n <" length checks.
	unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != hdr->nlmsg_len)
		exit(1);
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	// NOTE(review): nlmsg_type is read here before n has been compared with the
	// header size.
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (n < sizeof(struct nlmsghdr))
		exit(1);
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
		exit(1);
	if (hdr->nlmsg_type != NLMSG_ERROR)
		exit(1);
	return -((struct nlmsgerr*)(hdr + 1))->error;
}

// netlink_send_ext without a typed reply: reply_type 0 and no reply_len.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
	return netlink_send_ext(nlmsg, sock, 0, NULL);
}

// Send an RTM_NEWLINK request for the interface called name.
//   up       - when true, set IFF_UP in both ifi_flags and ifi_change
//   master   - if non-NULL, attach the interface to this device (IFLA_MASTER)
//   mac      - macsize bytes of link-layer address, sent only when macsize != 0
//   new_name - if non-NULL, rename the interface (IFLA_IFNAME)
// The result of the request is deliberately ignored.
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
	struct ifinfomsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	if (up)
		hdr.ifi_flags = hdr.ifi_change = IFF_UP;
	hdr.ifi_index = if_nametoindex(name);
	netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
	if (new_name)
		netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
	if (master) {
		int ifindex = if_nametoindex(master);
		netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
	}
	if (macsize)
		netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
	int err = netlink_send(nlmsg, sock);
	(void)err;
}

// Add or replace an address on interface dev with RTM_NEWADDR.
// addrsize == 4 selects AF_INET with a /24 prefix; any other size is treated
// as AF_INET6 with a /120 prefix. The same bytes are sent as IFA_LOCAL and
// IFA_ADDRESS. Returns the result of netlink_send.
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize)
{
	struct ifaddrmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
	hdr.ifa_prefixlen = addrsize == 4 ?
24 : 120;
	hdr.ifa_scope = RT_SCOPE_UNIVERSE;
	hdr.ifa_index = if_nametoindex(dev);
	netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
	netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
	netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
	return netlink_send(nlmsg, sock);
}

// Parse the textual IPv4 address addr and add it to dev.
// Neither the inet_pton result nor the netlink result is checked.
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
	struct in_addr in_addr;
	inet_pton(AF_INET, addr, &in_addr);
	int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
	(void)err;
}

// Parse the textual IPv6 address addr and add it to dev.
// Neither the inet_pton result nor the netlink result is checked.
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, addr, &in6_addr);
	int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
	(void)err;
}

// Install a permanent (NUD_PERMANENT) neighbour entry on interface name that
// maps the protocol address addr to the link-layer address mac, using
// RTM_NEWNEIGH with NLM_F_EXCL | NLM_F_CREATE. addrsize == 4 selects AF_INET,
// any other size AF_INET6. The result of the request is ignored.
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize)
{
	struct ndmsg hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.ndm_family = addrsize == 4 ?
AF_INET : AF_INET6;
	hdr.ndm_ifindex = if_nametoindex(name);
	hdr.ndm_state = NUD_PERMANENT;
	netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
	netlink_attr(nlmsg, NDA_DST, addr, addrsize);
	netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
	int err = netlink_send(nlmsg, sock);
	(void)err;
}

// File descriptor of the TAP device; -1 until initialize_tun has opened it.
static int tunfd = -1;

// Fixed name and addressing of the test interface and of its simulated peer.
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
// Not referenced in the visible part of this listing.
#define IFF_NAPI 0x0010

// Create and configure the syz_tun TAP interface:
//   1. open /dev/net/tun non-blocking and move the descriptor to the fixed number 240;
//   2. create the interface with IFF_TAP | IFF_NO_PI;
//   3. write "0" to its IPv6 accept_dad and router_solicitations sysctls;
//   4. assign the local IPv4 and IPv6 addresses;
//   5. add permanent neighbour entries for the remote IPv4 and IPv6 addresses;
//   6. set the local MAC and bring the interface up.
// If /dev/net/tun cannot be opened, two messages are printed and the function
// returns with tunfd still -1. Failure of dup2, TUNSETIFF or socket() exits the
// process; the results of write_file and of the netlink helpers are not checked.
static void initialize_tun(void)
{
	tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
	if (tunfd == -1) {
		printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
		printf("otherwise fuzzing or reproducing might not work as intended\n");
		return;
	}
	const int kTunFd = 240;
	if (dup2(tunfd, kTunFd) < 0)
		exit(1);
	close(tunfd);
	tunfd = kTunFd;
	struct ifreq ifr;
	memset(&ifr, 0, sizeof(ifr));
	// ifr was zeroed above and "syz_tun" is shorter than IFNAMSIZ, so the name
	// stays NUL-terminated.
	strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
	if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
		exit(1);
	}
	// With the constant TUN_IFACE both formatted paths fit in sysctl[64].
	char sysctl[64];
	sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
	write_file(sysctl, "0");
	sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
	write_file(sysctl, "0");
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		exit(1);
	netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
	netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
	// The first ETH_ALEN bytes of this 64-bit value, as laid out in memory, are
	// what the helpers send as the MAC address.
	uint64_t macaddr = REMOTE_MAC;
	struct in_addr in_addr;
	inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
	netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN);
	struct in6_addr in6_addr;
	inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
	netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN);
	macaddr = LOCAL_MAC;
	// up = true, no master device, set the MAC, no rename.
	netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL);
close(sock);
}

// Not referenced in the visible part of this listing.
const int kInitNetNsFd = 239;

// Read one chunk from the TAP device into data (at most size bytes).
// Returns the byte count, or -1 if the device is not open or read() fails with
// EAGAIN or EBADFD. Any other read error exits the process.
static int read_tun(char* data, int size)
{
	if (tunfd < 0)
		return -1;
	int rv = read(tunfd, data, size);
	if (rv < 0) {
		if (errno == EAGAIN || errno == EBADFD)
			return -1;
		exit(1);
	}
	return rv;
}

// Helper behind the program's syz_emit_ethernet call: writes a0 bytes starting
// at pointer a1 to the TAP device with a single write(). a2 is not used in
// this build. Returns the result of write(), or -1 if the device is not open.
static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	uint32_t length = a0;
	char* data = (char*)a1;
	return write(tunfd, data, length);
}

// Entry sizes and hard-coded byte offsets into the mmap'ed io_uring ring area.
// NOTE(review): presumably these mirror the offsets the kernel reports in
// io_uring_params for the kernel version under test - confirm before reuse.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

// Completion queue entry as declared locally by this program (8 + 4 + 4 bytes,
// matching SIZEOF_IO_URING_CQE).
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

// Helper behind syz_io_uring_complete: consumes one completion entry from the
// ring mapped at a0. It copies the entry at (head & ring mask), publishes
// head + 1 with a release store, and returns the entry's res field if its
// user_data is 0x12345 or 0x23456, otherwise -1.
// NOTE(review): the head is advanced without being compared with the tail, so
// nothing here checks that a completion is actually pending.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ?
(long)cqe.res : (long)-1;
}

// Submission-ring field offsets, as declared locally by this program.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

// Completion-ring field offsets, as declared locally by this program.
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

// Parameter block handed to io_uring_setup; syz_io_uring_setup reads
// sq_entries, cq_entries, sq_off.array and cq_off.cqes from it after the call.
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

// mmap offsets used below to select the ring area and the SQE array.
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL

// Helper behind syz_io_uring_setup: calls io_uring_setup(a0, a1), then maps the
// ring area at address a2 and the SQE array at address a3 (both MAP_FIXED) and
// stores the two mmap results through the pointers a4 and a5.
// The ring mapping is sized as the larger of the SQ and CQ ring sizes computed
// from the returned parameters. Returns the io_uring file descriptor.
// NOTE(review): the syscall result is stored in a uint32_t and is not checked
// before setup_params is read and mmap is called; the mmap results are stored
// without being checked either.
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void* vma1 = (void*)a2;
	void* vma2 = (void*)a3;
	void** ring_ptr_out = (void**)a4;
	void** sqes_ptr_out = (void**)a5;
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
	return fd_io_uring;
}

// Helper behind syz_io_uring_submit: queues one submission entry.
//   a0 - ring area, a1 - SQE array, a2 - the 64-byte SQE to copy, a3 - slot index
// The slot index is reduced modulo the ring's entry count when that count is
// non-zero, the SQE is copied into that slot, the slot index is written into
// the SQ index array at position (tail & ring mask), and tail + 1 is published
// with a release store. Always returns 0.
// NOTE(review): every size and offset is read from the ring memory itself and
// used unchecked, and nothing tests whether the submission ring is full.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sqes_index = (uint32_t)a3;
	uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET);
	uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET);
	// SQ index array offset: end of the CQE array, rounded up to a multiple of 64.
	uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63;
	if (sq_ring_entries)
		sqes_index %= sq_ring_entries;
	char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off);
	*(sq_array + sq_tail) = sqes_index;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

// Value syz_btf_id_by_name expects in btf_header.magic.
#define BTF_MAGIC 0xeB9F

// Header at the start of the BTF blob. syz_btf_id_by_name locates the type and
// string sections at hdr_len + type_off and hdr_len + str_off.
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

// Kind is taken from bits 24-27 of btf_type.info, vlen from its low 16 bits.
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info)&0xffff)

// Kinds for which syz_btf_id_by_name skips trailing data after struct btf_type.
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

// Fixed part of every type record; name_off is an offset into the string section.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};

// Trailing record of BTF_KIND_ENUM (vlen of them follow the btf_type).
struct btf_enum {
	__u32 name_off;
	__s32 val;
};

struct
btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

// Trailing record of BTF_KIND_STRUCT and BTF_KIND_UNION (vlen of them).
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

// Trailing record of BTF_KIND_FUNC_PROTO (vlen of them).
struct btf_param {
	__u32 name_off;
	__u32 type;
};

// Trailing record of BTF_KIND_VAR (exactly one).
struct btf_var {
	__u32 linkage;
};

// Trailing record of BTF_KIND_DATASEC (vlen of them).
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

// Size of the static buffer that holds the BTF blob (10 MiB).
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

// Read /sys/kernel/btf/vmlinux into a static buffer on first use and return the
// cached buffer on later calls. Returns NULL if the file cannot be opened, a
// read fails, or the data fills the whole buffer.
// NOTE(review): fd is never closed, on the success path or on either NULL
// return. The number of bytes read is not returned, so callers cannot bound
// their accesses against it.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

// Helper behind syz_btf_id_by_name: walks the type section of the vmlinux BTF
// blob and returns the 1-based position of the first type whose name equals
// the string at a0. Returns -1 if the blob is unavailable, the magic does not
// match, or no type has that name.
// NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are
// taken from the blob and used without being checked against the amount of
// data that was read. Kinds not listed in the switch are treated as having no
// trailing data.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows this btf_type record.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case
BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

// Helper behind syz_memcpy_off: memcpy(a0 + a1, a2 + a3, a4).
// Both offsets are truncated to 32 bits. Returns the destination pointer as a long.
// NOTE(review): pointers, offsets and length come straight from the caller and
// are used without any validation.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

// Discard everything pending on the TAP device: reads until read_tun returns -1.
static void flush_tun()
{
	char data[1000];
	while (read_tun(&data[0], sizeof(data)) != -1) {
	}
}

// IPv6 header as declared locally by this program.
struct ipv6hdr {
	__u8 priority : 4,
	    version : 4;
	__u8 flow_lbl[3];
	__be16 payload_len;
	__u8 nexthdr;
	__u8 hop_limit;
	struct in6_addr saddr;
	struct in6_addr daddr;
};

// Output of syz_extract_tcp_res; both fields are stored in network byte order.
struct tcp_resources {
	uint32_t seq;
	uint32_t ack;
};

// Helper behind syz_extract_tcp_res: reads one frame from the TAP device,
// locates its TCP header and stores (seq + a1) and (ack_seq + a2) into the
// struct tcp_resources at a0. Returns 0 on success and -1 if the device is not
// open, nothing could be read, the frame is too short, or it is not TCP.
// Each header is accessed only after the received length has been checked to
// cover it.
// NOTE(review): any ethertype other than ETH_P_IP is parsed as IPv6, and IPv6
// extension headers are not walked (nexthdr must be TCP directly). ihl is not
// checked for a minimum value; the length test still keeps the TCP header
// inside the received bytes.
static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	char data[1000];
	int rv = read_tun(&data[0], sizeof(data));
	if (rv == -1)
		return (uintptr_t)-1;
	size_t length = rv;
	struct tcphdr* tcphdr;
	if (length < sizeof(struct ethhdr))
		return (uintptr_t)-1;
	struct ethhdr* ethhdr = (struct ethhdr*)&data[0];
	if (ethhdr->h_proto == htons(ETH_P_IP)) {
		if (length < sizeof(struct ethhdr) + sizeof(struct iphdr))
			return (uintptr_t)-1;
		struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)];
		if (iphdr->protocol != IPPROTO_TCP)
			return (uintptr_t)-1;
		// ihl counts 32-bit words, so the TCP header starts ihl * 4 bytes in.
		if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4];
	} else {
		if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr))
			return (uintptr_t)-1;
		struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)];
		if (ipv6hdr->nexthdr != IPPROTO_TCP)
			return (uintptr_t)-1;
		if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr))
			return (uintptr_t)-1;
		tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)];
	}
struct tcp_resources* res = (struct tcp_resources*)a0; res->seq = htonl((ntohl(tcphdr->seq) + (uint32_t)a1)); res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32_t)a2)); return 0; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; 
index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = 
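(char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// The low byte of wValue selects the string index.
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					// Built-in language-ID descriptor; byte 0 is its own length.
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs may be NULL (the STRING case above checks for it), so
				// refuse instead of dereferencing it; the caller stalls ep0
				// when this function returns false.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// No qualifier supplied: synthesize one from the device
					// descriptor. response_data is the address of the caller's
					// pointer variable, not a buffer, so the descriptor must be
					// built in separate storage and *response_data pointed at it;
					// writing through response_data itself overwrites that
					// pointer and the memory next to it.
					static __thread struct usb_qualifier_descriptor qual_storage;
					struct usb_qualifier_descriptor* qual = &qual_storage;
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	// Anything not handled above is reported as "no response available".
	return false;
}

// Callback type used during connect to decide how to answer an OUT control
// request; sets *done when the connect handshake should stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

// Generic OUT handler: accepts only a standard SET_CONFIGURATION request and
// marks the handshake as done when it arrives. Returns false otherwise.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define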
ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = 
&descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define 
USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int 
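lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	// Returns the slot in index->ifaces[] whose interface number and alternate
	// setting both match, or -1 if fd has no index or nothing matches.
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;
	if (!index)
		return -1;
	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the handle recorded for the endpoint with address bEndpointAddress
// on the currently selected interface, or -1 if fd has no index, no interface
// is selected, or no endpoint of that interface matches.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	// The bound has to compare ep against eps_num. Testing eps_num alone is
	// always true for a non-empty interface, so a miss would index past eps[].
	for (ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

// Disables the endpoints of the currently selected interface (if one is
// selected), then enables the endpoints of interface slot n and makes it
// current. Does nothing if fd has no index; an out-of-range n performs only
// the disable step and leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			// Best effort: the result of the disable call is not acted on.
			usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// A failed enable leaves the stored handle untouched.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Applies the indexed bMaxPower via VBUS_DRAW, issues CONFIGURE, then selects
// interface slot 0. Returns 0 on success, -1 if fd has no index, or the
// negative result of the failing ioctl wrapper.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

// usb_raw_event header followed by storage for the control request and its data.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

// usb_raw_ep_io header followed by a fixed-size payload buffer.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const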
struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); 
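return fd;
}

// Pseudo-syscall entry point: connects an emulated USB device using the
// generic OUT-request handler. a0 = speed, a1 = descriptor length,
// a2 = descriptor bytes, a3 = optional vusb_connect_descriptors.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect, but uses the ath9k OUT-request handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Fetches one control event from fd and answers it. a0 = fd,
// a1 = optional vusb_descriptors, a2 = optional vusb_responses.
// Returns 0 on success, -1 on a non-control event or an unanswerable IN
// request (ep0 is stalled in that case), or the negative ioctl result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// wIndex/wValue carry interface number and alternate setting only for
		// a standard SET_INTERFACE request, so both conditions must hold.
		// With "||" every standard request, and every request whose bRequest
		// byte equals USB_REQ_SET_INTERFACE, was treated as an interface switch.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			// An unknown interface/alt-setting pair is ignored.
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if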
(response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return 
rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr 
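+ 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The reply is received into the same buffer that held the request.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	// NOTE(review): the walk trusts nla_len from the reply; a zero nla_len
	// would leave attr unchanged and the loop would not advance.
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One chunk of a filesystem image: size bytes at data, placed at offset.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

#define sys_memfd_create 356

// Clamps the first min(nsegs, IMAGE_MAX_SEGMENTS) segment descriptors in place
// so that each segment lies within [0, IMAGE_MAX_SIZE), and returns an image
// size that is at least `size`, large enough to hold every clamped segment,
// and at most IMAGE_MAX_SIZE.
// segments is the address of an array of struct fs_image_segment.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	// Only this local copy of nsegs is clamped; the caller keeps its own value.
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// The segment ends at offset + size. The clamps above keep that sum
		// at or below IMAGE_MAX_SIZE, so it cannot overflow.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds an in-memory image from the given segments, attaches it to this
// process's loop device with partition scanning enabled, and symlinks any
// partitions found as ./fileN. Returns 0 on success or -1 with errno set.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	// NOTE(review): nsegs here is the caller-supplied count, while
	// fs_image_segment_check clamps only its own copy, so entries past
	// IMAGE_MAX_SEGMENTS are written with unsanitized size/offset.
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		if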
(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != 
EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) 
{ } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } initialize_tun(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = 
open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); flush_tun(); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { 
event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 43; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #ifndef 
__NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_ioctl, -1, 0x125e, 0x20000000); break; case 1: memcpy((void*)0x20000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0); if (res != -1) r[0] = res; break; case 2: *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint8_t*)0x20000084 = 0; *(uint8_t*)0x20000085 = 0; *(uint8_t*)0x20000086 = 0; *(uint8_t*)0x20000087 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } 
break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, 
"\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; syz_emit_ethernet(0x56, 0x20000040, 0x200000c0); break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, 
"\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: syz_extract_tcp_res(0x200001c0, 2, 0x7f); break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] 
= res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; 
*(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); 
*(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); *(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 
0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0x20001cdb = 9; *(uint8_t*)0x20001cdc = 4; *(uint8_t*)0x20001cdd = 0x86; *(uint8_t*)0x20001cde = 0x7f; *(uint8_t*)0x20001cdf = 0xa; *(uint8_t*)0x20001ce0 = 0xf7; *(uint8_t*)0x20001ce1 = 0xf9; *(uint8_t*)0x20001ce2 = 0xf2; *(uint8_t*)0x20001ce3 = 0x7f; *(uint8_t*)0x20001ce4 = 0xd1; *(uint8_t*)0x20001ce5 = 0xb; memcpy((void*)0x20001ce6, "\x26\xe1\x3a\x65\xce\xb2\xc1\x60\x69\x44\x40\xc6\xe4\xb5\xd5\x10\x7c\xd6\xf6\xed\xdf\x5f\x0f\x8f\x93\x86\x06\xe7\xa7\x89\x78\x6c\x09\x76\x26\x76\x2d\xa7\x88\x1a\x4e\x46\xee\x51\x2c\xe1\xce\x83\xd0\x3e\xe0\x1e\x8a\x39\x0d\x4f\xe4\x8a\x1a\x16\x6b\x12\x2a\x24\x4f\x7e\x84\x53\xfe\x58\x43\x52\xcd\xc7\x48\xde\xd1\x73\x7c\x61\xff\xbc\x1f\x9f\x18\x44\x1c\x5d\x61\xf5\x49\x3a\x88\xbf\xea\x77\x76\x76\x2b\xbf\x8a\x20\x6e\xec\xa2\xf4\x5c\x1f\x7a\xa6\xd1\x5f\xb4\x64\xcd\x1c\xaf\x6a\x43\x2b\xab\xfc\x01\xbb\x86\xb1\x29\x7b\x12\x89\x97\x42\x6c\x1a\x5a\x86\x53\x3c\xb2\xc0\x29\xf5\x0b\x1c\x5b\x0b\x88\x71\x9f\x7c\x78\x21\x7d\x2b\xec\x91\x0f\xf9\x06\xb4\x38\x60\x02\x5e\x14\x0f\xba\xd2\xbc\x0a\x91\xe2\x3e\x65\xc5\xc8\xfe\xfd\x91\xd0\x45\x9c\x59\x0e\x1f\x4b\xac\x91\xea\xc0\x23\xef\x5f\x1a\x24\x82\x45\xdf\x0d\x7c\x12\x76\xdf\x72\xd9\x55\xc6", 207); *(uint8_t*)0x20001db5 = 6; *(uint8_t*)0x20001db6 = 0x24; *(uint8_t*)0x20001db7 = 6; *(uint8_t*)0x20001db8 = 0; *(uint8_t*)0x20001db9 = 1; memcpy((void*)0x20001dba, "8", 1); *(uint8_t*)0x20001dbb = 5; *(uint8_t*)0x20001dbc = 0x24; *(uint8_t*)0x20001dbd = 0; *(uint16_t*)0x20001dbe = 8; *(uint8_t*)0x20001dc0 = 0xd; *(uint8_t*)0x20001dc1 = 0x24; *(uint8_t*)0x20001dc2 = 0xf; *(uint8_t*)0x20001dc3 = 1; *(uint32_t*)0x20001dc4 = 9; *(uint16_t*)0x20001dc8 = 5; *(uint16_t*)0x20001dca = 5; *(uint8_t*)0x20001dcc = 0x80; *(uint8_t*)0x20001dcd = 6; *(uint8_t*)0x20001dce = 0x24; *(uint8_t*)0x20001dcf = 0x1a; *(uint16_t*)0x20001dd0 = 1; *(uint8_t*)0x20001dd2 = 0x14; *(uint8_t*)0x20001dd3 = 0x2b; *(uint8_t*)0x20001dd4 = 
0x24; *(uint8_t*)0x20001dd5 = 0x13; *(uint8_t*)0x20001dd6 = -1; memcpy((void*)0x20001dd7, "\x8d\xaa\x8e\x5c\xf5\x9b\xef\x8c\x76\xec\x75\x35\xd6\x3f\xe2\xdc\x76\x86\x32\x1a\xfb\xd7\x29\xf4\xd1\x7d\x62\xa2\x1b\x6f\x2b\x39\x49\x56\x57\x22\x0b\xc5\xd7", 39); *(uint8_t*)0x20001dfe = 0xa3; *(uint8_t*)0x20001dff = 0x24; *(uint8_t*)0x20001e00 = 0x13; *(uint8_t*)0x20001e01 = 3; memcpy((void*)0x20001e02, "\x0b\xaf\xa7\xba\x56\xf9\xbe\x68\xf7\xda\xff\xfa\xbe\x7b\x79\x50\xe7\xf2\xb1\xef\xd5\x30\xab\x53\xda\x30\x66\x50\xae\x48\x61\x82\x51\xbc\x41\xfe\x39\x06\x5b\xb5\x0d\x65\xf1\x5e\x92\x6f\xdb\x88\xac\xb4\xe7\x95\x7b\xff\x5d\x54\x69\xee\x74\x1f\x51\xc1\x17\xd8\xf0\xa4\xb9\xe4\x97\xd8\xd8\x5a\x58\xa4\x25\x85\x5d\xa0\x41\xd9\x1b\xfe\x4c\xd2\x0f\x11\xf6\xc7\xd3\x81\x30\x27\xcd\x74\x92\x1d\xbe\xb6\xe2\x01\x5c\x41\x33\xa2\x98\x32\xb2\xb9\xd3\x42\x30\x4d\xd6\xb7\x09\xda\xea\xea\x5f\x76\x1d\x8c\x06\xf5\x2e\xdd\xa9\xf2\x52\x9a\xc5\x1a\x96\xfa\xb9\xbb\x28\x26\xcc\x63\xfc\xce\x0f\x17\x4d\xe2\xc5\x77\x8a\x4d\x83\xf3\xee\xcf\xdb\x29\x63\x5b\x60", 159); *(uint8_t*)0x20001ea1 = 5; *(uint8_t*)0x20001ea2 = 0x24; *(uint8_t*)0x20001ea3 = 1; *(uint8_t*)0x20001ea4 = 2; *(uint8_t*)0x20001ea5 = 9; *(uint8_t*)0x20001ea6 = 0x15; *(uint8_t*)0x20001ea7 = 0x24; *(uint8_t*)0x20001ea8 = 0x12; *(uint16_t*)0x20001ea9 = 0xc9; *(uint64_t*)0x20001eab = 0x14f5e048ba817a3; *(uint64_t*)0x20001eb3 = 0x2a397ecbffc007a6; *(uint8_t*)0x20001ebb = 7; *(uint8_t*)0x20001ebc = 0x24; *(uint8_t*)0x20001ebd = 0x14; *(uint16_t*)0x20001ebe = 8; *(uint16_t*)0x20001ec0 = 2; *(uint8_t*)0x20001ec2 = 7; *(uint8_t*)0x20001ec3 = 0x24; *(uint8_t*)0x20001ec4 = 0xa; *(uint8_t*)0x20001ec5 = 1; *(uint8_t*)0x20001ec6 = 9; *(uint8_t*)0x20001ec7 = 0xeb; *(uint8_t*)0x20001ec8 = 1; *(uint8_t*)0x20001ec9 = 9; *(uint8_t*)0x20001eca = 5; *(uint8_t*)0x20001ecb = 0xe; *(uint8_t*)0x20001ecc = 3; *(uint16_t*)0x20001ecd = 0x400; *(uint8_t*)0x20001ecf = -1; *(uint8_t*)0x20001ed0 = 0xf9; *(uint8_t*)0x20001ed1 = 0x20; *(uint8_t*)0x20001ed2 = 0x62; 
*(uint8_t*)0x20001ed3 = 0x22; memcpy((void*)0x20001ed4, "\xec\xb3\xf2\xdd\x30\x48\x12\x4f\xa1\xf6\x39\xe7\xd9\x9a\xb0\x90\x3f\x7f\x55\x1f\xbd\x28\x20\x2b\xca\xa0\x38\x82\x72\x62\xde\xfd\x52\x4b\x84\xd6\x77\x8f\x83\xc7\x51\x04\x7e\xa1\x67\x7d\x46\x22\x9a\xc3\x3b\x02\xdb\x68\x65\xc9\x67\x0b\xc4\x76\x29\x02\x05\x45\xfb\xf3\x67\xe1\x28\xc7\xe7\x8e\x05\x97\x2c\xd4\x32\xdd\xc7\x29\x86\x39\x72\xa9\x55\x9b\x80\x60\x63\x55\x0b\x9b\xb7\x99\x2b\x0c", 96); *(uint8_t*)0x20001f34 = 0xed; *(uint8_t*)0x20001f35 = 0x21; memcpy((void*)0x20001f36, "\x1c\x17\xfa\x34\xcf\x24\x8a\x11\x74\x0c\xae\x13\xb9\x90\x62\xcf\x65\x1b\xd3\x66\x3b\xdf\x34\x9a\xfe\xdd\x77\x7e\x6c\xa5\x09\x68\x7c\x73\x08\xb2\xbd\x8a\x56\xd9\x36\xce\xf7\x2c\x17\x60\x9c\x2c\xc7\xb8\x25\xf1\x22\x86\x4f\x3e\x79\xa0\xf9\x56\x3c\xec\xf3\xa2\xde\xa2\xda\xc5\xe4\xd8\x3e\x77\x49\xcf\xb2\xa9\x71\xe0\xf2\xa2\x57\xee\x5e\x91\x27\x9d\x0d\xed\xf7\xaa\xb3\x53\x95\x5c\x32\xbc\xab\x16\xd8\x21\xc1\x86\x8f\x65\x5e\x7f\x50\x3e\xce\x52\xac\xfb\x7c\x30\x70\x09\x7b\x16\x4e\xd6\x22\x3e\xb6\xc1\x83\x9f\xdc\x5c\xc6\xf1\xa9\x2e\xbd\xa8\xad\x2a\x9e\x74\xf7\x46\xcf\x37\x70\x4a\x6c\x73\x07\x61\x89\xee\x38\x90\xb3\xa1\xc5\xcd\xb8\x07\x6a\xde\xc9\xbb\x4e\x53\xa6\x5b\x09\xbc\x52\xa7\x52\x50\xeb\x89\xe2\x40\x7e\xe0\xd0\xd3\x9a\x0b\xd9\x25\xc0\x0a\x5f\xd0\xf3\x4a\xd2\xaf\x88\xbf\x3b\x27\x0f\xe9\x4e\x54\x32\x28\x8a\x66\xb3\xee\x15\xb6\xe2\x4d\xdc\xa8\x96\x39\xfa\xa9\xc4\xb5\x32\x66\x3b\x24\xbf\xbd\xeb\x73\xd0\x9b\x8f\x77\xf7\x6f\xec\x50\x7a", 235); *(uint8_t*)0x20002021 = 9; *(uint8_t*)0x20002022 = 5; *(uint8_t*)0x20002023 = 0xe; *(uint8_t*)0x20002024 = 0; *(uint16_t*)0x20002025 = 0x58; *(uint8_t*)0x20002027 = 4; *(uint8_t*)0x20002028 = 0; *(uint8_t*)0x20002029 = 2; *(uint8_t*)0x2000202a = 9; *(uint8_t*)0x2000202b = 5; *(uint8_t*)0x2000202c = 6; *(uint8_t*)0x2000202d = 8; *(uint16_t*)0x2000202e = 0x40; *(uint8_t*)0x20002030 = 0x40; *(uint8_t*)0x20002031 = 3; *(uint8_t*)0x20002032 = 0x18; *(uint8_t*)0x20002033 = 9; *(uint8_t*)0x20002034 = 5; 
*(uint8_t*)0x20002035 = 0xb; *(uint8_t*)0x20002036 = 0xc; *(uint16_t*)0x20002037 = 0x200; *(uint8_t*)0x20002039 = -1; *(uint8_t*)0x2000203a = 0x47; *(uint8_t*)0x2000203b = 0; *(uint8_t*)0x2000203c = 0x6e; *(uint8_t*)0x2000203d = 0x24; memcpy((void*)0x2000203e, "\xfc\x88\x86\xec\xa1\x2d\xc8\x59\x60\xc8\x49\x7c\x87\x13\x2b\x79\xfe\xa0\xe2\x31\x3e\x4e\x85\x56\x71\x31\x6f\x1c\x7a\x42\xb7\x8b\x2b\xe2\x4c\x0c\xdd\x6a\xf9\xde\x41\xa7\xfb\x57\xfe\x0a\x3c\xa6\xfe\x67\x19\x1c\xe3\x11\x65\xdc\x04\x82\x45\xba\x74\xc8\x86\xd1\x2b\x8a\xcc\xb0\x01\xee\xe2\x30\xdc\x1d\x79\x81\xe4\xd6\xea\x3d\x52\xfd\xc1\xfd\x15\x9f\x71\xfc\x18\xbf\xca\x51\x29\x7b\x23\x48\xc7\x77\xa8\x6b\x16\xc0\x76\x57\x79\x3c\x9b\x75", 108); *(uint8_t*)0x200020aa = 9; *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 7; *(uint8_t*)0x200020ad = 0x10; *(uint16_t*)0x200020ae = 0x20; *(uint8_t*)0x200020b0 = 1; *(uint8_t*)0x200020b1 = 4; *(uint8_t*)0x200020b2 = 4; *(uint8_t*)0x200020b3 = 8; *(uint8_t*)0x200020b4 = 0x23; memcpy((void*)0x200020b5, "\xad\x6e\x68\x32\x31\x24", 6); *(uint8_t*)0x200020bb = 7; *(uint8_t*)0x200020bc = 0x25; *(uint8_t*)0x200020bd = 1; *(uint8_t*)0x200020be = 2; *(uint8_t*)0x200020bf = 0x3f; *(uint16_t*)0x200020c0 = 0x400; *(uint8_t*)0x200020c2 = 9; *(uint8_t*)0x200020c3 = 5; *(uint8_t*)0x200020c4 = 1; *(uint8_t*)0x200020c5 = 0; *(uint16_t*)0x200020c6 = 0x200; *(uint8_t*)0x200020c8 = -1; *(uint8_t*)0x200020c9 = 4; *(uint8_t*)0x200020ca = 5; *(uint8_t*)0x200020cb = 7; *(uint8_t*)0x200020cc = 0x25; *(uint8_t*)0x200020cd = 1; *(uint8_t*)0x200020ce = 0x82; *(uint8_t*)0x200020cf = 2; *(uint16_t*)0x200020d0 = 0x200; *(uint8_t*)0x200020d2 = 7; *(uint8_t*)0x200020d3 = 0x25; *(uint8_t*)0x200020d4 = 1; *(uint8_t*)0x200020d5 = 1; *(uint8_t*)0x200020d6 = 7; *(uint16_t*)0x200020d7 = 4; *(uint8_t*)0x200020d9 = 9; *(uint8_t*)0x200020da = 5; *(uint8_t*)0x200020db = 0x80; *(uint8_t*)0x200020dc = 0x10; *(uint16_t*)0x200020dd = 0x10; *(uint8_t*)0x200020df = 0xcc; *(uint8_t*)0x200020e0 = 8; *(uint8_t*)0x200020e1 
= 0; *(uint8_t*)0x200020e2 = 7; *(uint8_t*)0x200020e3 = 0x25; *(uint8_t*)0x200020e4 = 1; *(uint8_t*)0x200020e5 = 0x81; *(uint8_t*)0x200020e6 = 7; *(uint16_t*)0x200020e7 = 0x3f; *(uint8_t*)0x200020e9 = 0x59; *(uint8_t*)0x200020ea = 0x11; memcpy((void*)0x200020eb, "\xfa\xad\xa8\x09\x32\xb1\x04\x32\xca\x81\xa6\x3c\x83\xdd\x9f\x54\xa4\x05\x10\x86\xef\x07\xb6\xc9\x66\x1e\xf8\xec\x12\x56\x83\xd5\xfc\xad\xa3\xa3\x46\xd0\x8f\x6d\x44\x17\x8f\xd1\xce\x94\xf1\xa6\x92\x1d\x2f\xd1\x4a\x88\xd4\x3a\x80\x51\xe1\x8e\xda\xa3\x98\x06\x45\xfa\x17\x12\x3c\xa6\xc7\x83\xb8\xb2\xc3\xb6\x66\x95\x6f\x52\xb1\x83\x65\x29\x92\xd6\xf5", 87); *(uint8_t*)0x20002142 = 9; *(uint8_t*)0x20002143 = 5; *(uint8_t*)0x20002144 = 7; *(uint8_t*)0x20002145 = 3; *(uint16_t*)0x20002146 = 0x400; *(uint8_t*)0x20002148 = 1; *(uint8_t*)0x20002149 = 0x3f; *(uint8_t*)0x2000214a = 0; *(uint8_t*)0x2000214b = 9; *(uint8_t*)0x2000214c = 5; *(uint8_t*)0x2000214d = 4; *(uint8_t*)0x2000214e = 1; *(uint16_t*)0x2000214f = 0; *(uint8_t*)0x20002151 = 0x81; *(uint8_t*)0x20002152 = 3; *(uint8_t*)0x20002153 = 0; *(uint8_t*)0x20002154 = 7; *(uint8_t*)0x20002155 = 0x25; *(uint8_t*)0x20002156 = 1; *(uint8_t*)0x20002157 = 0x80; *(uint8_t*)0x20002158 = 0xfd; *(uint16_t*)0x20002159 = 0x3e; *(uint8_t*)0x2000215b = 7; *(uint8_t*)0x2000215c = 0x25; *(uint8_t*)0x2000215d = 1; *(uint8_t*)0x2000215e = 0x82; *(uint8_t*)0x2000215f = 6; *(uint16_t*)0x20002160 = 0x8000; *(uint8_t*)0x20002162 = 9; *(uint8_t*)0x20002163 = 5; *(uint8_t*)0x20002164 = 7; *(uint8_t*)0x20002165 = 4; *(uint16_t*)0x20002166 = 0x200; *(uint8_t*)0x20002168 = 4; *(uint8_t*)0x20002169 = 7; *(uint8_t*)0x2000216a = 8; *(uint8_t*)0x2000216b = 7; *(uint8_t*)0x2000216c = 0x25; *(uint8_t*)0x2000216d = 1; *(uint8_t*)0x2000216e = 0; *(uint8_t*)0x2000216f = 0; *(uint16_t*)0x20002170 = 0x3f; *(uint8_t*)0x20002172 = 9; *(uint8_t*)0x20002173 = 4; *(uint8_t*)0x20002174 = 0x7d; *(uint8_t*)0x20002175 = 0xb6; *(uint8_t*)0x20002176 = 8; *(uint8_t*)0x20002177 = 0xe6; *(uint8_t*)0x20002178 = 
0x75; *(uint8_t*)0x20002179 = 0xe1; *(uint8_t*)0x2000217a = 0xf9; *(uint8_t*)0x2000217b = 0x3d; *(uint8_t*)0x2000217c = 0x23; memcpy((void*)0x2000217d, "\x01\x50\xff\xae\x83\xdf\x22\xd1\xd4\xdb\xd8\x24\x54\xe6\x60\x33\x46\x3c\x39\x35\xe3\xd0\xc9\xfc\x2e\xa4\x66\x1f\x73\x10\xc2\xe0\xb0\xac\xed\xd1\x7e\x99\xcf\x96\x0e\xde\x09\xc1\x9e\xda\x6b\xfd\xa6\x99\xd8\xea\xcc\x2a\xba\x4a\xcc\x34\xd4", 59); *(uint8_t*)0x200021b8 = 0xc5; *(uint8_t*)0x200021b9 = 1; memcpy((void*)0x200021ba, "\x57\xfa\x93\x98\x1a\x06\x86\xe5\x12\x23\x65\x11\xf1\x7e\x4e\xc2\xda\xb7\xbd\x00\x5c\x64\xfd\x89\x6f\x94\x94\xca\x05\x97\x58\x3b\x23\x9d\xdd\x29\xc3\x79\x6c\x4a\xd6\x69\x28\x14\x40\xda\x42\x2e\x67\x96\x87\x7a\x9f\x12\x3e\x34\x39\x35\xd9\x0d\xfe\x06\xdd\xfc\x99\xde\xed\xf2\x40\x06\x03\x1d\x9a\x2e\xf4\xb5\x52\x62\x92\x55\xbf\x0e\x7a\x4d\x5d\xd3\xbc\x80\xb2\x66\x08\x11\x41\xbd\xe1\xb1\xa8\x6e\x4f\xfd\x85\x70\x00\xde\xea\xe8\x2f\xb1\x85\x06\x96\xef\x21\x67\xc3\x4a\xd9\x7f\x91\xc1\x4a\xc7\x8e\xcb\x89\x3d\x01\xff\xa9\x8e\x3c\x2d\xfd\xa9\xad\xb7\x62\xb9\xa9\xda\x03\xc6\xc6\x0e\xd9\x57\xfb\x49\x4d\x1c\x96\x0f\x7c\x70\x74\x94\xbd\x98\x4a\x0a\x58\x26\x03\xfb\x87\x24\x8a\xee\xaf\xc1\xb6\x00\x5f\x79\x83\x5b\x38\xb2\xea\xa8\x86\x53\xbc\x93\x42\x7a\x33\xb0\x76\x3e\xa3\x6f\xcd\x98\x7c", 195); *(uint8_t*)0x2000227d = 9; *(uint8_t*)0x2000227e = 5; *(uint8_t*)0x2000227f = 3; *(uint8_t*)0x20002280 = 0; *(uint16_t*)0x20002281 = 0x40; *(uint8_t*)0x20002283 = 4; *(uint8_t*)0x20002284 = 0x7f; *(uint8_t*)0x20002285 = 2; *(uint8_t*)0x20002286 = 7; *(uint8_t*)0x20002287 = 0x25; *(uint8_t*)0x20002288 = 1; *(uint8_t*)0x20002289 = 2; *(uint8_t*)0x2000228a = 5; *(uint16_t*)0x2000228b = 5; *(uint8_t*)0x2000228d = 7; *(uint8_t*)0x2000228e = 0x25; *(uint8_t*)0x2000228f = 1; *(uint8_t*)0x20002290 = 2; *(uint8_t*)0x20002291 = 4; *(uint16_t*)0x20002292 = 5; *(uint8_t*)0x20002294 = 9; *(uint8_t*)0x20002295 = 5; *(uint8_t*)0x20002296 = 0x80; *(uint8_t*)0x20002297 = 0x10; *(uint16_t*)0x20002298 = 0x1ef; *(uint8_t*)0x2000229a = 1; 
*(uint8_t*)0x2000229b = 6; *(uint8_t*)0x2000229c = 7; *(uint8_t*)0x2000229d = 9; *(uint8_t*)0x2000229e = 5; *(uint8_t*)0x2000229f = 0x80; *(uint8_t*)0x200022a0 = 0x10; *(uint16_t*)0x200022a1 = 0x10; *(uint8_t*)0x200022a3 = 0x1f; *(uint8_t*)0x200022a4 = 0x20; *(uint8_t*)0x200022a5 = 0; *(uint8_t*)0x200022a6 = 0xb3; *(uint8_t*)0x200022a7 = 0x21; memcpy((void*)0x200022a8, "\x95\xd3\x40\x5d\x4d\x7a\x6d\xc8\x96\xd9\x0c\x49\x18\xb1\x41\x31\x5c\x1a\xe5\x4b\x08\x82\xc4\xe0\xe3\xcc\x26\x6e\x04\x17\x8f\x9a\xe7\x37\x26\x0a\xc6\x4b\x61\x9d\xdf\x03\x95\x68\x18\x1b\xf9\x2d\xd6\x39\xec\x49\xa0\xb1\xc9\x83\x8b\x4c\xbb\xb2\xfb\xe6\xca\x7b\xe9\xbc\x84\xb7\x71\x77\x86\x7b\xb9\x73\xd8\xc5\xeb\xa1\xb4\x91\x31\xbd\x10\xf6\x45\xcf\xfc\x3d\xd8\xea\x46\x2f\x4b\xa9\x65\xf7\x0a\x01\x4b\xf1\xab\xe9\x26\x96\x63\x63\x4d\xad\x8b\xaf\x99\x38\x6d\x8b\x43\x19\x12\xe4\xdd\xfc\xd1\x15\x6c\x5f\xfe\xab\x20\x7c\xa3\x5f\x22\xf5\xc0\x16\x73\x47\x0d\xee\xa1\xda\x6a\xaf\xfc\xf0\xbb\xa9\xa8\xe4\x55\x42\x0f\x05\x3b\x28\xe4\x04\xfe\xa6\x26\x1d\x36\xc0\x7f\x72\x21\xc4\x98\x6b\x6b\x12\x2c\xcd\xf8\x58\xf4\x81\xba", 177); *(uint8_t*)0x20002359 = 7; *(uint8_t*)0x2000235a = 0x25; *(uint8_t*)0x2000235b = 1; *(uint8_t*)0x2000235c = 0x80; *(uint8_t*)0x2000235d = 0x7f; *(uint16_t*)0x2000235e = 5; *(uint8_t*)0x20002360 = 9; *(uint8_t*)0x20002361 = 5; *(uint8_t*)0x20002362 = 0xc; *(uint8_t*)0x20002363 = 2; *(uint16_t*)0x20002364 = 0x200; *(uint8_t*)0x20002366 = 0; *(uint8_t*)0x20002367 = 6; *(uint8_t*)0x20002368 = 2; *(uint8_t*)0x20002369 = 0xaf; *(uint8_t*)0x2000236a = 0xc1; memcpy((void*)0x2000236b, 
"\x14\x49\xf0\x6f\x81\x61\xd8\x15\x9f\x42\xfb\x34\x7e\xaa\x32\x3c\xf3\xeb\x20\xfd\x5e\x50\x10\x06\xd2\xe4\x0a\x15\x7d\xa8\x33\x53\x6f\xb0\xb3\x22\x43\x65\x91\xa2\xbd\x1d\x2f\xe0\x4e\x16\x98\x58\xe1\x13\x87\xce\x1c\xbe\x1f\x6c\x7d\xc3\x32\xaf\xaa\xdc\xc0\x02\xc5\x83\x20\x44\xe0\x56\x95\x03\x99\xe2\x94\x31\x40\x73\x49\xa8\xa4\x75\x25\x16\x4b\x4e\x6c\xd1\x41\x30\x39\x08\x18\x67\x54\xe0\x28\x2c\x69\x95\xc9\x80\xf5\xe7\xd4\xf3\xc8\x81\xc6\xb9\x1d\x95\x5e\x6a\xc6\x81\xbd\x90\x73\xf4\xe0\x57\x06\xf3\xc3\x12\xd0\x05\xbf\x1c\x59\x10\x95\x6b\xf9\x95\x53\xbb\xa7\xb4\xec\xb3\xf3\x5f\xfb\xe7\xab\x07\x63\x42\x37\x96\xbb\x60\x1e\x3f\x04\x7a\x65\x81\xd5\x2f\xb6\x7c\x62\xd6\xb7\x27\x8c\x76\xaa\xb9\xa5", 173); *(uint8_t*)0x20002418 = 9; *(uint8_t*)0x20002419 = 5; *(uint8_t*)0x2000241a = 0xa; *(uint8_t*)0x2000241b = 0; *(uint16_t*)0x2000241c = 0x400; *(uint8_t*)0x2000241e = 5; *(uint8_t*)0x2000241f = 1; *(uint8_t*)0x20002420 = 6; *(uint8_t*)0x20002421 = 0xf1; *(uint8_t*)0x20002422 = 0x11; memcpy((void*)0x20002423, "\x25\xbf\x1f\x90\xf6\x00\xdc\x8e\xae\x59\x54\xfb\x3e\xc4\xf4\x88\xa9\x26\x14\x9d\x98\x93\xca\x2b\x29\x00\xe2\x45\xf0\x53\x74\x32\xb7\xec\xcd\x35\xa0\xf3\x3f\xe8\x71\xeb\x0d\x17\x44\xd8\x05\x8f\x6d\x67\xf7\xe1\xb9\x7f\x3e\xf4\xe5\xfd\x8a\xc9\xd3\x7d\x37\x49\x05\x66\x1c\x57\x9d\x63\xd9\xbd\x3e\xd5\xcd\x30\xd9\x9e\xf3\x95\xe4\x7c\x9e\x0f\x1b\x7f\x71\x20\x16\x40\x34\x34\x82\x1b\xaa\xce\x41\xad\x73\xef\x6b\x84\xc1\xa4\x1a\xf5\xcb\xb6\xc2\xf6\x54\x62\xa6\xed\x32\x24\x2c\x9d\x51\xda\x99\x15\x86\x28\x60\xc2\x21\x40\xf6\x06\x60\x1c\xfd\x82\xe5\x15\x1e\x1d\xb4\x50\x92\xfe\xcd\x65\x32\x93\xf5\x6c\x65\xb3\x46\xe5\xde\xaf\x14\x09\x50\xa0\xac\x4a\x48\x7e\x3b\xfa\x4f\x9a\xd3\x5e\xef\xf8\x89\x9b\xc2\x23\x07\x98\x02\x26\x00\xa0\x8d\x06\xa9\x24\x36\x11\xb4\x21\xd9\x0f\x1b\x53\xca\x9f\x00\x26\x36\x03\x6f\x11\x25\xed\xa3\xde\xda\xf6\x79\x3f\xc0\x98\xc6\xaf\x9d\xcc\x5a\x53\x8f\xe9\x37\x57\x2b\x4d\x1b\x17\x4b\x58\xba\x03\x37\x14\xd1\x9e\xf1\x08\x5f\x66\x3e\x5c\xd1", 239); *(uint8_t*)0x20002512 
= 9; *(uint8_t*)0x20002513 = 5; *(uint8_t*)0x20002514 = 5; *(uint8_t*)0x20002515 = 8; *(uint16_t*)0x20002516 = 0x400; *(uint8_t*)0x20002518 = 0x44; *(uint8_t*)0x20002519 = 1; *(uint8_t*)0x2000251a = 0; *(uint8_t*)0x2000251b = 7; *(uint8_t*)0x2000251c = 0x25; *(uint8_t*)0x2000251d = 1; *(uint8_t*)0x2000251e = 0x85; *(uint8_t*)0x2000251f = 0x9b; *(uint16_t*)0x20002520 = 0x100; *(uint8_t*)0x20002522 = 7; *(uint8_t*)0x20002523 = 0x25; *(uint8_t*)0x20002524 = 1; *(uint8_t*)0x20002525 = 0x82; *(uint8_t*)0x20002526 = 7; *(uint16_t*)0x20002527 = 1; *(uint8_t*)0x20002529 = 9; *(uint8_t*)0x2000252a = 5; *(uint8_t*)0x2000252b = 3; *(uint8_t*)0x2000252c = 0x10; *(uint16_t*)0x2000252d = 0x20; *(uint8_t*)0x2000252f = 2; *(uint8_t*)0x20002530 = 4; *(uint8_t*)0x20002531 = 3; *(uint8_t*)0x20002532 = 9; *(uint8_t*)0x20002533 = 5; *(uint8_t*)0x20002534 = 1; *(uint8_t*)0x20002535 = 0; *(uint16_t*)0x20002536 = 0x40; *(uint8_t*)0x20002538 = 0x80; *(uint8_t*)0x20002539 = 7; *(uint8_t*)0x2000253a = 0x27; *(uint8_t*)0x2000253b = 7; *(uint8_t*)0x2000253c = 0x25; *(uint8_t*)0x2000253d = 1; *(uint8_t*)0x2000253e = 0x80; *(uint8_t*)0x2000253f = 6; *(uint16_t*)0x20002540 = 8; *(uint32_t*)0x20002840 = 0xa; *(uint32_t*)0x20002844 = 0x20002580; *(uint8_t*)0x20002580 = 0xa; *(uint8_t*)0x20002581 = 6; *(uint16_t*)0x20002582 = 0x5098; *(uint8_t*)0x20002584 = 0xfc; *(uint8_t*)0x20002585 = 0x1f; *(uint8_t*)0x20002586 = 0; *(uint8_t*)0x20002587 = 0x10; *(uint8_t*)0x20002588 = 0xe4; *(uint8_t*)0x20002589 = 0; *(uint32_t*)0x20002848 = 0xf5; *(uint32_t*)0x2000284c = 0x200025c0; *(uint8_t*)0x200025c0 = 5; *(uint8_t*)0x200025c1 = 0xf; *(uint16_t*)0x200025c2 = 0xf5; *(uint8_t*)0x200025c4 = 4; *(uint8_t*)0x200025c5 = 7; *(uint8_t*)0x200025c6 = 0x10; *(uint8_t*)0x200025c7 = 2; STORE_BY_BITMASK(uint32_t, , 0x200025c8, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200025c9, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200025ca, 0xffff, 0, 16); *(uint8_t*)0x200025cc = 
0x1c; *(uint8_t*)0x200025cd = 0x10; *(uint8_t*)0x200025ce = 0xa; *(uint8_t*)0x200025cf = 0; STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025d0, 4, 5, 27); *(uint16_t*)0x200025d4 = 0xf0f; *(uint16_t*)0x200025d6 = 0x77e; *(uint32_t*)0x200025d8 = 0xc000; *(uint32_t*)0x200025dc = 0x30; *(uint32_t*)0x200025e0 = 0; *(uint32_t*)0x200025e4 = 0; *(uint8_t*)0x200025e8 = 0x1c; *(uint8_t*)0x200025e9 = 0x10; *(uint8_t*)0x200025ea = 0xa; *(uint8_t*)0x200025eb = 1; STORE_BY_BITMASK(uint32_t, , 0x200025ec, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200025ec, 0x79ea, 5, 27); *(uint16_t*)0x200025f0 = 0xf000; *(uint16_t*)0x200025f2 = 4; *(uint32_t*)0x200025f4 = 0xc0cf; *(uint32_t*)0x200025f8 = 0xff3f3f; *(uint32_t*)0x200025fc = 0xffc05f; *(uint32_t*)0x20002600 = 0xff0000; *(uint8_t*)0x20002604 = 0xb1; *(uint8_t*)0x20002605 = 0x10; *(uint8_t*)0x20002606 = 3; memcpy((void*)0x20002607, "\xc5\xbb\x02\x01\xc8\x2e\x60\xfa\x0a\x8b\x07\xbb\xce\xfb\xe1\x38\x07\x98\x38\xcb\xf1\x31\x61\xf6\x9e\xc1\x70\x63\x7e\x6c\x50\x4f\x0d\xf5\x87\x10\x11\x2f\x24\x59\xc5\x0d\xf8\x5c\x73\xa1\x43\xe1\x8f\xd8\x46\xa7\x86\xad\xd8\xa3\x59\xc8\x82\xc3\xc6\x03\x8f\x90\xc4\x9c\xa6\x3e\x13\x45\x57\x94\xd7\x59\x24\x4a\x2b\xd1\xee\x5a\x20\x3c\xef\x62\xac\xd3\x2e\x97\xd1\x5a\xfe\x1d\x47\xad\x5c\x52\x34\xca\x6f\xea\x0c\x02\x21\x84\x57\x86\x47\xd6\x9b\xce\x06\xbc\x22\xd5\xde\xae\x21\xba\xaf\x87\x0c\x3c\x6e\x90\x21\x21\x1f\xda\x07\xe7\x36\x07\xe1\x64\x61\xe2\x25\x26\xa7\x0a\xb2\xe2\x1f\x89\xd1\xb1\xa9\x52\x15\xc6\x44\xee\x7b\x4b\x97\xd3\x42\xf0\x6c\xca\x75\xc1\x7e\xaf\x3d\x1f\x57\x8b\xec\x9e\x1b\x55\x4c\x49", 174); *(uint32_t*)0x20002850 = 4; *(uint32_t*)0x20002854 = 4; *(uint32_t*)0x20002858 = 0x200026c0; *(uint8_t*)0x200026c0 = 4; *(uint8_t*)0x200026c1 = 3; *(uint16_t*)0x200026c2 = 0x430; *(uint32_t*)0x2000285c = 4; *(uint32_t*)0x20002860 = 0x20002700; *(uint8_t*)0x20002700 = 4; *(uint8_t*)0x20002701 = 3; *(uint16_t*)0x20002702 = 0x240a; *(uint32_t*)0x20002864 = 4; 
*(uint32_t*)0x20002868 = 0x20002740; *(uint8_t*)0x20002740 = 4; *(uint8_t*)0x20002741 = 3; *(uint16_t*)0x20002742 = 0x458; *(uint32_t*)0x2000286c = 0xb1; *(uint32_t*)0x20002870 = 0x20002780; *(uint8_t*)0x20002780 = 0xb1; *(uint8_t*)0x20002781 = 3; memcpy((void*)0x20002782, "\x22\x73\xbd\xc4\x6b\x60\xf9\x28\x12\x34\x92\x09\x6f\x1a\x60\x52\x20\x67\xca\x30\x22\x9e\x52\x18\x76\xbc\x23\x04\xc3\x20\x59\x6f\xd2\x5f\x10\x25\x4b\x5c\x9d\xa5\x73\x77\x73\x8b\xcc\xfb\xbc\x37\xf2\x7f\x54\x18\x33\xa2\xdf\xa0\x6b\x92\x9d\x0d\x37\x44\xff\x77\xd9\x33\x0d\x5a\x63\xe4\xbb\x26\x8c\xe2\x9e\x81\xde\x86\xde\x6c\xbb\xec\x22\xf1\x51\xe7\xfa\x25\xd2\xba\x9e\xad\x8f\x62\xd5\xea\xc2\xd6\x42\x44\x65\xb3\xcb\x64\x81\xdb\xf5\x0d\xf0\x43\xe6\x8b\x8d\x13\x3e\x27\xb4\xae\x1c\x9c\xcf\x8a\x81\x02\x7b\x65\x6d\x44\x2b\xbc\xbe\x5c\xfc\xcd\x0c\x0c\xa3\x8b\x73\x35\x6e\xd5\xc3\x7e\xa0\x89\x46\x97\xea\x5b\x37\xdb\x2f\x60\x7d\x4e\x95\x8c\xf9\x78\x48\xef\x24\xee\xe8\x17\xf9\x65\x03\x65\x0d\x0f\x3b\xab\xcf", 175); res = -1; res = syz_usb_connect(4, 0x882, 0x20001cc0, 0x20002840); if (res != -1) r[13] = res; break; case 35: *(uint8_t*)0x20002880 = 0x12; *(uint8_t*)0x20002881 = 1; *(uint16_t*)0x20002882 = 0x200; *(uint8_t*)0x20002884 = -1; *(uint8_t*)0x20002885 = -1; *(uint8_t*)0x20002886 = -1; *(uint8_t*)0x20002887 = 0x40; *(uint16_t*)0x20002888 = 0xcf3; *(uint16_t*)0x2000288a = 0x9271; *(uint16_t*)0x2000288c = 0x108; *(uint8_t*)0x2000288e = 1; *(uint8_t*)0x2000288f = 2; *(uint8_t*)0x20002890 = 3; *(uint8_t*)0x20002891 = 1; *(uint8_t*)0x20002892 = 9; *(uint8_t*)0x20002893 = 2; *(uint16_t*)0x20002894 = 0x48; *(uint8_t*)0x20002896 = 1; *(uint8_t*)0x20002897 = 1; *(uint8_t*)0x20002898 = 0; *(uint8_t*)0x20002899 = 0x80; *(uint8_t*)0x2000289a = 0xfa; *(uint8_t*)0x2000289b = 9; *(uint8_t*)0x2000289c = 4; *(uint8_t*)0x2000289d = 0; *(uint8_t*)0x2000289e = 0; *(uint8_t*)0x2000289f = 6; *(uint8_t*)0x200028a0 = -1; *(uint8_t*)0x200028a1 = 0; *(uint8_t*)0x200028a2 = 0; *(uint8_t*)0x200028a3 = 0; *(uint8_t*)0x200028a4 = 9; 
*(uint8_t*)0x200028a5 = 5; *(uint8_t*)0x200028a6 = 1; *(uint8_t*)0x200028a7 = 2; *(uint16_t*)0x200028a8 = 0x200; *(uint8_t*)0x200028aa = 0; *(uint8_t*)0x200028ab = 0; *(uint8_t*)0x200028ac = 0; *(uint8_t*)0x200028ad = 9; *(uint8_t*)0x200028ae = 5; *(uint8_t*)0x200028af = 0x82; *(uint8_t*)0x200028b0 = 2; *(uint16_t*)0x200028b1 = 0x200; *(uint8_t*)0x200028b3 = 0; *(uint8_t*)0x200028b4 = 0; *(uint8_t*)0x200028b5 = 0; *(uint8_t*)0x200028b6 = 9; *(uint8_t*)0x200028b7 = 5; *(uint8_t*)0x200028b8 = 0x83; *(uint8_t*)0x200028b9 = 3; *(uint16_t*)0x200028ba = 0x40; *(uint8_t*)0x200028bc = 1; *(uint8_t*)0x200028bd = 0; *(uint8_t*)0x200028be = 0; *(uint8_t*)0x200028bf = 9; *(uint8_t*)0x200028c0 = 5; *(uint8_t*)0x200028c1 = 4; *(uint8_t*)0x200028c2 = 3; *(uint16_t*)0x200028c3 = 0x40; *(uint8_t*)0x200028c5 = 1; *(uint8_t*)0x200028c6 = 0; *(uint8_t*)0x200028c7 = 0; *(uint8_t*)0x200028c8 = 9; *(uint8_t*)0x200028c9 = 5; *(uint8_t*)0x200028ca = 5; *(uint8_t*)0x200028cb = 2; *(uint16_t*)0x200028cc = 0x200; *(uint8_t*)0x200028ce = 0; *(uint8_t*)0x200028cf = 0; *(uint8_t*)0x200028d0 = 0; *(uint8_t*)0x200028d1 = 9; *(uint8_t*)0x200028d2 = 5; *(uint8_t*)0x200028d3 = 6; *(uint8_t*)0x200028d4 = 2; *(uint16_t*)0x200028d5 = 0x200; *(uint8_t*)0x200028d7 = 0; *(uint8_t*)0x200028d8 = 0; *(uint8_t*)0x200028d9 = 0; syz_usb_connect_ath9k(3, 0x5a, 0x20002880, 0); break; case 36: *(uint8_t*)0x20002900 = 0x12; *(uint8_t*)0x20002901 = 1; *(uint16_t*)0x20002902 = 0x300; *(uint8_t*)0x20002904 = 0; *(uint8_t*)0x20002905 = 0; *(uint8_t*)0x20002906 = 0; *(uint8_t*)0x20002907 = 0x40; *(uint16_t*)0x20002908 = 0x1d6b; *(uint16_t*)0x2000290a = 0x101; *(uint16_t*)0x2000290c = 0x40; *(uint8_t*)0x2000290e = 1; *(uint8_t*)0x2000290f = 2; *(uint8_t*)0x20002910 = 3; *(uint8_t*)0x20002911 = 1; *(uint8_t*)0x20002912 = 9; *(uint8_t*)0x20002913 = 2; *(uint16_t*)0x20002914 = 0xee; *(uint8_t*)0x20002916 = 3; *(uint8_t*)0x20002917 = 1; *(uint8_t*)0x20002918 = 6; *(uint8_t*)0x20002919 = 0x20; *(uint8_t*)0x2000291a = 1; 
*(uint8_t*)0x2000291b = 9; *(uint8_t*)0x2000291c = 4; *(uint8_t*)0x2000291d = 0; *(uint8_t*)0x2000291e = 0; *(uint8_t*)0x2000291f = 0; *(uint8_t*)0x20002920 = 1; *(uint8_t*)0x20002921 = 1; *(uint8_t*)0x20002922 = 0; *(uint8_t*)0x20002923 = 0; *(uint8_t*)0x20002924 = 0xa; *(uint8_t*)0x20002925 = 0x24; *(uint8_t*)0x20002926 = 1; *(uint16_t*)0x20002927 = 0xace; *(uint8_t*)0x20002929 = 2; *(uint8_t*)0x2000292a = 2; *(uint8_t*)0x2000292b = 1; *(uint8_t*)0x2000292c = 2; *(uint8_t*)0x2000292d = 7; *(uint8_t*)0x2000292e = 0x24; *(uint8_t*)0x2000292f = 8; *(uint8_t*)0x20002930 = 5; *(uint16_t*)0x20002931 = 2; *(uint8_t*)0x20002933 = 5; *(uint8_t*)0x20002934 = 7; *(uint8_t*)0x20002935 = 0x24; *(uint8_t*)0x20002936 = 8; *(uint8_t*)0x20002937 = 6; *(uint16_t*)0x20002938 = -1; *(uint8_t*)0x2000293a = 0x30; *(uint8_t*)0x2000293b = 0xa; *(uint8_t*)0x2000293c = 0x24; *(uint8_t*)0x2000293d = 4; *(uint8_t*)0x2000293e = 4; *(uint8_t*)0x2000293f = 0x40; memcpy((void*)0x20002940, "\x7d\xa3\xb2\xb2\x72", 5); *(uint8_t*)0x20002945 = 9; *(uint8_t*)0x20002946 = 0x24; *(uint8_t*)0x20002947 = 8; *(uint8_t*)0x20002948 = 5; *(uint16_t*)0x20002949 = 0; *(uint8_t*)0x2000294b = 0x40; memcpy((void*)0x2000294c, "\tD", 2); *(uint8_t*)0x2000294e = 9; *(uint8_t*)0x2000294f = 4; *(uint8_t*)0x20002950 = 1; *(uint8_t*)0x20002951 = 0; *(uint8_t*)0x20002952 = 0; *(uint8_t*)0x20002953 = 1; *(uint8_t*)0x20002954 = 2; *(uint8_t*)0x20002955 = 0; *(uint8_t*)0x20002956 = 0; *(uint8_t*)0x20002957 = 9; *(uint8_t*)0x20002958 = 4; *(uint8_t*)0x20002959 = 1; *(uint8_t*)0x2000295a = 1; *(uint8_t*)0x2000295b = 1; *(uint8_t*)0x2000295c = 1; *(uint8_t*)0x2000295d = 2; *(uint8_t*)0x2000295e = 0; *(uint8_t*)0x2000295f = 0; *(uint8_t*)0x20002960 = 0x11; *(uint8_t*)0x20002961 = 0x24; *(uint8_t*)0x20002962 = 2; *(uint8_t*)0x20002963 = 2; *(uint16_t*)0x20002964 = 0x1000; *(uint16_t*)0x20002966 = 6; *(uint8_t*)0x20002968 = 9; memcpy((void*)0x20002969, "\x94\xaa\x0c\xfe\xa6\xa4\xc0\x98", 8); *(uint8_t*)0x20002971 = 7; 
*(uint8_t*)0x20002972 = 0x24; *(uint8_t*)0x20002973 = 1; *(uint8_t*)0x20002974 = 0xf7; *(uint8_t*)0x20002975 = 0xc1; *(uint16_t*)0x20002976 = 4; *(uint8_t*)0x20002978 = 0xe; *(uint8_t*)0x20002979 = 0x24; *(uint8_t*)0x2000297a = 2; *(uint8_t*)0x2000297b = 1; *(uint8_t*)0x2000297c = 0x3f; *(uint8_t*)0x2000297d = 2; *(uint8_t*)0x2000297e = 0xae; *(uint8_t*)0x2000297f = 7; memcpy((void*)0x20002980, "\x5b\x6f\xe7\xb1\x95\x51", 6); *(uint8_t*)0x20002986 = 0xe; *(uint8_t*)0x20002987 = 0x24; *(uint8_t*)0x20002988 = 2; *(uint8_t*)0x20002989 = 2; *(uint16_t*)0x2000298a = 0xfff8; *(uint16_t*)0x2000298c = 0x56d; *(uint8_t*)0x2000298e = 0x1f; memcpy((void*)0x2000298f, "\x51\x8f\x29\xb9\x20", 5); *(uint8_t*)0x20002994 = 0xe; *(uint8_t*)0x20002995 = 0x24; *(uint8_t*)0x20002996 = 2; *(uint8_t*)0x20002997 = 2; *(uint16_t*)0x20002998 = 4; *(uint16_t*)0x2000299a = 0; *(uint8_t*)0x2000299c = 0x80; memcpy((void*)0x2000299d, "\x3f\x5e\x8a\xa3\xac", 5); *(uint8_t*)0x200029a2 = 9; *(uint8_t*)0x200029a3 = 5; *(uint8_t*)0x200029a4 = 1; *(uint8_t*)0x200029a5 = 9; *(uint16_t*)0x200029a6 = 0x10; *(uint8_t*)0x200029a8 = 0x9c; *(uint8_t*)0x200029a9 = 7; *(uint8_t*)0x200029aa = 6; *(uint8_t*)0x200029ab = 7; *(uint8_t*)0x200029ac = 0x25; *(uint8_t*)0x200029ad = 1; *(uint8_t*)0x200029ae = 0; *(uint8_t*)0x200029af = 0x44; *(uint16_t*)0x200029b0 = 0xff8a; *(uint8_t*)0x200029b2 = 9; *(uint8_t*)0x200029b3 = 4; *(uint8_t*)0x200029b4 = 2; *(uint8_t*)0x200029b5 = 0; *(uint8_t*)0x200029b6 = 0; *(uint8_t*)0x200029b7 = 1; *(uint8_t*)0x200029b8 = 2; *(uint8_t*)0x200029b9 = 0; *(uint8_t*)0x200029ba = 0; *(uint8_t*)0x200029bb = 9; *(uint8_t*)0x200029bc = 4; *(uint8_t*)0x200029bd = 2; *(uint8_t*)0x200029be = 1; *(uint8_t*)0x200029bf = 1; *(uint8_t*)0x200029c0 = 1; *(uint8_t*)0x200029c1 = 2; *(uint8_t*)0x200029c2 = 0; *(uint8_t*)0x200029c3 = 0; *(uint8_t*)0x200029c4 = 0xa; *(uint8_t*)0x200029c5 = 0x24; *(uint8_t*)0x200029c6 = 2; *(uint8_t*)0x200029c7 = 1; *(uint8_t*)0x200029c8 = 7; *(uint8_t*)0x200029c9 = 4; 
*(uint8_t*)0x200029ca = 0xf7; *(uint8_t*)0x200029cb = 0xf8; memcpy((void*)0x200029cc, "H]", 2); *(uint8_t*)0x200029ce = 0xd; *(uint8_t*)0x200029cf = 0x24; *(uint8_t*)0x200029d0 = 2; *(uint8_t*)0x200029d1 = 1; *(uint8_t*)0x200029d2 = 7; *(uint8_t*)0x200029d3 = 1; *(uint8_t*)0x200029d4 = -1; *(uint8_t*)0x200029d5 = 0x72; memcpy((void*)0x200029d6, "\x5c\x5a\xe7\x2e\x12", 5); *(uint8_t*)0x200029db = 0xd; *(uint8_t*)0x200029dc = 0x24; *(uint8_t*)0x200029dd = 2; *(uint8_t*)0x200029de = 1; *(uint8_t*)0x200029df = 3; *(uint8_t*)0x200029e0 = 4; *(uint8_t*)0x200029e1 = 3; *(uint8_t*)0x200029e2 = 1; memcpy((void*)0x200029e3, "\xfa\x23\xa4", 3); memcpy((void*)0x200029e6, "q3", 2); *(uint8_t*)0x200029e8 = 8; *(uint8_t*)0x200029e9 = 0x24; *(uint8_t*)0x200029ea = 2; *(uint8_t*)0x200029eb = 1; *(uint8_t*)0x200029ec = 0x71; *(uint8_t*)0x200029ed = 2; *(uint8_t*)0x200029ee = 0; *(uint8_t*)0x200029ef = 6; *(uint8_t*)0x200029f0 = 9; *(uint8_t*)0x200029f1 = 5; *(uint8_t*)0x200029f2 = 0x82; *(uint8_t*)0x200029f3 = 9; *(uint16_t*)0x200029f4 = 0x200; *(uint8_t*)0x200029f6 = 0x7f; *(uint8_t*)0x200029f7 = 0x7f; *(uint8_t*)0x200029f8 = 0x7f; *(uint8_t*)0x200029f9 = 7; *(uint8_t*)0x200029fa = 0x25; *(uint8_t*)0x200029fb = 1; *(uint8_t*)0x200029fc = 2; *(uint8_t*)0x200029fd = 1; *(uint16_t*)0x200029fe = 8; *(uint32_t*)0x20002b80 = 0xa; *(uint32_t*)0x20002b84 = 0x20002a00; *(uint8_t*)0x20002a00 = 0xa; *(uint8_t*)0x20002a01 = 6; *(uint16_t*)0x20002a02 = 0x300; *(uint8_t*)0x20002a04 = 0x7f; *(uint8_t*)0x20002a05 = 0x5d; *(uint8_t*)0x20002a06 = 0x5c; *(uint8_t*)0x20002a07 = 0x40; *(uint8_t*)0x20002a08 = 0; *(uint8_t*)0x20002a09 = 0; *(uint32_t*)0x20002b88 = 0x31; *(uint32_t*)0x20002b8c = 0x20002a40; *(uint8_t*)0x20002a40 = 5; *(uint8_t*)0x20002a41 = 0xf; *(uint16_t*)0x20002a42 = 0x31; *(uint8_t*)0x20002a44 = 4; *(uint8_t*)0x20002a45 = 0xb; *(uint8_t*)0x20002a46 = 0x10; *(uint8_t*)0x20002a47 = 1; *(uint8_t*)0x20002a48 = 0xc; *(uint16_t*)0x20002a49 = 0x80; *(uint8_t*)0x20002a4b = 0x20; 
*(uint8_t*)0x20002a4c = 1; *(uint16_t*)0x20002a4d = 2; *(uint8_t*)0x20002a4f = 0x40; *(uint8_t*)0x20002a50 = 0xc; *(uint8_t*)0x20002a51 = 0x10; *(uint8_t*)0x20002a52 = 0xa; *(uint8_t*)0x20002a53 = 4; STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20002a54, 0xd3f, 5, 27); *(uint16_t*)0x20002a58 = 0xf000; *(uint16_t*)0x20002a5a = 8; *(uint8_t*)0x20002a5c = 0xb; *(uint8_t*)0x20002a5d = 0x10; *(uint8_t*)0x20002a5e = 1; *(uint8_t*)0x20002a5f = 0xc; *(uint16_t*)0x20002a60 = 0x80; *(uint8_t*)0x20002a62 = 2; *(uint8_t*)0x20002a63 = 5; *(uint16_t*)0x20002a64 = 4; *(uint8_t*)0x20002a66 = 2; *(uint8_t*)0x20002a67 = 0xa; *(uint8_t*)0x20002a68 = 0x10; *(uint8_t*)0x20002a69 = 3; *(uint8_t*)0x20002a6a = 2; *(uint16_t*)0x20002a6b = 6; *(uint8_t*)0x20002a6d = 0; *(uint8_t*)0x20002a6e = -1; *(uint16_t*)0x20002a6f = 0x7f; *(uint32_t*)0x20002b90 = 4; *(uint32_t*)0x20002b94 = 4; *(uint32_t*)0x20002b98 = 0x20002a80; *(uint8_t*)0x20002a80 = 4; *(uint8_t*)0x20002a81 = 3; *(uint16_t*)0x20002a82 = 0x40f; *(uint32_t*)0x20002b9c = 4; *(uint32_t*)0x20002ba0 = 0x20002ac0; *(uint8_t*)0x20002ac0 = 4; *(uint8_t*)0x20002ac1 = 3; *(uint16_t*)0x20002ac2 = 0xc35; *(uint32_t*)0x20002ba4 = 0x2b; *(uint32_t*)0x20002ba8 = 0x20002b00; *(uint8_t*)0x20002b00 = 0x2b; *(uint8_t*)0x20002b01 = 3; memcpy((void*)0x20002b02, "\xa2\x8e\x84\xc0\xcf\x02\xc0\x7c\x3c\x0d\xa8\x29\x45\x06\x55\x6d\x63\x3c\x7a\x73\x5b\xfb\x75\xcd\x80\xaf\xc6\xad\xe8\xe4\xb5\x80\x10\x3c\xed\x6d\x9c\x87\xa5\xfe\x77", 41); *(uint32_t*)0x20002bac = 4; *(uint32_t*)0x20002bb0 = 0x20002b40; *(uint8_t*)0x20002b40 = 4; *(uint8_t*)0x20002b41 = 3; *(uint16_t*)0x20002b42 = 0xf8ff; res = -1; res = syz_usb_connect(1, 0x100, 0x20002900, 0x20002b80); if (res != -1) r[14] = res; break; case 37: *(uint32_t*)0x20002e40 = 0x18; *(uint32_t*)0x20002e44 = 0x20002bc0; *(uint8_t*)0x20002bc0 = 0; *(uint8_t*)0x20002bc1 = 0x22; *(uint32_t*)0x20002bc2 = 0xb9; *(uint8_t*)0x20002bc6 = 0xb9; *(uint8_t*)0x20002bc7 = 0xa; 
memcpy((void*)0x20002bc8, "\x83\xcf\x6e\x9b\x94\x2d\x8a\x47\x07\x4a\xc2\xe8\x02\xb4\x83\x78\xec\xdc\xa7\x95\x6d\xb2\x72\x7b\x85\x7b\x60\xf4\xe9\xd0\xc6\x9e\x1c\x9a\x9a\xce\xb6\x1c\xf1\x7c\xc7\x71\x67\x92\x3b\x84\xe2\x33\x72\xc5\xcf\x40\xcf\x1b\xbb\x74\x93\xe5\x00\xb7\xef\xfa\xf1\xb2\x04\xee\x03\x4b\xe1\x10\x99\xe5\x15\x67\xa8\x7a\xe0\xbd\xe2\x10\xda\x92\x12\x4d\x04\xa7\x3a\x14\xdb\xd6\x00\xde\xdd\x92\x09\x53\xc4\x72\xed\xa1\xba\x46\xdb\xbb\x1e\xc4\x74\xc8\x79\x48\x49\x12\x4d\xcf\x32\xd5\xc1\x5f\xb1\x43\x97\xb1\x3c\x3d\x3c\x11\xa7\xa6\x07\xc6\xb6\xd5\x57\xc2\x80\x6d\x9c\x27\x83\xbc\x1e\xf5\x6c\x96\x7b\xde\x90\xce\x4a\x42\x13\x61\x16\x7c\x1a\x74\xc6\x52\x72\x85\xce\x42\x5e\xa4\x98\x88\x4d\x7c\xc9\xef\x76\x52\x6a\x46\xa1\xc4\x36\x07\x68\x98\x0b\x39\xb3", 183); *(uint32_t*)0x20002e48 = 0x20002c80; *(uint8_t*)0x20002c80 = 0; *(uint8_t*)0x20002c81 = 3; *(uint32_t*)0x20002c82 = 0xd7; *(uint8_t*)0x20002c86 = 0xd7; *(uint8_t*)0x20002c87 = 3; memcpy((void*)0x20002c88, "\x61\x16\x8f\x70\x0d\x17\x87\xde\x19\xd3\xe8\x6f\xb3\xac\x5e\x96\x4c\xc5\xed\xe8\x73\x35\x1c\xa2\x62\xcc\x8f\xc5\x99\x65\x14\x31\xc7\x6d\xba\xd0\x2d\xd8\x35\xf0\xda\x83\xa5\x34\x7c\xc2\x1f\xc4\xf5\x04\xb2\x3b\xb3\x2a\x7a\x67\x71\x3d\xb4\x48\x06\x11\xe6\xe2\xec\xa4\xf0\xb4\x98\xf7\x00\x35\x5d\xb6\x8d\xf7\xd5\xcf\x46\xba\x2b\x03\x60\x90\xaf\x69\x5a\x75\x96\xb7\xd2\x42\xb4\x62\xbc\xf6\xe2\x09\x1f\xb8\x32\x48\xfe\x2a\x1c\x48\xdb\xcd\xb0\x7c\x96\x66\x03\x7d\x12\x1b\x68\x93\xdc\xb9\x45\xbd\xd7\xcf\x14\x07\x5f\x80\x53\x02\xa4\x5f\xbb\x62\x65\x2b\xd6\x93\xb3\x24\x0b\x5c\x6a\x76\xf6\x90\xcd\xc9\x22\x15\x79\xec\x71\xdd\x25\x3c\xa4\x25\x01\x44\xe1\x16\x0b\xc0\x39\xad\x44\xf6\xd5\x1c\x96\xad\x95\x0c\x87\x2c\xf6\x26\xb0\xd5\x59\xe8\x1c\x0b\xec\x93\x4c\xb3\x23\x25\xdb\xb9\xce\x8f\x5d\x0d\x94\x30\x20\xb4\xa0\x79\x5c\x1f\x27\x74\xe2\x20\x7d\x0b\xe8\xaa\x41", 213); *(uint32_t*)0x20002e4c = 0x20002d80; *(uint8_t*)0x20002d80 = 0; *(uint8_t*)0x20002d81 = 0xf; *(uint32_t*)0x20002d82 = 0xc; *(uint8_t*)0x20002d86 = 5; 
*(uint8_t*)0x20002d87 = 0xf; *(uint16_t*)0x20002d88 = 0xc; *(uint8_t*)0x20002d8a = 1; *(uint8_t*)0x20002d8b = 7; *(uint8_t*)0x20002d8c = 0x10; *(uint8_t*)0x20002d8d = 2; STORE_BY_BITMASK(uint32_t, , 0x20002d8e, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 2, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d8f, 5, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x20002d90, 2, 0, 16); *(uint32_t*)0x20002e50 = 0x20002dc0; *(uint8_t*)0x20002dc0 = 0x20; *(uint8_t*)0x20002dc1 = 0x29; *(uint32_t*)0x20002dc2 = 0xf; *(uint8_t*)0x20002dc6 = 0xf; *(uint8_t*)0x20002dc7 = 0x29; *(uint8_t*)0x20002dc8 = 3; *(uint16_t*)0x20002dc9 = 8; *(uint8_t*)0x20002dcb = 0x40; *(uint8_t*)0x20002dcc = 0x7f; memcpy((void*)0x20002dcd, "\x77\xbc\x77\x38", 4); memcpy((void*)0x20002dd1, "\xf1\xdb\x00\x3c", 4); *(uint32_t*)0x20002e54 = 0x20002e00; *(uint8_t*)0x20002e00 = 0x20; *(uint8_t*)0x20002e01 = 0x2a; *(uint32_t*)0x20002e02 = 0xc; *(uint8_t*)0x20002e06 = 0xc; *(uint8_t*)0x20002e07 = 0x2a; *(uint8_t*)0x20002e08 = 1; *(uint16_t*)0x20002e09 = 0x10; *(uint8_t*)0x20002e0b = 0; *(uint8_t*)0x20002e0c = 0x20; *(uint8_t*)0x20002e0d = 8; *(uint16_t*)0x20002e0e = 0x3ec; *(uint16_t*)0x20002e10 = -1; *(uint32_t*)0x20003300 = 0x44; *(uint32_t*)0x20003304 = 0x20002e80; *(uint8_t*)0x20002e80 = 0x20; *(uint8_t*)0x20002e81 = 0x12; *(uint32_t*)0x20002e82 = 0x7c; memcpy((void*)0x20002e86, "\xbc\x67\xb7\x86\xae\x12\xc3\xf7\xc6\xdb\xb8\x56\x0d\x2b\x24\x21\x94\xc2\x19\x9a\xfa\x19\xd2\xb4\x2b\x1a\x0c\x8a\x11\xe1\xa5\xef\x14\x6f\x39\x5c\x36\x13\xf4\xdf\xea\xdd\xa7\xc2\x4b\x50\x6d\x5b\x32\xa6\xa3\xf9\xa0\xea\xc9\x8a\x93\x5e\x64\x7a\x1c\x83\x8d\x4e\x09\xd5\x30\x63\x5f\x43\x35\x8b\x5b\x10\xc5\xf0\x4b\xc6\x3b\x3b\xf9\x6b\x52\x34\x35\x9d\x4e\xad\x9d\x51\x21\x7e\x65\xc9\xb0\x50\x99\x90\xb0\x0d\x1a\xfb\x24\x2c\x87\x66\x0d\x04\xf9\x64\x8f\xf7\x9c\xe1\x43\xb1\xa9\x48\x98\x1c\x28\xf5\x01\x71", 124); *(uint32_t*)0x20003308 = 0x20002f40; *(uint8_t*)0x20002f40 = 0; *(uint8_t*)0x20002f41 = 0xa; *(uint32_t*)0x20002f42 = 1; 
*(uint8_t*)0x20002f46 = 0x4c; *(uint32_t*)0x2000330c = 0x20002f80; *(uint8_t*)0x20002f80 = 0; *(uint8_t*)0x20002f81 = 8; *(uint32_t*)0x20002f82 = 1; *(uint8_t*)0x20002f86 = 1; *(uint32_t*)0x20003310 = 0x20002fc0; *(uint8_t*)0x20002fc0 = 0x20; *(uint8_t*)0x20002fc1 = 0; *(uint32_t*)0x20002fc2 = 4; *(uint16_t*)0x20002fc6 = 1; *(uint16_t*)0x20002fc8 = 3; *(uint32_t*)0x20003314 = 0x20003000; *(uint8_t*)0x20003000 = 0x20; *(uint8_t*)0x20003001 = 0; *(uint32_t*)0x20003002 = 8; *(uint16_t*)0x20003006 = 0xc0; *(uint16_t*)0x20003008 = 0x20; *(uint32_t*)0x2000300a = 0xf0f; *(uint32_t*)0x20003318 = 0x20003040; *(uint8_t*)0x20003040 = 0x40; *(uint8_t*)0x20003041 = 7; *(uint32_t*)0x20003042 = 2; *(uint16_t*)0x20003046 = 0x400; *(uint32_t*)0x2000331c = 0x20003080; *(uint8_t*)0x20003080 = 0x40; *(uint8_t*)0x20003081 = 9; *(uint32_t*)0x20003082 = 1; *(uint8_t*)0x20003086 = 2; *(uint32_t*)0x20003320 = 0x200030c0; *(uint8_t*)0x200030c0 = 0x40; *(uint8_t*)0x200030c1 = 0xb; *(uint32_t*)0x200030c2 = 2; memcpy((void*)0x200030c6, "\xb7\x23", 2); *(uint32_t*)0x20003324 = 0x20003100; *(uint8_t*)0x20003100 = 0x40; *(uint8_t*)0x20003101 = 0xf; *(uint32_t*)0x20003102 = 2; *(uint16_t*)0x20003106 = 5; *(uint32_t*)0x20003328 = 0x20003140; *(uint8_t*)0x20003140 = 0x40; *(uint8_t*)0x20003141 = 0x13; *(uint32_t*)0x20003142 = 6; memcpy((void*)0x20003146, "\xdd\x8a\x72\xa9\x91\x39", 6); *(uint32_t*)0x2000332c = 0x20003180; *(uint8_t*)0x20003180 = 0x40; *(uint8_t*)0x20003181 = 0x17; *(uint32_t*)0x20003182 = 6; *(uint8_t*)0x20003186 = 0xaa; *(uint8_t*)0x20003187 = 0xaa; *(uint8_t*)0x20003188 = 0xaa; *(uint8_t*)0x20003189 = 0xaa; *(uint8_t*)0x2000318a = 0xaa; *(uint8_t*)0x2000318b = 0xbb; *(uint32_t*)0x20003330 = 0x200031c0; *(uint8_t*)0x200031c0 = 0x40; *(uint8_t*)0x200031c1 = 0x19; *(uint32_t*)0x200031c2 = 2; memcpy((void*)0x200031c6, "\x78\x18", 2); *(uint32_t*)0x20003334 = 0x20003200; *(uint8_t*)0x20003200 = 0x40; *(uint8_t*)0x20003201 = 0x1a; *(uint32_t*)0x20003202 = 2; *(uint16_t*)0x20003206 = 4; 
*(uint32_t*)0x20003338 = 0x20003240; *(uint8_t*)0x20003240 = 0x40; *(uint8_t*)0x20003241 = 0x1c; *(uint32_t*)0x20003242 = 1; *(uint8_t*)0x20003246 = 4; *(uint32_t*)0x2000333c = 0x20003280; *(uint8_t*)0x20003280 = 0x40; *(uint8_t*)0x20003281 = 0x1e; *(uint32_t*)0x20003282 = 1; *(uint8_t*)0x20003286 = 7; *(uint32_t*)0x20003340 = 0x200032c0; *(uint8_t*)0x200032c0 = 0x40; *(uint8_t*)0x200032c1 = 0x21; *(uint32_t*)0x200032c2 = 1; *(uint8_t*)0x200032c6 = 5; syz_usb_control_io(r[14], 0x20002e40, 0x20003300); break; case 38: syz_usb_disconnect(r[13]); break; case 39: *(uint8_t*)0x20003380 = 0x12; *(uint8_t*)0x20003381 = 1; *(uint16_t*)0x20003382 = 0x110; *(uint8_t*)0x20003384 = 2; *(uint8_t*)0x20003385 = 0; *(uint8_t*)0x20003386 = 0; *(uint8_t*)0x20003387 = 0x20; *(uint16_t*)0x20003388 = 0x525; *(uint16_t*)0x2000338a = 0xa4a1; *(uint16_t*)0x2000338c = 0x40; *(uint8_t*)0x2000338e = 1; *(uint8_t*)0x2000338f = 2; *(uint8_t*)0x20003390 = 3; *(uint8_t*)0x20003391 = 1; *(uint8_t*)0x20003392 = 9; *(uint8_t*)0x20003393 = 2; *(uint16_t*)0x20003394 = 0x14e; *(uint8_t*)0x20003396 = 2; *(uint8_t*)0x20003397 = 1; *(uint8_t*)0x20003398 = 0xef; *(uint8_t*)0x20003399 = 0xe0; *(uint8_t*)0x2000339a = 3; *(uint8_t*)0x2000339b = 9; *(uint8_t*)0x2000339c = 4; *(uint8_t*)0x2000339d = 0; *(uint8_t*)0x2000339e = 0; *(uint8_t*)0x2000339f = 1; *(uint8_t*)0x200033a0 = 2; *(uint8_t*)0x200033a1 = 0xd; *(uint8_t*)0x200033a2 = 0; *(uint8_t*)0x200033a3 = 0; *(uint8_t*)0x200033a4 = 6; *(uint8_t*)0x200033a5 = 0x24; *(uint8_t*)0x200033a6 = 6; *(uint8_t*)0x200033a7 = 0; *(uint8_t*)0x200033a8 = 1; memcpy((void*)0x200033a9, "$", 1); *(uint8_t*)0x200033aa = 5; *(uint8_t*)0x200033ab = 0x24; *(uint8_t*)0x200033ac = 0; *(uint16_t*)0x200033ad = 0xad; *(uint8_t*)0x200033af = 0xd; *(uint8_t*)0x200033b0 = 0x24; *(uint8_t*)0x200033b1 = 0xf; *(uint8_t*)0x200033b2 = 1; *(uint32_t*)0x200033b3 = 2; *(uint16_t*)0x200033b7 = 0; *(uint16_t*)0x200033b9 = 1; *(uint8_t*)0x200033bb = 9; *(uint8_t*)0x200033bc = 6; 
*(uint8_t*)0x200033bd = 0x24; *(uint8_t*)0x200033be = 0x1a; *(uint16_t*)0x200033bf = 9; *(uint8_t*)0x200033c1 = 0x20; *(uint8_t*)0x200033c2 = 0xa2; *(uint8_t*)0x200033c3 = 0x24; *(uint8_t*)0x200033c4 = 0x13; *(uint8_t*)0x200033c5 = 1; memcpy((void*)0x200033c6, "\xa0\xaf\xeb\xc2\x94\x23\x7d\xe3\x0b\x4c\x81\xc6\x59\x5f\xba\xf3\x06\x46\xc5\xec\x3d\xd9\x8f\x43\x5d\xf0\x0d\x18\x1c\xc1\x3f\x9b\x0c\x5f\xfa\x84\x15\x49\x98\xbf\x5c\x04\xee\x0f\xd8\x2d\x5f\x4c\xac\xfc\x90\xff\xae\x24\x1b\x84\x0b\x0b\x18\xe2\x10\x7e\x33\x39\x8f\x46\x83\x83\x80\xf8\x4b\x6f\x9f\x22\x62\xe8\x38\xdf\x02\x12\x31\xc9\xf0\xc5\x0d\xc2\xee\xd7\x59\x5e\xb1\xb7\x89\x22\x3f\xc3\x7c\xf3\x4f\x5c\x69\x4a\xaa\xd8\xa8\x18\xc9\x9e\xf4\x41\x79\xbf\x5b\xa4\xb6\x17\xc2\x58\xf7\xdb\x01\xd6\x09\x6c\xcc\x71\xbb\x92\x5e\x31\xb2\xf3\xf1\x00\xbb\x85\x38\xbb\x84\x01\x5a\xf7\xb9\x54\xc8\xfd\xf2\x93\xde\x02\x31\xa4\x91\xd3\x63\x76\xb8\x40", 158); *(uint8_t*)0x20003464 = 0xc; *(uint8_t*)0x20003465 = 0x24; *(uint8_t*)0x20003466 = 0x1b; *(uint16_t*)0x20003467 = 0x340f; *(uint16_t*)0x20003469 = 4; *(uint8_t*)0x2000346b = 5; *(uint8_t*)0x2000346c = 0x40; *(uint16_t*)0x2000346d = 6; *(uint8_t*)0x2000346f = 1; *(uint8_t*)0x20003470 = 4; *(uint8_t*)0x20003471 = 0x24; *(uint8_t*)0x20003472 = 2; *(uint8_t*)0x20003473 = 9; *(uint8_t*)0x20003474 = 0x3f; *(uint8_t*)0x20003475 = 0x24; *(uint8_t*)0x20003476 = 0x13; *(uint8_t*)0x20003477 = 0x40; memcpy((void*)0x20003478, "\x90\x5d\x00\xa5\xa8\xb5\xcd\x53\x11\x8f\x9c\xf9\x03\x3e\xda\x0a\xd8\x8f\xcf\xaf\x66\xe2\xb9\xe3\x59\xe3\x8a\xea\x37\x19\x70\xc8\x64\xd5\x98\x39\x16\xa5\x29\x36\x75\x51\xaa\x24\x7b\xa8\x30\x09\xeb\xb5\x64\x0b\x53\x17\x55\x99\x00\xdd\xb8", 59); *(uint8_t*)0x200034b3 = 9; *(uint8_t*)0x200034b4 = 5; *(uint8_t*)0x200034b5 = 0x81; *(uint8_t*)0x200034b6 = 3; *(uint16_t*)0x200034b7 = 8; *(uint8_t*)0x200034b9 = 0; *(uint8_t*)0x200034ba = 1; *(uint8_t*)0x200034bb = 0xfc; *(uint8_t*)0x200034bc = 9; *(uint8_t*)0x200034bd = 4; *(uint8_t*)0x200034be = 1; *(uint8_t*)0x200034bf = 0; 
*(uint8_t*)0x200034c0 = 0; *(uint8_t*)0x200034c1 = 2; *(uint8_t*)0x200034c2 = 0xd; *(uint8_t*)0x200034c3 = 0; *(uint8_t*)0x200034c4 = 0; *(uint8_t*)0x200034c5 = 9; *(uint8_t*)0x200034c6 = 4; *(uint8_t*)0x200034c7 = 1; *(uint8_t*)0x200034c8 = 1; *(uint8_t*)0x200034c9 = 2; *(uint8_t*)0x200034ca = 2; *(uint8_t*)0x200034cb = 0xd; *(uint8_t*)0x200034cc = 0; *(uint8_t*)0x200034cd = 0; *(uint8_t*)0x200034ce = 9; *(uint8_t*)0x200034cf = 5; *(uint8_t*)0x200034d0 = 0x82; *(uint8_t*)0x200034d1 = 2; *(uint16_t*)0x200034d2 = 0x40; *(uint8_t*)0x200034d4 = 8; *(uint8_t*)0x200034d5 = 0x40; *(uint8_t*)0x200034d6 = 0x81; *(uint8_t*)0x200034d7 = 9; *(uint8_t*)0x200034d8 = 5; *(uint8_t*)0x200034d9 = 3; *(uint8_t*)0x200034da = 2; *(uint16_t*)0x200034db = 0x40; *(uint8_t*)0x200034dd = 5; *(uint8_t*)0x200034de = 0x80; *(uint8_t*)0x200034df = 0x81; *(uint32_t*)0x20003780 = 0xa; *(uint32_t*)0x20003784 = 0x20003500; *(uint8_t*)0x20003500 = 0xa; *(uint8_t*)0x20003501 = 6; *(uint16_t*)0x20003502 = 0x250; *(uint8_t*)0x20003504 = 3; *(uint8_t*)0x20003505 = 2; *(uint8_t*)0x20003506 = 9; *(uint8_t*)0x20003507 = 0x40; *(uint8_t*)0x20003508 = 0x40; *(uint8_t*)0x20003509 = 0; *(uint32_t*)0x20003788 = 0x16; *(uint32_t*)0x2000378c = 0x20003540; *(uint8_t*)0x20003540 = 5; *(uint8_t*)0x20003541 = 0xf; *(uint16_t*)0x20003542 = 0x16; *(uint8_t*)0x20003544 = 2; *(uint8_t*)0x20003545 = 7; *(uint8_t*)0x20003546 = 0x10; *(uint8_t*)0x20003547 = 2; STORE_BY_BITMASK(uint32_t, , 0x20003548, 0x1a, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x20003549, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x20003549, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000354a, 0x87, 0, 16); *(uint8_t*)0x2000354c = 0xa; *(uint8_t*)0x2000354d = 0x10; *(uint8_t*)0x2000354e = 3; *(uint8_t*)0x2000354f = 0; *(uint16_t*)0x20003550 = 8; *(uint8_t*)0x20003552 = 0; *(uint8_t*)0x20003553 = 0x20; *(uint16_t*)0x20003554 = 9; *(uint32_t*)0x20003790 = 5; *(uint32_t*)0x20003794 = 0x54; *(uint32_t*)0x20003798 = 0x20003580; *(uint8_t*)0x20003580 = 0x54; 
*(uint8_t*)0x20003581 = 3; memcpy((void*)0x20003582, "\xa4\x4d\x24\xcd\xf3\xff\xb9\x94\x8f\xaa\xf6\xb3\xc5\x65\x82\x6f\x57\xef\x2b\x5e\x43\xe6\xef\x91\x09\xdc\xaf\x0f\xf5\xf2\x30\xb6\xf5\x2d\x06\xad\xa7\xeb\xdf\xbf\x1c\x55\xe6\x55\x19\x00\xf4\x2f\x90\x4a\xa2\x59\x11\xde\x5d\x64\xd3\xcd\x32\xdb\x26\xb2\xe4\x8c\x15\x0e\xac\xf5\x1a\x16\xdd\xb3\x11\xac\x3d\x44\xb2\x81\xa8\x7d\x1c\x84", 82); *(uint32_t*)0x2000379c = 4; *(uint32_t*)0x200037a0 = 0x20003600; *(uint8_t*)0x20003600 = 4; *(uint8_t*)0x20003601 = 3; *(uint16_t*)0x20003602 = 0x812; *(uint32_t*)0x200037a4 = 4; *(uint32_t*)0x200037a8 = 0x20003640; *(uint8_t*)0x20003640 = 4; *(uint8_t*)0x20003641 = 3; *(uint16_t*)0x20003642 = 0xf0ff; *(uint32_t*)0x200037ac = 0xc0; *(uint32_t*)0x200037b0 = 0x20003680; *(uint8_t*)0x20003680 = 0xc0; *(uint8_t*)0x20003681 = 3; memcpy((void*)0x20003682, "\x6f\x06\x9d\x79\xea\x95\x2b\x38\x80\x02\x7d\x52\x43\xd8\x4a\xef\xe2\xbd\x1c\xf6\x41\xda\x9e\xe2\x90\x78\x02\x32\x46\x10\x26\xc5\xa5\x35\xae\x62\x14\xa8\xb6\xfd\x61\x12\xf3\x68\x08\x5c\x5c\xca\x57\xb8\x48\x46\xbd\xd7\x65\x3f\x32\x51\x20\xcc\x01\x27\x4c\x27\x93\x0a\x93\x4c\x28\x50\x05\x8a\x34\x58\x87\x78\xf4\xae\x02\x55\xb9\x6f\xcb\x45\x73\xf4\xc4\x75\xfa\xe5\x37\x03\xef\x82\xd7\x85\xec\xe9\x6a\xdf\x02\xef\xc2\x10\xe2\x6f\xa9\x52\x31\x11\x51\x9c\xb0\x37\xb5\xae\xbb\xca\xb0\xe1\x2d\x22\x83\x30\xeb\x46\x6c\xef\xbc\x0a\x21\x98\x4a\x6f\xd8\x65\x72\x06\xb2\x0d\x98\x2f\x65\xc7\x09\xba\x3c\x63\x20\xf1\x06\x6d\xda\x59\x2f\xda\xd1\x4a\x8c\x70\x0c\xf1\xf5\x26\x6f\x47\xfa\x42\xaa\x88\x0b\x9a\xa0\x26\x7c\xf5\x3c\x96\x91\xf4\xfa\x0d\x4e\x05\x9a\x6a\xdc\x27\xda\x67", 190); *(uint32_t*)0x200037b4 = 4; *(uint32_t*)0x200037b8 = 0x20003740; *(uint8_t*)0x20003740 = 4; *(uint8_t*)0x20003741 = 3; *(uint16_t*)0x20003742 = 0xc0a; res = -1; res = syz_usb_connect(0xcabe03ec, 0x160, 0x20003380, 0x20003780); if (res != -1) r[15] = res; break; case 40: syz_usb_ep_read(r[15], 7, 0xe4, 0x200037c0); break; case 41: *(uint8_t*)0x200038c0 = 0x12; *(uint8_t*)0x200038c1 = 
1; *(uint16_t*)0x200038c2 = 0x200; *(uint8_t*)0x200038c4 = -1; *(uint8_t*)0x200038c5 = -1; *(uint8_t*)0x200038c6 = -1; *(uint8_t*)0x200038c7 = 0x40; *(uint16_t*)0x200038c8 = 0xcf3; *(uint16_t*)0x200038ca = 0x9271; *(uint16_t*)0x200038cc = 0x108; *(uint8_t*)0x200038ce = 1; *(uint8_t*)0x200038cf = 2; *(uint8_t*)0x200038d0 = 3; *(uint8_t*)0x200038d1 = 1; *(uint8_t*)0x200038d2 = 9; *(uint8_t*)0x200038d3 = 2; *(uint16_t*)0x200038d4 = 0x48; *(uint8_t*)0x200038d6 = 1; *(uint8_t*)0x200038d7 = 1; *(uint8_t*)0x200038d8 = 0; *(uint8_t*)0x200038d9 = 0x80; *(uint8_t*)0x200038da = 0xfa; *(uint8_t*)0x200038db = 9; *(uint8_t*)0x200038dc = 4; *(uint8_t*)0x200038dd = 0; *(uint8_t*)0x200038de = 0; *(uint8_t*)0x200038df = 6; *(uint8_t*)0x200038e0 = -1; *(uint8_t*)0x200038e1 = 0; *(uint8_t*)0x200038e2 = 0; *(uint8_t*)0x200038e3 = 0; *(uint8_t*)0x200038e4 = 9; *(uint8_t*)0x200038e5 = 5; *(uint8_t*)0x200038e6 = 1; *(uint8_t*)0x200038e7 = 2; *(uint16_t*)0x200038e8 = 0x200; *(uint8_t*)0x200038ea = 0; *(uint8_t*)0x200038eb = 0; *(uint8_t*)0x200038ec = 0; *(uint8_t*)0x200038ed = 9; *(uint8_t*)0x200038ee = 5; *(uint8_t*)0x200038ef = 0x82; *(uint8_t*)0x200038f0 = 2; *(uint16_t*)0x200038f1 = 0x200; *(uint8_t*)0x200038f3 = 0; *(uint8_t*)0x200038f4 = 0; *(uint8_t*)0x200038f5 = 0; *(uint8_t*)0x200038f6 = 9; *(uint8_t*)0x200038f7 = 5; *(uint8_t*)0x200038f8 = 0x83; *(uint8_t*)0x200038f9 = 3; *(uint16_t*)0x200038fa = 0x40; *(uint8_t*)0x200038fc = 1; *(uint8_t*)0x200038fd = 0; *(uint8_t*)0x200038fe = 0; *(uint8_t*)0x200038ff = 9; *(uint8_t*)0x20003900 = 5; *(uint8_t*)0x20003901 = 4; *(uint8_t*)0x20003902 = 3; *(uint16_t*)0x20003903 = 0x40; *(uint8_t*)0x20003905 = 1; *(uint8_t*)0x20003906 = 0; *(uint8_t*)0x20003907 = 0; *(uint8_t*)0x20003908 = 9; *(uint8_t*)0x20003909 = 5; *(uint8_t*)0x2000390a = 5; *(uint8_t*)0x2000390b = 2; *(uint16_t*)0x2000390c = 0x200; *(uint8_t*)0x2000390e = 0; *(uint8_t*)0x2000390f = 0; *(uint8_t*)0x20003910 = 0; *(uint8_t*)0x20003911 = 9; *(uint8_t*)0x20003912 = 5; 
*(uint8_t*)0x20003913 = 6; *(uint8_t*)0x20003914 = 2; *(uint16_t*)0x20003915 = 0x200; *(uint8_t*)0x20003917 = 0; *(uint8_t*)0x20003918 = 0; *(uint8_t*)0x20003919 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200038c0, 0); if (res != -1) r[16] = res; break; case 42: memcpy((void*)0x20003940, "\x03\x38\xf2\xa1\xa6\x94\x91\x50\xd9\x50\xa2\x00\xb9\x7f\x82\x07\x00\x40\x2b\x58\xfe\xc9\x4c\x39\xa0\x05\xf5\x38\x68\x85\x99\x19\x97\x96\x0b\x31\x65\xc9\xdd\x03\x23\xfa\xf9\xa6\x9d\x00\x72\x59\x16\xfa\x7f\xb5\xa9\xbb\x1f\x47\xb1\x98\x29\xca\x09\x1f\x88\xc0\x99\x9a\x2e\x18\x7f\x62\x37\xab\x2c\x7e\xae\x85\x92\x3f\xa9\x63\x6d\xc2\x66\x07\x6f\x2a\xe7\xb5\x2c\x1f\x18\x7c\xe6\x28\x71\xc2\xf0\x5b\xbf\x9d\x9a\x25\xfd\x16\xff\x38\x33\x38\x70\x73\xe6\x96\x81\xb2\x43\xe8\x14\xb2\x54\x9f\x03\x2a\xa5\xb8\xdd\x2e\x2d\x64\xdf\x2e\x69\xd3\x57\xbc\x2c\x32\xb8\xfb\xd9\x0f\x8a\x16\x38\xb3\x13\x90\xbe\x5a\x61\xee\x6e\xe7\x0e\x3a\x20\x27\xe1\x46\x8d\x5f\x3f\xa2\x34\xf4\x46\x2a\x56\xd7\xe4\x2c\xe2\x9c\x52\xcc\xf5\xcd\x76\x35\x90\xa4\x26\xb8\xa0\x6e\x22\x6f\xfa\x45\x68\xc2\xce\x31\xa5\x4d\x74\xca\x6f\x67\xe6\x70\x85\x2c", 202); syz_usb_ep_write(r[16], -1, 0xca, 0x20003940); break; } } /* Entry point of the generated program: maps the fixed address range that the hard-coded 0x2000xxxx pointers in the switch cases write to, then calls use_temporary_dir() and do_sandbox_none(). */ int main(void) { /* One page directly below the data region (0x1ffff000 + 0x1000 = 0x20000000), prot 0 = PROT_NONE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux, fd -1, offset 0. */ syscall(__NR_mmap, 0x1ffff000, 0x1000, 0, 0x32, -1, 0); /* Data region: 0x1000000 bytes (16 MiB) at 0x20000000 with prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC, so bytes the program stores there are also executable. */ syscall(__NR_mmap, 0x20000000, 0x1000000, 7, 0x32, -1, 0); /* One page directly above the data region (0x20000000 + 0x1000000 = 0x21000000), again PROT_NONE; together with the page below it, an access running off either end of the region faults. */ syscall(__NR_mmap, 0x21000000, 0x1000, 0, 0x32, -1, 0); /* Both helpers are defined outside this excerpt; presumably they correspond to UseTmpDir:true and Sandbox:none in the logged opts - confirm against the full generated source. */ use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :476:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor981083152 -DGOOS_linux=1 -DGOARCH_386=1 -DHOSTGOOS_linux=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -Wno-overflow] --- FAIL: TestGenerate/linux/386/5 (0.39s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 
Procs:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$BLKROGET(0xffffffffffffffff, 0x125e, &(0x7f0000000000)) r0 = openat$nullb(0xffffff9c, &(0x7f0000000040)='/dev/nullb0\x00', 0x80000, 0x0) ioctl$BLKTRACESETUP(r0, 0xc0401273, &(0x7f0000000080)={[], 0x6, 0x4, 0x400, 0x0, 0x5f}) socketpair(0x21, 0x3, 0x4, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140)='l2tp\x00') sendmsg$L2TP_CMD_NOOP(r1, &(0x7f0000000200)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x24, r3, 0x4, 0x70bd28, 0x25dfdbfb, {}, [@L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0x1}]}, 0x24}, 0x1, 0x0, 0x0, 0x20000000}, 0x8000) getsockopt$inet_sctp_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000000240)={0x0, 0x5, 0x0, 0x2}, &(0x7f0000000280)=0x10) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(r2, 0x84, 0x7b, &(0x7f00000002c0)={r4, 0x2}, 0x8) getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000340)=0x4) write$capi20_data(0xffffffffffffffff, &(0x7f00000003c0)={{0x10, 0x3, 0x41, 0x83, 0x0, 0x401}, 0x43, "4a8e60634e3a9ebf0988474a70cdc44c935e71dca8a36e9f7339b733e7fdfa26d1763f8e1fc18c23484ff71c6ea76bf1db3e46cf80380322d296fbf193c54d4949ccdb"}, 0x55) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000000)='bpf_lsm_post_notification\x00') syz_emit_ethernet(0x56, &(0x7f0000000040)={@multicast, @empty, @void, {@canfd={0xd, {{0x4, 0x0, 0x0, 0x1}, 0x23, 0x0, 0x0, 0x0, "90a4412ed481e39ec0787cae083fac93b90daa7595dc554b0d6fb720a6009835c929d9566687939954d14f0376d39039885d4b349e57791c3b2884b67a568716"}}}}, &(0x7f00000000c0)={0x1, 0x1, [0x4a, 0x2e7, 0x6f0, 0x1aa]}) 
syz_emit_vhci(&(0x7f0000000100)=@HCI_SCODATA_PKT={0x3, {0xc9, 0x56}, "af8c56ab2959dc534cc868e4b42b05a0de86bb45fd2bf9e32d58e9ad1fb7be75adc1e7aaa52319456531631ede47c2919bcdb3bafdaf560bf2a9ca3a75fa34d07026b7302dc391f9554e50cfc7f731c09f1c71262df3"}, 0x5a) syz_execute_func(&(0x7f0000000180)="c4c16f10fa660f65642a10c4e1fa70effbc4c37d096a42fec4e1416a5200f3abc4c1ccc6e474360f8fb8000000af0ffe98f0ffffff") syz_extract_tcp_res(&(0x7f00000001c0), 0x2, 0x7f) syz_genetlink_get_family_id$SEG6(&(0x7f0000000200)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x5, 0xcb) r5 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xc, 0x800, 0xffffffffffffffff, 0x8000000) r6 = syz_io_uring_complete(r5) r7 = io_uring_setup(0xc43, &(0x7f0000000240)={0x0, 0xab13, 0x10, 0x0, 0x375}) syz_io_uring_setup(0x4759, &(0x7f00000002c0)={0x0, 0x3caa, 0x8, 0x3, 0x347, 0x0, r7}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000000340), &(0x7f0000000380)) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0xe, 0x3, 0xffffffffffffffff, 0x8000000) r9 = mmap$IORING_OFF_SQES(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x4000000, 0x20, r6, 0x10000000) syz_io_uring_submit(r8, r9, &(0x7f00000003c0)=@IORING_OP_WRITE_FIXED={0x5, 0x4, 0x2007, @fd_index=0x6, 0x3, 0x4, 0x4, 0xe, 0x1}, 0x80) r10 = openat$selinux_checkreqprot(0xffffff9c, &(0x7f0000000400)='/selinux/checkreqprot\x00', 0x2000, 0x0) syz_kvm_setup_cpu$arm64(r6, r10, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000480)=[{0x0, &(0x7f0000000440)="1f53955cb3cecd2039609cfce532927f02de615e5e7716c374705f59102e00754dbaa369c6c1a1c2f4c530c3af81e8fe5609", 0x32}], 0x1, 0x0, &(0x7f00000004c0), 0x1) syz_io_uring_setup(0x7424, &(0x7f0000000500)={0x0, 0xe518, 0x10, 0x1, 0x3a5}, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000ff6000/0x4000)=nil, &(0x7f0000000580)=0x0, &(0x7f00000005c0)) syz_memcpy_off$IO_URING_METADATA_FLAGS(r11, 0x114, &(0x7f0000000600)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f0000000640)='afs\x00', &(0x7f0000000680)='./file0\x00', 
0x4, 0x2, &(0x7f0000000800)=[{&(0x7f00000006c0)="d632c19b", 0x4, 0xffff}, {&(0x7f0000000700)="3fe8370cede52efac054241da1ef6234cdc7766d9ceee05c36775d234a8f0259a880131689775a49e1c5d81ee5eed42da022a3c9b9d439ae779990d04cf551c084c093744e79ca6a4827d8c603053d29714d839363cf49add7d7323c0619a99cef609fc47e56c66630ec7973bffed214d451f064f36e3597506a51adfd6b0d61fdcdf2bfcb31b2c6c44c279ccdb6902891daf75e663f5942ea7682fbfd3e7369a9fe16f372476efb281aaad4bfe7e610e963629461e9033caf00d62a109d004b935b9079bd3df5be94a0fa1e1977f552baa492ba31e2ec4bf310c814dc753297", 0xe0, 0x4c}], 0x201000, &(0x7f0000000840)={[{@source={'source', 0x3d, 'SEG6\x00'}}, {@flock_strict='flock=strict'}, {@flock_strict='flock=strict'}, {@flock_local='flock=local'}, {@autocell='autocell'}, {@flock_openafs='flock=openafs'}], [{@measure='measure'}, {@subj_user={'subj_user', 0x3d, '$F!%[#&+-}^}'}}]}) syz_open_dev$I2C(&(0x7f00000008c0)='/dev/i2c-#\x00', 0x9a7, 0x60100) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000900)=0x0) syz_open_procfs(r12, &(0x7f0000000940)='net/ip6_mr_vif\x00') syz_open_pts(r6, 0x402000) syz_read_part_table(0x44, 0x5, &(0x7f0000001c80)=[{&(0x7f0000000980)="947bdd1338b6b9fdc7eec2776433191f827266cfa94bbf64cff83a00d975009f3b2738ac7067019447d693a3534dae5d3bf03b17d7a2bc093d2ab01fb079d13e4ca08ab23918a3fac50a48c32b4ba2170957d20cb4a4f731d660e88f40c30c3c40d41ff3ff7134dceb66b113b5c1bba630a7ee5cd68ab59e69f8c89530e4cac7f615dd3fadc7940d23b069d62b7ccf4149881045", 0x94, 0x7e}, {&(0x7f0000000a40)="3bece5e4b00d1aa5c6455d8ffddd35571382304733f47e93ba01d0220d3452425aa4a35a16adc96a1c87d3c09121df1c8aef26c20358a153a0ef1959f69c689acd2751f428f241c2decf4cd9a3b109e66b310fb1011f65329bef953ae02cf9db6133619b5bfa07a6e13251278da93de82635bcdd7640b6311da58d2a681065401d0753cef90bf7a0f541112453b9ce7527efcb09834f1073736d3ebdb9241736b61df70a13c76e54ddbc65a52d8a4fe42ed097a57c8d0426f916750e9a5c38281fbad7ae59c223bab1100592d42eda4e0bf4bf030420478fcd28c4057d41a9721b0014e91a1e7058d4c9290812f6de", 0xef, 0x800}, 
{&(0x7f0000000b40)="6daf7a1e0d14cb6b8c65d37ef988e670ca88b1", 0x13}, {&(0x7f0000000b80)="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", 0x1000, 0xffffffff}, {&(0x7f0000001b80)="e0c6c9c01afb3e83241204cd6942a5f5b38dedc4871fea150ddbcb8c14ce515fa1fc5f1fb3ec606649a162c4e52ec328eb3565fb84abdf8b408d744ee19c67cce54acad1c6aa75a3f97f94267476e702bbe065e67188c3c826d4414e46695d71c9e24a31faf7fc28297092503bb10adb27fcb197438efe3605101abc127fda303e63a7423ef1693f6c005763fdf8b18e10a5a9fa34b3c00eced1f75bada7d26160aedf2758bf603b0c5890682884eb55b2760b3b7b9614b6bd1ddef9e9cc1df20892063f1ea058a4", 0xc8, 0x81}]) r13 = syz_usb_connect(0x4, 0x882, &(0x7f0000001cc0)={{0x12, 0x1, 0x310, 0xae, 0x73, 0xca, 0x40, 0x1740, 0x602, 0xfa57, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x870, 0x2, 0x7f, 0x90, 0x120, 0x3f, [{{0x9, 0x4, 0x86, 0x7f, 0xa, 0xf7, 0xf9, 0xf2, 0x7f, [@generic={0xd1, 0xb, "26e13a65ceb2c160694440c6e4b5d5107cd6f6eddf5f0f8f938606e7a789786c097626762da7881a4e46ee512ce1ce83d03ee01e8a390d4fe48a1a166b122a244f7e8453fe584352cdc748ded1737c61ffbc1f9f18441c5d61f5493a88bfea7776762bbf8a206eeca2f45c1f7aa6d15fb464cd1caf6a432babfc01bb86b1297b128997426c1a5a86533cb2c029f50b1c5b0b88719f7c78217d2bec910ff906b43860025e140fbad2bc0a91e23e65c5c8fefd91d0459c590e1f4bac91eac023ef5f1a248245df0d7c1276df72d955c6"}, @cdc_ncm={{0x6, 0x24, 0x6, 0x0, 0x1, '8'}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x5, 0x5, 0x80}, {0x6, 0x24, 0x1a, 0x1, 0x14}, [@mdlm_detail={0x2b, 0x24, 0x13, 0xff, "8daa8e5cf59bef8c76ec7535d63fe2dc7686321afbd729f4d17d62a21b6f2b39495657220bc5d7"}, @mdlm_detail={0xa3, 0x24, 0x13, 0x3, "0bafa7ba56f9be68f7dafffabe7b7950e7f2b1efd530ab53da306650ae48618251bc41fe39065bb50d65f15e926fdb88acb4e7957bff5d5469ee741f51c117d8f0a4b9e497d8d85a58a425855da041d91bfe4cd20f11f6c7d3813027cd74921dbeb6e2015c4133a29832b2b9d342304dd6b709daeaea5f761d8c06f52edda9f2529ac51a96fab9bb2826cc63fcce0f174de2c5778a4d83f3eecfdb29635b60"}, @call_mgmt={0x5, 0x24, 0x1, 0x2, 0x9}, @mdlm={0x15, 0x24, 0x12, 0xc9}, @dmm={0x7, 0x24, 
0x14, 0x8, 0x2}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x9, 0xeb, 0x1}]}], [{{0x9, 0x5, 0xe, 0x3, 0x400, 0xff, 0xf9, 0x20, [@generic={0x62, 0x22, "ecb3f2dd3048124fa1f639e7d99ab0903f7f551fbd28202bcaa038827262defd524b84d6778f83c751047ea1677d46229ac33b02db6865c9670bc47629020545fbf367e128c7e78e05972cd432ddc729863972a9559b806063550b9bb7992b0c"}, @generic={0xed, 0x21, "1c17fa34cf248a11740cae13b99062cf651bd3663bdf349afedd777e6ca509687c7308b2bd8a56d936cef72c17609c2cc7b825f122864f3e79a0f9563cecf3a2dea2dac5e4d83e7749cfb2a971e0f2a257ee5e91279d0dedf7aab353955c32bcab16d821c1868f655e7f503ece52acfb7c3070097b164ed6223eb6c1839fdc5cc6f1a92ebda8ad2a9e74f746cf37704a6c73076189ee3890b3a1c5cdb8076adec9bb4e53a65b09bc52a75250eb89e2407ee0d0d39a0bd925c00a5fd0f34ad2af88bf3b270fe94e5432288a66b3ee15b6e24ddca89639faa9c4b532663b24bfbdeb73d09b8f77f76fec507a"}]}}, {{0x9, 0x5, 0xe, 0x0, 0x58, 0x4, 0x0, 0x2}}, {{0x9, 0x5, 0x6, 0x8, 0x40, 0x40, 0x3, 0x18}}, {{0x9, 0x5, 0xb, 0xc, 0x200, 0xff, 0x47, 0x0, [@generic={0x6e, 0x24, "fc8886eca12dc85960c8497c87132b79fea0e2313e4e855671316f1c7a42b78b2be24c0cdd6af9de41a7fb57fe0a3ca6fe67191ce31165dc048245ba74c886d12b8accb001eee230dc1d7981e4d6ea3d52fdc1fd159f71fc18bfca51297b2348c777a86b16c07657793c9b75"}]}}, {{0x9, 0x5, 0x7, 0x10, 0x20, 0x1, 0x4, 0x4, [@generic={0x8, 0x23, "ad6e68323124"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3f, 0x400}]}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0xff, 0x4, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x200}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x7, 0x4}]}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0xcc, 0x8, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x7, 0x3f}, @generic={0x59, 0x11, "faada80932b10432ca81a63c83dd9f54a4051086ef07b6c9661ef8ec125683d5fcada3a346d08f6d44178fd1ce94f1a6921d2fd14a88d43a8051e18edaa3980645fa17123ca6c783b8b2c3b666956f52b183652992d6f5"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x1, 0x3f}}, {{0x9, 0x5, 0x4, 0x1, 0x0, 0x81, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xfd, 0x3e}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8000}]}}, {{0x9, 0x5, 0x7, 0x4, 
0x200, 0x4, 0x7, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0x3f}]}}]}}, {{0x9, 0x4, 0x7d, 0xb6, 0x8, 0xe6, 0x75, 0xe1, 0xf9, [@generic={0x3d, 0x23, "0150ffae83df22d1d4dbd82454e66033463c3935e3d0c9fc2ea4661f7310c2e0b0acedd17e99cf960ede09c19eda6bfda699d8eacc2aba4acc34d4"}, @generic={0xc5, 0x1, "57fa93981a0686e512236511f17e4ec2dab7bd005c64fd896f9494ca0597583b239ddd29c3796c4ad669281440da422e6796877a9f123e343935d90dfe06ddfc99deedf24006031d9a2ef4b552629255bf0e7a4d5dd3bc80b266081141bde1b1a86e4ffd857000deeae82fb1850696ef2167c34ad97f91c14ac78ecb893d01ffa98e3c2dfda9adb762b9a9da03c6c60ed957fb494d1c960f7c707494bd984a0a582603fb87248aeeafc1b6005f79835b38b2eaa88653bc93427a33b0763ea36fcd987c"}], [{{0x9, 0x5, 0x3, 0x0, 0x40, 0x4, 0x7f, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x5}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x5}]}}, {{0x9, 0x5, 0x80, 0x10, 0x1ef, 0x1, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0x10, 0x10, 0x1f, 0x20, 0x0, [@generic={0xb3, 0x21, "95d3405d4d7a6dc896d90c4918b141315c1ae54b0882c4e0e3cc266e04178f9ae737260ac64b619ddf039568181bf92dd639ec49a0b1c9838b4cbbb2fbe6ca7be9bc84b77177867bb973d8c5eba1b49131bd10f645cffc3dd8ea462f4ba965f70a014bf1abe9269663634dad8baf99386d8b431912e4ddfcd1156c5ffeab207ca35f22f5c01673470deea1da6aaffcf0bba9a8e455420f053b28e404fea6261d36c07f7221c4986b6b122ccdf858f481ba"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7f, 0x5}]}}, {{0x9, 0x5, 0xc, 0x2, 0x200, 0x0, 0x6, 0x2, [@generic={0xaf, 0x6c08a2ddac8d29c1, "1449f06f8161d8159f42fb347eaa323cf3eb20fd5e501006d2e40a157da833536fb0b322436591a2bd1d2fe04e169858e11387ce1cbe1f6c7dc332afaadcc002c5832044e056950399e29431407349a8a47525164b4e6cd141303908186754e0282c6995c980f5e7d4f3c881c6b91d955e6ac681bd9073f4e05706f3c312d005bf1c5910956bf99553bba7b4ecb3f35ffbe7ab0763423796bb601e3f047a6581d52fb67c62d6b7278c76aab9a5"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x400, 0x5, 0x1, 0x6, [@generic={0xf1, 0x11, 
"25bf1f90f600dc8eae5954fb3ec4f488a926149d9893ca2b2900e245f0537432b7eccd35a0f33fe871eb0d1744d8058f6d67f7e1b97f3ef4e5fd8ac9d37d374905661c579d63d9bd3ed5cd30d99ef395e47c9e0f1b7f712016403434821baace41ad73ef6b84c1a41af5cbb6c2f65462a6ed32242c9d51da9915862860c22140f606601cfd82e5151e1db45092fecd653293f56c65b346e5deaf140950a0ac4a487e3bfa4f9ad35eeff8899bc2230798022600a08d06a9243611b421d90f1b53ca9f002636036f1125eda3dedaf6793fc098c6af9dcc5a538fe937572b4d1b174b58ba033714d19ef1085f663e5cd1"}]}}, {{0x9, 0x5, 0x5, 0x8, 0x400, 0x44, 0x1, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x85, 0x9b, 0x100}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x10, 0x20, 0x2, 0x4, 0x3}}, {{0x9, 0x5, 0x1, 0x0, 0x40, 0x80, 0x7, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x6, 0x8}]}}]}}]}}]}}, &(0x7f0000002840)={0xa, &(0x7f0000002580)={0xa, 0x6, 0xe5207157b6f35098, 0xfc, 0x1f, 0x0, 0x10, 0xe4}, 0xf5, &(0x7f00000025c0)={0x5, 0xf, 0xf5, 0x4, [@ext_cap={0x7, 0x10, 0x2, 0x0, 0x2, 0x4, 0xffff}, @ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x4, 0xf0f, 0x77e, [0xc000, 0x30, 0x0, 0x0]}, @ssp_cap={0x1c, 0x10, 0xa, 0x1, 0x4, 0x79ea, 0xf000, 0x4, [0xc0cf, 0xff3f3f, 0xffc05f, 0xff0000]}, @generic={0xb1, 0x10, 0x3, "c5bb0201c82e60fa0a8b07bbcefbe138079838cbf13161f69ec170637e6c504f0df58710112f2459c50df85c73a143e18fd846a786add8a359c882c3c6038f90c49ca63e13455794d759244a2bd1ee5a203cef62acd32e97d15afe1d47ad5c5234ca6fea0c022184578647d69bce06bc22d5deae21baaf870c3c6e9021211fda07e73607e16461e22526a70ab2e21f89d1b1a95215c644ee7b4b97d342f06cca75c17eaf3d1f578bec9e1b554c49"}]}, 0x4, [{0x4, &(0x7f00000026c0)=@lang_id={0x4, 0x3, 0x430}}, {0x4, &(0x7f0000002700)=@lang_id={0x4, 0x3, 0x240a}}, {0x4, &(0x7f0000002740)=@lang_id={0x4, 0x3, 0x458}}, {0xb1, &(0x7f0000002780)=@string={0xb1, 0x3, 
"2273bdc46b60f928123492096f1a60522067ca30229e521876bc2304c320596fd25f10254b5c9da57377738bccfbbc37f27f541833a2dfa06b929d0d3744ff77d9330d5a63e4bb268ce29e81de86de6cbbec22f151e7fa25d2ba9ead8f62d5eac2d6424465b3cb6481dbf50df043e68b8d133e27b4ae1c9ccf8a81027b656d442bbcbe5cfccd0c0ca38b73356ed5c37ea0894697ea5b37db2f607d4e958cf97848ef24eee817f96503650d0f3babcf"}}]}) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000002880)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r14 = syz_usb_connect$uac1(0x1, 0x100, &(0x7f0000002900)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xee, 0x3, 0x1, 0x6, 0x20, 0x1, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0xace, 0x2}, [@extension_unit={0x7, 0x24, 0x8, 0x5, 0x2, 0x5}, @extension_unit={0x7, 0x24, 0x8, 0x6, 0xffff, 0x30}, @mixer_unit={0xa, 0x24, 0x4, 0x4, 0x40, "7da3b2b272"}, @extension_unit={0x9, 0x24, 0x8, 0x5, 0x0, 0x40, '\tD'}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x11, 0x24, 0x2, 0x2, 0x1000, 0x6, 0x9, "94aa0cfea6a4c098"}, @as_header={0x7, 0x24, 0x1, 0xf7, 0xc1, 0x4}, @format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x3f, 0x2, 0xae, 0x7, "5b6fe7b19551"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0xfff8, 0x56d, 0x1f, "518f29b920"}, @format_type_ii_discrete={0xe, 0x24, 0x2, 0x2, 0x4, 0x0, 0x80, "3f5e8aa3ac"}]}, {{0x9, 0x5, 0x1, 0x9, 0x10, 0x9c, 0x7, 0x6, {0x7, 0x25, 0x1, 0x0, 0x44, 0xff8a}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x7, 0x4, 0xf7, 0xf8, 'H]'}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x7, 0x1, 0xff, 0x72, "5c5ae72e12"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x3, 0x4, 0x3, 0x1, "fa23a4", 'q3'}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x71, 0x2, 0x0, 0x6}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x7f, 0x7f, 0x7f, {0x7, 0x25, 0x1, 0x2, 0x1, 0x8}}}}}}}]}}, 
&(0x7f0000002b80)={0xa, &(0x7f0000002a00)={0xa, 0x6, 0x300, 0x7f, 0x5d, 0x5c, 0x40}, 0x31, &(0x7f0000002a40)={0x5, 0xf, 0x31, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x20, 0x1, 0x2, 0x40}, @ssp_cap={0xc, 0x10, 0xa, 0x4, 0x0, 0xd3f, 0xf000, 0x8}, @wireless={0xb, 0x10, 0x1, 0xc, 0x80, 0x2, 0x5, 0x4, 0x2}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x6, 0x0, 0xff, 0x7f}]}, 0x4, [{0x4, &(0x7f0000002a80)=@lang_id={0x4, 0x3, 0x40f}}, {0x4, &(0x7f0000002ac0)=@lang_id={0x4, 0x3, 0xc35}}, {0x2b, &(0x7f0000002b00)=@string={0x2b, 0x3, "a28e84c0cf02c07c3c0da8294506556d633c7a735bfb75cd80afc6ade8e4b580103ced6d9c87a5fe77"}}, {0x4, &(0x7f0000002b40)=@lang_id={0x4, 0x3, 0xf8ff}}]}) syz_usb_control_io(r14, &(0x7f0000002e40)={0x18, &(0x7f0000002bc0)={0x0, 0x22, 0xb9, {0xb9, 0xa, "83cf6e9b942d8a47074ac2e802b48378ecdca7956db2727b857b60f4e9d0c69e1c9a9aceb61cf17cc77167923b84e23372c5cf40cf1bbb7493e500b7effaf1b204ee034be11099e51567a87ae0bde210da92124d04a73a14dbd600dedd920953c472eda1ba46dbbb1ec474c8794849124dcf32d5c15fb14397b13c3d3c11a7a607c6b6d557c2806d9c2783bc1ef56c967bde90ce4a421361167c1a74c6527285ce425ea498884d7cc9ef76526a46a1c4360768980b39b3"}}, &(0x7f0000002c80)={0x0, 0x3, 0xd7, @string={0xd7, 0x3, "61168f700d1787de19d3e86fb3ac5e964cc5ede873351ca262cc8fc599651431c76dbad02dd835f0da83a5347cc21fc4f504b23bb32a7a67713db4480611e6e2eca4f0b498f700355db68df7d5cf46ba2b036090af695a7596b7d242b462bcf6e2091fb83248fe2a1c48dbcdb07c9666037d121b6893dcb945bdd7cf14075f805302a45fbb62652bd693b3240b5c6a76f690cdc9221579ec71dd253ca4250144e1160bc039ad44f6d51c96ad950c872cf626b0d559e81c0bec934cb32325dbb9ce8f5d0d943020b4a0795c1f2774e2207d0be8aa41"}}, &(0x7f0000002d80)={0x0, 0xf, 0xc, {0x5, 0xf, 0xc, 0x1, [@ext_cap={0x7, 0x10, 0x2, 0x10, 0x2, 0x5, 0x2}]}}, &(0x7f0000002dc0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x3, 0x8, 0x40, 0x7f, "77bc7738", "f1db003c"}}, &(0x7f0000002e00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x1, 0x10, 0x0, 0x20, 0x8, 0x3ec, 0xffff}}}, &(0x7f0000003300)={0x44, &(0x7f0000002e80)={0x20, 0x12, 0x7c, 
"bc67b786ae12c3f7c6dbb8560d2b242194c2199afa19d2b42b1a0c8a11e1a5ef146f395c3613f4dfeadda7c24b506d5b32a6a3f9a0eac98a935e647a1c838d4e09d530635f43358b5b10c5f04bc63b3bf96b5234359d4ead9d51217e65c9b0509990b00d1afb242c87660d04f9648ff79ce143b1a948981c28f50171"}, &(0x7f0000002f40)={0x0, 0xa, 0x1, 0x4c}, &(0x7f0000002f80)={0x0, 0x8, 0x1, 0x1}, &(0x7f0000002fc0)={0x20, 0x0, 0x4, {0x1, 0x3}}, &(0x7f0000003000)={0x20, 0x0, 0x8, {0xc0, 0x20, [0xf0f]}}, &(0x7f0000003040)={0x40, 0x7, 0x2, 0x400}, &(0x7f0000003080)={0x40, 0x9, 0x1, 0x2}, &(0x7f00000030c0)={0x40, 0xb, 0x2, "b723"}, &(0x7f0000003100)={0x40, 0xf, 0x2, 0x5}, &(0x7f0000003140)={0x40, 0x13, 0x6, @random="dd8a72a99139"}, &(0x7f0000003180)={0x40, 0x17, 0x6, @remote}, &(0x7f00000031c0)={0x40, 0x19, 0x2, "7818"}, &(0x7f0000003200)={0x40, 0x1a, 0x2, 0x4}, &(0x7f0000003240)={0x40, 0x1c, 0x1, 0x4}, &(0x7f0000003280)={0x40, 0x1e, 0x1, 0x7}, &(0x7f00000032c0)={0x40, 0x21, 0x1, 0x5}}) syz_usb_disconnect(r13) r15 = syz_usb_connect$cdc_ncm(0xb40375e9cabe03ec, 0x160, &(0x7f0000003380)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x14e, 0x2, 0x1, 0xef, 0xe0, 0x3, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x6, 0x24, 0x6, 0x0, 0x1, '$'}, {0x5, 0x24, 0x0, 0xad}, {0xd, 0x24, 0xf, 0x1, 0x2, 0x0, 0x1, 0x9}, {0x6, 0x24, 0x1a, 0x9, 0x20}, [@mdlm_detail={0xa2, 0x24, 0x13, 0x1, "a0afebc294237de30b4c81c6595fbaf30646c5ec3dd98f435df00d181cc13f9b0c5ffa84154998bf5c04ee0fd82d5f4cacfc90ffae241b840b0b18e2107e33398f46838380f84b6f9f2262e838df021231c9f0c50dc2eed7595eb1b789223fc37cf34f5c694aaad8a818c99ef44179bf5ba4b617c258f7db01d6096ccc71bb925e31b2f3f100bb8538bb84015af7b954c8fdf293de0231a491d36376b840"}, @mbim={0xc, 0x24, 0x1b, 0x340f, 0x4, 0x5, 0x40, 0x6, 0x1}, @acm={0x4, 0x24, 0x2, 0x9}, @mdlm_detail={0x3f, 0x24, 0x13, 0x40, "905d00a5a8b5cd53118f9cf9033eda0ad88fcfaf66e2b9e359e38aea371970c864d5983916a529367551aa247ba83009ebb5640b5317559900ddb8"}]}, {{0x9, 0x5, 0x81, 0x3, 0x8, 0x0, 0x1, 0xfc}}}, {}, 
{0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x8, 0x40, 0x81}}, {{0x9, 0x5, 0x3, 0x2, 0x40, 0x5, 0x80, 0x81}}}}}}}]}}, &(0x7f0000003780)={0xa, &(0x7f0000003500)={0xa, 0x6, 0x250, 0x3, 0x2, 0x9, 0x40, 0x40}, 0x16, &(0x7f0000003540)={0x5, 0xf, 0x16, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x1a, 0x8, 0x4, 0x87}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x8, 0x0, 0x20, 0x9}]}, 0x5, [{0x54, &(0x7f0000003580)=@string={0x54, 0x3, "a44d24cdf3ffb9948faaf6b3c565826f57ef2b5e43e6ef9109dcaf0ff5f230b6f52d06ada7ebdfbf1c55e6551900f42f904aa25911de5d64d3cd32db26b2e48c150eacf51a16ddb311ac3d44b281a87d1c84"}}, {0x4, &(0x7f0000003600)=@lang_id={0x4, 0x3, 0x812}}, {0x4, &(0x7f0000003640)=@lang_id={0x4, 0x3, 0xf0ff}}, {0xc0, &(0x7f0000003680)=@string={0xc0, 0x3, "6f069d79ea952b3880027d5243d84aefe2bd1cf641da9ee290780232461026c5a535ae6214a8b6fd6112f368085c5cca57b84846bdd7653f325120cc01274c27930a934c2850058a34588778f4ae0255b96fcb4573f4c475fae53703ef82d785ece96adf02efc210e26fa9523111519cb037b5aebbcab0e12d228330eb466cefbc0a21984a6fd8657206b20d982f65c709ba3c6320f1066dda592fdad14a8c700cf1f5266f47fa42aa880b9aa0267cf53c9691f4fa0d4e059a6adc27da67"}}, {0x4, &(0x7f0000003740)=@lang_id={0x4, 0x3, 0xc0a}}]}) syz_usb_ep_read(r15, 0x7, 0xe4, &(0x7f00000037c0)=""/228) r16 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000038c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_ep_write(r16, 0xff, 0xca, &(0x7f0000003940)="0338f2a1a6949150d950a200b97f820700402b58fec94c39a005f5386885991997960b3165c9dd0323faf9a69d00725916fa7fb5a9bb1f47b19829ca091f88c0999a2e187f6237ab2c7eae85923fa9636dc266076f2ae7b52c1f187ce62871c2f05bbf9d9a25fd16ff3833387073e69681b243e814b2549f032aa5b8dd2e2d64df2e69d357bc2c32b8fbd90f8a1638b31390be5a61ee6ee70e3a2027e1468d5f3fa234f4462a56d7e42ce29c52ccf5cd763590a426b8a06e226ffa4568c2ce31a54d74ca6f67e670852c") csource_test.go:123: failed to build program: // autogenerated by syzkaller 
(https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int 
event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, 
__ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info)&0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct 
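btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};

/* Per-member record that follows a STRUCT/UNION btf_type (vlen of them). */
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};

/* Per-parameter record that follows a FUNC_PROTO btf_type (vlen of them). */
struct btf_param {
	__u32 name_off;
	__u32 type;
};

/* Single record that follows a VAR btf_type. */
struct btf_var {
	__u32 linkage;
};

/* Per-variable record that follows a DATASEC btf_type (vlen of them). */
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux into a static buffer and returns it.
 *
 * The result is cached: once a read has succeeded, later calls return the
 * same buffer without touching the file again. Returns NULL when the file
 * cannot be opened, a read fails, or the data fills the whole buffer
 * (i.e. it does not fit in VMLINUX_MAX_SUPPORT_SIZE).
 *
 * NOTE(review): the is_read flag is a plain static bool; concurrent first
 * calls from several threads are not serialized here.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];

	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			/* Do not leak the descriptor on the failure path. */
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}

	/* The descriptor is no longer needed once the data is cached. */
	close(fd);
	is_read = true;
	return buf;
}

/*
 * Walks the BTF type section of the cached vmlinux BTF and returns the
 * 1-based index of the first type whose name equals the string at a0,
 * or -1 if the BTF cannot be read, the magic does not match, or no type
 * has that name.
 *
 * NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are
 * taken from the blob and used as offsets without being compared against
 * the number of bytes actually read; this relies on the kernel-provided
 * BTF being well-formed.
 */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;

	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;

	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;

	/* Section offsets in the header are relative to the end of the header. */
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;

	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;

		if (strcmp(name, target) == 0)
			return idx;

		/* Size of the kind-specific data that trails this btf_type. */
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case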
BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && 
index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = 
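lookup_usb_index(fd);
	uint8_t str_idx;

	/* No device index is registered for this fd. */
	if (!index)
		return false;

	/*
	 * Only standard GET_DESCRIPTOR requests are answered here; everything
	 * else falls through to "return false" so the caller can stall ep0.
	 */
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* The high byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* The low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					/* First byte of the default descriptor is its bLength. */
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/*
				 * descs is optional (the STRING case above already
				 * tolerates NULL), so do not dereference it blindly:
				 * with no descriptors supplied there is no BOS to
				 * return and the request is left unanswered.
				 */
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/*
					 * Synthesize a qualifier from the device
					 * descriptor. The descriptor is built in
					 * dedicated per-thread storage and handed
					 * back through *response_data; building it
					 * in place of response_data itself (a
					 * char**) would overwrite the caller's
					 * pointer variable and the memory after it.
					 */
					static __thread struct usb_qualifier_descriptor qual_buf;
					struct usb_qualifier_descriptor* qual = &qual_buf;

					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/*
 * Callback type used during device connection to decide how an OUT control
 * request is handled; sets *done when the connection sequence is finished.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					       const struct usb_ctrlrequest* ctrl, bool* done);

static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{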
switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if 
(desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 
4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, 
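USB_RAW_IOCTL_CONFIGURE, 0);
}

/* Issues USB_RAW_IOCTL_VBUS_DRAW on fd with the given power value. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

/* Issues USB_RAW_IOCTL_EP0_STALL on fd. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Returns the position in the device's interface table of the entry with
 * the given interface number and alternate setting, or -1 when fd has no
 * registered device or no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int i;

	if (!index)
		return -1;

	for (i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Returns the stored handle of the endpoint with the given address on the
 * currently selected interface, or -1 when fd has no registered device, no
 * interface is selected, or the interface has no such endpoint.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];

	/*
	 * Bound the scan by eps_num. Testing eps_num alone (without comparing
	 * it to ep) never terminates on a miss and reads past eps[].
	 */
	for (ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

/*
 * Switches the device behind fd to interface table entry n: disables the
 * endpoints of the currently selected entry (if any), then enables the
 * endpoints of entry n and records their handles. Does nothing when fd has
 * no registered device; an out-of-range n only performs the disable step.
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	int ep;

	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			/* Best effort: a failed disable is deliberately ignored. */
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
		}
	}

	if (n >= 0 && n < index->ifaces_num) {
		for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			/* On failure the previously stored handle is left untouched. */
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

/*
 * Applies the device's bMaxPower via VBUS_DRAW, issues CONFIGURE and selects
 * interface table entry 0. Returns 0 on success, -1 when fd has no
 * registered device, or the negative ioctl result on failure.
 */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;

	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;

	set_interface(fd, 0);
	return 0;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct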
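usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; };

// Endpoint I/O request header followed by an inline payload buffer of
// USB_MAX_PACKET_SIZE bytes. Passed to the usb_raw_ep* helpers through a cast
// to struct usb_raw_ep_io*.
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Emulates a USB device attaching: opens a raw-gadget fd, registers the device
// descriptor blob for that fd, binds to "dummy_udc" and then answers control
// requests on endpoint 0 until the OUT-request callback sets `done`.
//
// speed/dev_len/dev/descs come straight from the generated program;
// lookup_connect_response_out selects the per-driver handling of OUT requests.
// Returns the fd on success, -1 or a negative helper result on failure.
//
// NOTE(review): once usb_raw_open() has succeeded, only the MAX_FDS check closes
// fd before returning; every later error path returns with fd still open.
// Presumably tolerated because the test process is short-lived - confirm.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	// fd is used by add_usb_index(); values at or above MAX_FDS are rejected first.
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	// One UDC instance name per executor process ("dummy_udc.<procid>").
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		// Anything other than a control event is ignored.
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Bounds guard for the copy below: a length larger than the payload
		// buffer is dropped to zero (not truncated), then capped by wLength.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

// Pseudo-syscall entry point: unpacks the raw arguments and runs the connect
// sequence with the generic OUT-request handler.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect, but with the ath9k-specific OUT-request handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Handles exactly one control request on an already connected raw-gadget fd
// (a0), using the descriptor (a1) and response (a2) tables from the program.
// Returns 0 on success, -1 if the event is not a control event or no response
// is found, or the negative helper result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	// Unlike syz_usb_connect_impl (sizeof(event.ctrl)), the fetch length here is
	// USB_MAX_PACKET_SIZE.
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` this branch runs for every standard request and
		// for any request whose bRequest equals USB_REQ_SET_INTERFACE regardless
		// of type; `&&` may have been intended - confirm against the generator.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			// A failed lookup is deliberately ignored.
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Same bounds guard as in syz_usb_connect_impl: oversize becomes zero, then
	// the length is capped by wLength.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// Zero-length IN request: handled as a read of a full-size buffer.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Writes up to USB_MAX_PACKET_SIZE bytes from a3 to endpoint a1 of fd a0.
// The length a2 is clamped to the local buffer size before the copy.
// Returns 0 on success, -1 for an unknown endpoint, or the negative helper result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Reads from endpoint a1 of fd a0 into the buffer at a3; the length a2 is
// clamped to the local buffer size.
// Returns 0 on success, -1 for an unknown endpoint, or the negative helper result.
//
// NOTE(review): the copy-out uses io_data.inner.length (the requested, clamped
// length) rather than rv. If rv is the number of bytes actually read (not
// visible here), the remainder copied to `data` is uninitialised stack
// content - confirm.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Closes the raw-gadget fd and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Opens a device node.
// a0 == 0xc / 0xb: opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> (both
// numbers truncated to 8 bits) read-write.
// Otherwise a0 is a pointer to a path template: it is copied (at most 1023
// bytes, always NUL-terminated), every '#' is replaced by successive decimal
// digits of a1 (least significant first), and the result is opened with flags a2.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

// Opens a procfs file named by the string at a1:
//   a0 == 0  -> /proc/self/<name>
//   a0 == -1 -> /proc/thread-self/<name>
//   else     -> /proc/self/task/<a0>/<name>
// Tries O_RDWR first and falls back to O_RDONLY. snprintf bounds the path to buf.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Queries the pty number of fd a0 with TIOCGPTN and opens /dev/pts/<n> with
// flags a1. Returns -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket inside the network namespace referenced by kInitNetNsFd and
// then switches back to the namespace the caller was in. errno from socket()
// is preserved across the switch back. If the original namespace cannot be
// restored the process exits, since continuing in the wrong namespace would
// silently change what the rest of the program touches.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Fix: the saved namespace fd was leaked on this path; with
		// RLIMIT_NOFILE set to 256 in sandbox_common() repeated failures
		// could exhaust descriptors.
		int saved_errno = errno;
		close(netns);
		errno = saved_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0))
		exit(1);
	close(netns);
	errno = err;
	return sock;
}

// Resolves a generic-netlink family name (string at `name`) to its numeric id
// by sending CTRL_CMD_GETFAMILY and scanning the reply for
// CTRL_ATTR_FAMILY_ID. Returns the id, or -1 on any failure.
//
// NOTE(review): the attribute walk trusts the reply: the loop condition only
// checks that the attribute starts inside the received bytes, and an nla_len
// of 0 would never advance. Presumably acceptable because the peer is the
// kernel - confirm.
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	// At most GENL_NAMSIZ bytes are copied; buf was zero-initialised.
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	// The reply overwrites the request in buf; hdr/attr keep pointing into it.
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

// One piece of a filesystem image: `size` bytes at `data`, to be written at
// byte `offset` of the image.
struct fs_image_segment {
	void* data;
	uintptr_t size;
	uintptr_t offset;
};

#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)

// Hard-coded syscall number for memfd_create (356 is the i386 value, which
// matches the linux/386 target named in the surrounding test log).
#define sys_memfd_create 356

// Sanitises the program-supplied segment table in place and returns the image
// size to allocate: every segment's size and offset are clamped so that
// offset + size <= IMAGE_MAX_SIZE, and the returned size is at least the end
// of the furthest segment, capped at IMAGE_MAX_SIZE.
//
// NOTE(review): nsegs is clamped to IMAGE_MAX_SEGMENTS only inside this
// function. The callers below keep iterating with their own, unclamped nsegs,
// so entries past IMAGE_MAX_SEGMENTS are written without having been
// sanitised - confirm whether the callers should clamp as well.
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
	unsigned long i;
	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
	if (nsegs > IMAGE_MAX_SEGMENTS)
		nsegs = IMAGE_MAX_SEGMENTS;
	for (i = 0; i < nsegs; i++) {
		if (segs[i].size > IMAGE_MAX_SIZE)
			segs[i].size = IMAGE_MAX_SIZE;
		segs[i].offset %= IMAGE_MAX_SIZE;
		if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
			segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
		// Fix: the segment ends at offset + size. The original compared and
		// assigned offset + offset, which under-sizes the image for a large
		// segment at a small offset and over-sizes it for the reverse.
		if (size < segs[i].offset + segs[i].size)
			size = segs[i].offset + segs[i].size;
	}
	if (size > IMAGE_MAX_SIZE)
		size = IMAGE_MAX_SIZE;
	return size;
}

// Builds a disk image in a memfd from the supplied segments, attaches it to
// /dev/loop<procid> with partition scanning enabled, and symlinks every
// partition node /dev/loop<procid>p1..p7 that exists to ./file0, ./file1, ...
// Returns 0 on success and -1 on failure with errno set to the failing call's
// value. The success path also runs the cleanup labels, so the loop device is
// detached and both fds are closed before returning.
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
{
	char loopname[64], linkname[64];
	int loopfd, err = 0, res = -1;
	unsigned long i, j;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// Best effort: a failed segment write is deliberately ignored.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still bound from an earlier run: detach, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			// Symlink failures are deliberately ignored.
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Builds a filesystem image in a memfd from the supplied segments, attaches it
// to /dev/loop<procid> and mounts it on `dir` as filesystem `fsarg` with the
// option string `optsarg`. Returns 0 on success and -1 on failure with errno
// set to the failing call's value. As in syz_read_part_table, the success path
// also runs the cleanup labels.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
	char loopname[64], fs[32], opts[256];
	int loopfd, err = 0, res = -1;
	unsigned long i;
	size = fs_image_segment_check(size, nsegs, segments);
	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (ftruncate(memfd, size)) {
		err = errno;
		goto error_close_memfd;
	}
	for (i = 0; i < nsegs; i++) {
		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
		// Best effort: a failed segment write is deliberately ignored.
		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
		}
	}
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still bound from an earlier run: detach, wait briefly, retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	mkdir((char*)dir, 0777);
	memset(fs, 0, sizeof(fs));
	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
	memset(opts, 0, sizeof(opts));
	// 32 bytes of opts are kept free so the strcat() calls below cannot overflow.
	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// ",errors=continue" is appended when the options mention errors=panic
		// or do not mention errors=remount-ro.
		if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	if (mount(loopname, (char*)dir, fs, flags, opts)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
error_clear_loop:
	ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return res;
}

// Stub in this build: ignores all arguments and returns 0.
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	return 0;
}

// Mounts fusectl so kill_and_wait() can abort FUSE connections; a failure is
// deliberately ignored.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Confines the test process before any generated call runs: ties its lifetime
// to the parent, detaches it into its own process group and session, stashes
// the current network namespace at kInitNetNsFd, applies resource limits,
// unshares several namespaces and caps the SysV IPC sysctls.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();
	// Keep a handle on the namespace we start in; syz_init_net_socket() uses it.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource ceilings; setrlimit() results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Namespace isolation is best effort: each failure is ignored.
	if (unshare(CLONE_NEWNS)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Reaps children until `pid` itself is reaped and returns its exit status.
// Exits if pid is negative (the fork failed).
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process. Both bits live in the first 32-bit
// capability word, so only cap_data[0] is changed. Exits if capget/capset fail.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: forks a child that applies the common setup, drops the two
// capabilities above, unshares the network namespace and runs loop(). The
// parent waits and returns the child's exit status. The PID and network
// namespace unshares are best effort.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively deletes `dir` and everything under it, retrying around the
// states a test can leave behind: EPERM (inode flags are cleared with
// FS_IOC_SETFLAGS and the operation retried), EBUSY (retried up to about 100
// times), EROFS (given up silently) and ENOTEMPTY on the final rmdir (the
// whole scan is restarted, up to 100 times). Any other failure exits.
// Entries are classified with lstat(), so a symlink is unlinked, not followed.
//
// NOTE(review): the EPERM path opens `filename` without O_NOFOLLOW, so for a
// symlink the flags are cleared on its target rather than on the link -
// confirm this is acceptable for the paths a test can create.
static void remove_dir(const char* dir)
{
	DIR* dp;
	struct dirent* ep;
	int iter = 0;
retry:
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
		}
	}
	closedir(dp);
	int i;
	for (i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				continue;
			}
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Kills the test process and its process group and reaps `pid`. If the child
// has not been reaped after 100 polls of 1 ms, every FUSE connection listed
// under /sys/fs/fuse/connections is aborted before blocking in waitpid().
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// Any one-byte write triggers the abort; the path buffer is reused as data.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever is bound to /dev/loop<procid>, if the device can be opened.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test setup in the forked child: die with the parent, own process group,
// and oom_score_adj set to 1000.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

// Calls the address in `text` as a void(void) function, i.e. transfers control
// to bytes supplied by the generated program, and returns 0 if that call
// returns. `p` is an otherwise unused volatile stack array (presumably slack
// for stray stack writes by the called code - confirm).
static long syz_execute_func(volatile long text)
{
	volatile long p[8] = {0};
	(void)p;
	((void (*)(void))(text))();
	return 0;
}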
// One worker slot: `created` marks lazy initialisation, `call` is the index of
// the call to run, `ready`/`done` are the hand-off events between
// execute_one() and thr().
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet.
static int running;

// Worker loop: waits for `ready`, runs the assigned call, decrements `running`
// and signals `done`. Never leaves the loop; the trailing return is unreachable.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs the 43 generated calls in order. Each call is handed to the first
// worker slot whose `done` event is set (slots are created on first use), and
// the dispatcher then waits for that call with a timeout before moving on, so
// a call that blocks does not stall the rest of the program. If no slot is
// free the call is skipped. Afterwards it polls up to 100 times, 1 ms apart,
// for `running` to reach zero.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A fresh slot starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Slot still busy with an earlier call: try the next one.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Base timeout of 45 plus a per-call extra emitted by the generator
			// (units are whatever event_timedwait takes, presumably
			// milliseconds - confirm).
			event_timedwait(&th->done, 45 + (call == 10 ? 500 : 0) + (call == 28 ? 50 : 0) + (call == 34 ? 3000 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 3000 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 300 : 0) + (call == 39 ? 3000 : 0) + (call == 40 ? 300 : 0) + (call == 41 ? 3000 : 0) + (call == 42 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Outer driver, never returns: each iteration creates a scratch directory
// ./<iter>, resets the loop device, forks a child that runs the program once
// inside that directory, waits for it (killing it once 5 seconds have
// elapsed) and then removes the directory.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			// Keep polling until the 5 second budget is used up.
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Fallback syscall numbers for headers that do not define them.
#ifndef __NR_getsockopt
#define __NR_getsockopt 365
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 360
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
// mmap is always issued as mmap2 in this program.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots shared between calls: a call that produces a resource stores
// it in r[N], and later calls read it back from there.
uint64_t r[17] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Generated dispatcher: `case N` performs the N-th call of the program.
// Arguments are written to fixed addresses (0x20000000 and up) before each
// call; that region is presumably mapped earlier in the file - confirm.
// The function body continues beyond this excerpt.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		syscall(__NR_ioctl, -1, 0x125e, 0x20000000);
		break;
	case 1:
		memcpy((void*)0x20000040, "/dev/nullb0\000", 12);
		res = syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x80000, 0);
		if (res != -1)
			r[0] = res;
		break;
	case 2:
		*(uint8_t*)0x20000080 = 0;
		*(uint8_t*)0x20000081 = 0;
		*(uint8_t*)0x20000082 = 0;
		*(uint8_t*)0x20000083 = 0;
		*(uint8_t*)0x20000084 = 0;
		*(uint8_t*)0x20000085 = 0;
		*(uint8_t*)0x20000086 = 0;
		*(uint8_t*)0x20000087 = 0;
*(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint8_t*)0x20000090 = 0; *(uint8_t*)0x20000091 = 0; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint8_t*)0x20000096 = 0; *(uint8_t*)0x20000097 = 0; *(uint8_t*)0x20000098 = 0; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint16_t*)0x200000a0 = 6; *(uint32_t*)0x200000a4 = 4; *(uint32_t*)0x200000a8 = 0x400; *(uint64_t*)0x200000ac = 0; *(uint64_t*)0x200000b4 = 0x5f; *(uint32_t*)0x200000bc = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0xc0401273, 0x20000080); break; case 3: res = syscall(__NR_socketpair, 0x21, 3, 4, 0x200000c0); if (res != -1) { r[1] = *(uint32_t*)0x200000c0; r[2] = *(uint32_t*)0x200000c4; } break; case 4: memcpy((void*)0x20000140, "l2tp\000", 5); res = -1; res = syz_genetlink_get_family_id(0x20000140); if (res != -1) r[3] = res; break; case 5: *(uint32_t*)0x20000200 = 0x20000100; *(uint16_t*)0x20000100 = 0x10; *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x100; *(uint32_t*)0x20000204 = 0xc; *(uint32_t*)0x20000208 = 0x200001c0; *(uint32_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x24; *(uint16_t*)0x20000184 = r[3]; *(uint16_t*)0x20000186 = 4; *(uint32_t*)0x20000188 = 0x70bd28; *(uint32_t*)0x2000018c = 0x25dfdbfb; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint16_t*)0x20000194 = 8; *(uint16_t*)0x20000196 = 0xb; *(uint32_t*)0x20000198 = 4; *(uint16_t*)0x2000019c = 8; *(uint16_t*)0x2000019e = 0xc; *(uint32_t*)0x200001a0 = 1; *(uint32_t*)0x200001c4 = 0x24; *(uint32_t*)0x2000020c = 1; *(uint32_t*)0x20000210 = 0; *(uint32_t*)0x20000214 = 0; 
*(uint32_t*)0x20000218 = 0x20000000; syscall(__NR_sendmsg, (intptr_t)r[1], 0x20000200, 0x8000); break; case 6: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 5; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 2; *(uint32_t*)0x20000280 = 0x10; res = syscall(__NR_getsockopt, -1, 0x84, 0, 0x20000240, 0x20000280); if (res != -1) r[4] = *(uint32_t*)0x20000240; break; case 7: *(uint32_t*)0x200002c0 = r[4]; *(uint32_t*)0x200002c4 = 2; syscall(__NR_setsockopt, (intptr_t)r[2], 0x84, 0x7b, 0x200002c0, 8); break; case 8: *(uint32_t*)0x20000340 = 4; syscall(__NR_getsockopt, -1, 0x84, 8, 0x20000300, 0x20000340); break; case 9: *(uint16_t*)0x200003c0 = 0x10; *(uint16_t*)0x200003c2 = 3; *(uint8_t*)0x200003c4 = 0x41; *(uint8_t*)0x200003c5 = 0x83; *(uint16_t*)0x200003c6 = 0; *(uint32_t*)0x200003c8 = 0x401; *(uint32_t*)0x200003cc = 0; *(uint16_t*)0x200003d0 = 0x43; memcpy((void*)0x200003d2, "\x4a\x8e\x60\x63\x4e\x3a\x9e\xbf\x09\x88\x47\x4a\x70\xcd\xc4\x4c\x93\x5e\x71\xdc\xa8\xa3\x6e\x9f\x73\x39\xb7\x33\xe7\xfd\xfa\x26\xd1\x76\x3f\x8e\x1f\xc1\x8c\x23\x48\x4f\xf7\x1c\x6e\xa7\x6b\xf1\xdb\x3e\x46\xcf\x80\x38\x03\x22\xd2\x96\xfb\xf1\x93\xc5\x4d\x49\x49\xcc\xdb", 67); syscall(__NR_write, -1, 0x200003c0, 0x55); break; case 10: memcpy((void*)0x20000000, "bpf_lsm_post_notification\000", 26); syz_btf_id_by_name(0x20000000); break; case 11: *(uint8_t*)0x20000040 = 0xbb; *(uint8_t*)0x20000041 = 0xbb; *(uint8_t*)0x20000042 = 0xbb; *(uint8_t*)0x20000043 = 0xbb; *(uint8_t*)0x20000044 = 0xbb; *(uint8_t*)0x20000045 = 0xbb; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = htobe16(0xd); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 4, 0, 29); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 29, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 0, 30, 1); STORE_BY_BITMASK(uint32_t, , 0x2000004e, 1, 31, 1); *(uint8_t*)0x20000052 = 0x23; *(uint8_t*)0x20000053 = 0; 
*(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; memcpy((void*)0x20000056, "\x90\xa4\x41\x2e\xd4\x81\xe3\x9e\xc0\x78\x7c\xae\x08\x3f\xac\x93\xb9\x0d\xaa\x75\x95\xdc\x55\x4b\x0d\x6f\xb7\x20\xa6\x00\x98\x35\xc9\x29\xd9\x56\x66\x87\x93\x99\x54\xd1\x4f\x03\x76\xd3\x90\x39\x88\x5d\x4b\x34\x9e\x57\x79\x1c\x3b\x28\x84\xb6\x7a\x56\x87\x16", 64); *(uint32_t*)0x200000c0 = 1; *(uint32_t*)0x200000c4 = 1; *(uint32_t*)0x200000c8 = 0x4a; *(uint32_t*)0x200000cc = 0x2e7; *(uint32_t*)0x200000d0 = 0x6f0; *(uint32_t*)0x200000d4 = 0x1aa; break; case 12: *(uint8_t*)0x20000100 = 3; *(uint16_t*)0x20000101 = 0xc9; *(uint8_t*)0x20000103 = 0x56; memcpy((void*)0x20000104, "\xaf\x8c\x56\xab\x29\x59\xdc\x53\x4c\xc8\x68\xe4\xb4\x2b\x05\xa0\xde\x86\xbb\x45\xfd\x2b\xf9\xe3\x2d\x58\xe9\xad\x1f\xb7\xbe\x75\xad\xc1\xe7\xaa\xa5\x23\x19\x45\x65\x31\x63\x1e\xde\x47\xc2\x91\x9b\xcd\xb3\xba\xfd\xaf\x56\x0b\xf2\xa9\xca\x3a\x75\xfa\x34\xd0\x70\x26\xb7\x30\x2d\xc3\x91\xf9\x55\x4e\x50\xcf\xc7\xf7\x31\xc0\x9f\x1c\x71\x26\x2d\xf3", 86); break; case 13: memcpy((void*)0x20000180, "\xc4\xc1\x6f\x10\xfa\x66\x0f\x65\x64\x2a\x10\xc4\xe1\xfa\x70\xef\xfb\xc4\xc3\x7d\x09\x6a\x42\xfe\xc4\xe1\x41\x6a\x52\x00\xf3\xab\xc4\xc1\xcc\xc6\xe4\x74\x36\x0f\x8f\xb8\x00\x00\x00\xaf\x0f\xfe\x98\xf0\xff\xff\xff", 53); syz_execute_func(0x20000180); break; case 14: break; case 15: memcpy((void*)0x20000200, "SEG6\000", 5); syz_genetlink_get_family_id(0x20000200); break; case 16: syz_init_net_socket(3, 5, 0xcb); break; case 17: res = syscall(__NR_mmap, 0x20ffd000, 0x1000, 0xc, 0x800, -1, 0x8000000); if (res != -1) r[5] = res; break; case 18: res = -1; res = syz_io_uring_complete(r[5]); if (res != -1) r[6] = res; break; case 19: *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0xab13; *(uint32_t*)0x20000248 = 0x10; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0x375; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = -1; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; 
*(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint32_t*)0x20000278 = 0; *(uint32_t*)0x2000027c = 0; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0; *(uint32_t*)0x20000288 = 0; *(uint32_t*)0x2000028c = 0; *(uint32_t*)0x20000290 = 0; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = 0; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; res = syscall(__NR_io_uring_setup, 0xc43, 0x20000240); if (res != -1) r[7] = res; break; case 20: *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0x3caa; *(uint32_t*)0x200002c8 = 8; *(uint32_t*)0x200002cc = 3; *(uint32_t*)0x200002d0 = 0x347; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = r[7]; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; *(uint32_t*)0x200002f8 = 0; *(uint32_t*)0x200002fc = 0; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = 0; *(uint32_t*)0x20000308 = 0; *(uint32_t*)0x2000030c = 0; *(uint32_t*)0x20000310 = 0; *(uint32_t*)0x20000314 = 0; *(uint32_t*)0x20000318 = 0; *(uint32_t*)0x2000031c = 0; *(uint32_t*)0x20000320 = 0; *(uint32_t*)0x20000324 = 0; *(uint32_t*)0x20000328 = 0; *(uint32_t*)0x2000032c = 0; *(uint32_t*)0x20000330 = 0; *(uint32_t*)0x20000334 = 0; syz_io_uring_setup(0x4759, 0x200002c0, 0x20ffd000, 0x20ffc000, 0x20000340, 0x20000380); break; case 21: res = syscall(__NR_mmap, 0x20ffd000, 0x3000, 0xe, 3, -1, 0x8000000); if (res != -1) r[8] = res; break; case 22: res = syscall(__NR_mmap, 0x20fff000, 0x1000, 0x4000000, 0x20, (intptr_t)r[6], 0x10000000); if (res != -1) r[9] = res; break; case 23: *(uint8_t*)0x200003c0 = 5; *(uint8_t*)0x200003c1 = 4; *(uint16_t*)0x200003c2 = 0x2007; *(uint32_t*)0x200003c4 = 6; *(uint64_t*)0x200003c8 = 
3; *(uint64_t*)0x200003d0 = 4; *(uint32_t*)0x200003d8 = 4; *(uint32_t*)0x200003dc = 0xe; *(uint64_t*)0x200003e0 = 1; *(uint16_t*)0x200003e8 = 0; *(uint16_t*)0x200003ea = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; syz_io_uring_submit(r[8], r[9], 0x200003c0, 0x80); break; case 24: memcpy((void*)0x20000400, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffff9c, 0x20000400, 0x2000, 0); if (res != -1) r[10] = res; break; case 25: *(uint32_t*)0x20000480 = 0; *(uint32_t*)0x20000484 = 0x20000440; memcpy((void*)0x20000440, "\x1f\x53\x95\x5c\xb3\xce\xcd\x20\x39\x60\x9c\xfc\xe5\x32\x92\x7f\x02\xde\x61\x5e\x5e\x77\x16\xc3\x74\x70\x5f\x59\x10\x2e\x00\x75\x4d\xba\xa3\x69\xc6\xc1\xa1\xc2\xf4\xc5\x30\xc3\xaf\x81\xe8\xfe\x56\x09", 50); *(uint32_t*)0x20000488 = 0x32; *(uint64_t*)0x200004c0 = 1; *(uint64_t*)0x200004c8 = 0; syz_kvm_setup_cpu(r[6], r[10], 0x20fe8000, 0x20000480, 1, 0, 0x200004c0, 1); break; case 26: *(uint32_t*)0x20000500 = 0; *(uint32_t*)0x20000504 = 0xe518; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 1; *(uint32_t*)0x20000510 = 0x3a5; *(uint32_t*)0x20000514 = 0; *(uint32_t*)0x20000518 = -1; *(uint32_t*)0x2000051c = 0; *(uint32_t*)0x20000520 = 0; *(uint32_t*)0x20000524 = 0; *(uint32_t*)0x20000528 = 0; *(uint32_t*)0x2000052c = 0; *(uint32_t*)0x20000530 = 0; *(uint32_t*)0x20000534 = 0; *(uint32_t*)0x20000538 = 0; *(uint32_t*)0x2000053c = 0; *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 0; *(uint32_t*)0x2000054c = 0; 
*(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint32_t*)0x20000564 = 0; *(uint32_t*)0x20000568 = 0; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; res = -1; res = syz_io_uring_setup(0x7424, 0x20000500, 0x20ffe000, 0x20ff6000, 0x20000580, 0x200005c0); if (res != -1) r[11] = *(uint64_t*)0x20000580; break; case 27: *(uint32_t*)0x20000600 = 1; syz_memcpy_off(r[11], 0x114, 0x20000600, 0, 4); break; case 28: memcpy((void*)0x20000640, "afs\000", 4); memcpy((void*)0x20000680, "./file0\000", 8); *(uint32_t*)0x20000800 = 0x200006c0; memcpy((void*)0x200006c0, "\xd6\x32\xc1\x9b", 4); *(uint32_t*)0x20000804 = 4; *(uint32_t*)0x20000808 = 0xffff; *(uint32_t*)0x2000080c = 0x20000700; memcpy((void*)0x20000700, "\x3f\xe8\x37\x0c\xed\xe5\x2e\xfa\xc0\x54\x24\x1d\xa1\xef\x62\x34\xcd\xc7\x76\x6d\x9c\xee\xe0\x5c\x36\x77\x5d\x23\x4a\x8f\x02\x59\xa8\x80\x13\x16\x89\x77\x5a\x49\xe1\xc5\xd8\x1e\xe5\xee\xd4\x2d\xa0\x22\xa3\xc9\xb9\xd4\x39\xae\x77\x99\x90\xd0\x4c\xf5\x51\xc0\x84\xc0\x93\x74\x4e\x79\xca\x6a\x48\x27\xd8\xc6\x03\x05\x3d\x29\x71\x4d\x83\x93\x63\xcf\x49\xad\xd7\xd7\x32\x3c\x06\x19\xa9\x9c\xef\x60\x9f\xc4\x7e\x56\xc6\x66\x30\xec\x79\x73\xbf\xfe\xd2\x14\xd4\x51\xf0\x64\xf3\x6e\x35\x97\x50\x6a\x51\xad\xfd\x6b\x0d\x61\xfd\xcd\xf2\xbf\xcb\x31\xb2\xc6\xc4\x4c\x27\x9c\xcd\xb6\x90\x28\x91\xda\xf7\x5e\x66\x3f\x59\x42\xea\x76\x82\xfb\xfd\x3e\x73\x69\xa9\xfe\x16\xf3\x72\x47\x6e\xfb\x28\x1a\xaa\xd4\xbf\xe7\xe6\x10\xe9\x63\x62\x94\x61\xe9\x03\x3c\xaf\x00\xd6\x2a\x10\x9d\x00\x4b\x93\x5b\x90\x79\xbd\x3d\xf5\xbe\x94\xa0\xfa\x1e\x19\x77\xf5\x52\xba\xa4\x92\xba\x31\xe2\xec\x4b\xf3\x10\xc8\x14\xdc\x75\x32\x97", 224); *(uint32_t*)0x20000810 = 0xe0; *(uint32_t*)0x20000814 = 0x4c; memcpy((void*)0x20000840, "source", 6); *(uint8_t*)0x20000846 = 0x3d; memcpy((void*)0x20000847, "SEG6\000", 5); *(uint8_t*)0x2000084c = 0x2c; memcpy((void*)0x2000084d, "flock=strict", 12); 
*(uint8_t*)0x20000859 = 0x2c; memcpy((void*)0x2000085a, "flock=strict", 12); *(uint8_t*)0x20000866 = 0x2c; memcpy((void*)0x20000867, "flock=local", 11); *(uint8_t*)0x20000872 = 0x2c; memcpy((void*)0x20000873, "autocell", 8); *(uint8_t*)0x2000087b = 0x2c; memcpy((void*)0x2000087c, "flock=openafs", 13); *(uint8_t*)0x20000889 = 0x2c; memcpy((void*)0x2000088a, "measure", 7); *(uint8_t*)0x20000891 = 0x2c; memcpy((void*)0x20000892, "subj_user", 9); *(uint8_t*)0x2000089b = 0x3d; memcpy((void*)0x2000089c, "$F!%[#&+-}^}", 12); *(uint8_t*)0x200008a8 = 0x2c; *(uint8_t*)0x200008a9 = 0; syz_mount_image(0x20000640, 0x20000680, 4, 2, 0x20000800, 0x201000, 0x20000840); break; case 29: memcpy((void*)0x200008c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200008c0, 0x9a7, 0x60100); break; case 30: res = syscall(__NR_ioctl, -1, 0x540f, 0x20000900); if (res != -1) r[12] = *(uint32_t*)0x20000900; break; case 31: memcpy((void*)0x20000940, "net/ip6_mr_vif\000", 15); syz_open_procfs(r[12], 0x20000940); break; case 32: syz_open_pts(r[6], 0x402000); break; case 33: *(uint32_t*)0x20001c80 = 0x20000980; memcpy((void*)0x20000980, "\x94\x7b\xdd\x13\x38\xb6\xb9\xfd\xc7\xee\xc2\x77\x64\x33\x19\x1f\x82\x72\x66\xcf\xa9\x4b\xbf\x64\xcf\xf8\x3a\x00\xd9\x75\x00\x9f\x3b\x27\x38\xac\x70\x67\x01\x94\x47\xd6\x93\xa3\x53\x4d\xae\x5d\x3b\xf0\x3b\x17\xd7\xa2\xbc\x09\x3d\x2a\xb0\x1f\xb0\x79\xd1\x3e\x4c\xa0\x8a\xb2\x39\x18\xa3\xfa\xc5\x0a\x48\xc3\x2b\x4b\xa2\x17\x09\x57\xd2\x0c\xb4\xa4\xf7\x31\xd6\x60\xe8\x8f\x40\xc3\x0c\x3c\x40\xd4\x1f\xf3\xff\x71\x34\xdc\xeb\x66\xb1\x13\xb5\xc1\xbb\xa6\x30\xa7\xee\x5c\xd6\x8a\xb5\x9e\x69\xf8\xc8\x95\x30\xe4\xca\xc7\xf6\x15\xdd\x3f\xad\xc7\x94\x0d\x23\xb0\x69\xd6\x2b\x7c\xcf\x41\x49\x88\x10\x45", 148); *(uint32_t*)0x20001c84 = 0x94; *(uint32_t*)0x20001c88 = 0x7e; *(uint32_t*)0x20001c8c = 0x20000a40; memcpy((void*)0x20000a40, 
"\x3b\xec\xe5\xe4\xb0\x0d\x1a\xa5\xc6\x45\x5d\x8f\xfd\xdd\x35\x57\x13\x82\x30\x47\x33\xf4\x7e\x93\xba\x01\xd0\x22\x0d\x34\x52\x42\x5a\xa4\xa3\x5a\x16\xad\xc9\x6a\x1c\x87\xd3\xc0\x91\x21\xdf\x1c\x8a\xef\x26\xc2\x03\x58\xa1\x53\xa0\xef\x19\x59\xf6\x9c\x68\x9a\xcd\x27\x51\xf4\x28\xf2\x41\xc2\xde\xcf\x4c\xd9\xa3\xb1\x09\xe6\x6b\x31\x0f\xb1\x01\x1f\x65\x32\x9b\xef\x95\x3a\xe0\x2c\xf9\xdb\x61\x33\x61\x9b\x5b\xfa\x07\xa6\xe1\x32\x51\x27\x8d\xa9\x3d\xe8\x26\x35\xbc\xdd\x76\x40\xb6\x31\x1d\xa5\x8d\x2a\x68\x10\x65\x40\x1d\x07\x53\xce\xf9\x0b\xf7\xa0\xf5\x41\x11\x24\x53\xb9\xce\x75\x27\xef\xcb\x09\x83\x4f\x10\x73\x73\x6d\x3e\xbd\xb9\x24\x17\x36\xb6\x1d\xf7\x0a\x13\xc7\x6e\x54\xdd\xbc\x65\xa5\x2d\x8a\x4f\xe4\x2e\xd0\x97\xa5\x7c\x8d\x04\x26\xf9\x16\x75\x0e\x9a\x5c\x38\x28\x1f\xba\xd7\xae\x59\xc2\x23\xba\xb1\x10\x05\x92\xd4\x2e\xda\x4e\x0b\xf4\xbf\x03\x04\x20\x47\x8f\xcd\x28\xc4\x05\x7d\x41\xa9\x72\x1b\x00\x14\xe9\x1a\x1e\x70\x58\xd4\xc9\x29\x08\x12\xf6\xde", 239); *(uint32_t*)0x20001c90 = 0xef; *(uint32_t*)0x20001c94 = 0x800; *(uint32_t*)0x20001c98 = 0x20000b40; memcpy((void*)0x20000b40, "\x6d\xaf\x7a\x1e\x0d\x14\xcb\x6b\x8c\x65\xd3\x7e\xf9\x88\xe6\x70\xca\x88\xb1", 19); *(uint32_t*)0x20001c9c = 0x13; *(uint32_t*)0x20001ca0 = 0; *(uint32_t*)0x20001ca4 = 0x20000b80; memcpy((void*)0x20000b80, 
"\xe2\xa3\x79\x51\x07\x38\xbe\x3d\x3b\xaf\x49\xa1\x70\xf0\x89\xf5\x6f\x7b\x3a\x43\xbd\x92\x6f\x2f\x33\x68\xf3\x8e\x97\x34\x0a\xf9\xb0\x99\x1e\xa9\x8f\x46\x53\x25\x2c\x0b\xef\x6a\xd2\x65\x82\xb6\x00\x54\x54\x65\x59\x1f\xae\xfd\x00\x78\x2e\x31\xc8\xae\xe9\xf2\x39\x90\xd2\xd9\x5f\x87\x10\xd1\x10\x40\x9d\xc3\xda\xd1\x58\x17\x94\xfb\x09\xf6\x34\x9e\x93\x7b\x1d\xf1\xbb\x8a\x9a\x09\xce\x60\xc4\x12\x82\x37\x6e\x6a\xc6\x07\x88\x8c\x64\xfc\xd9\xec\xf5\x40\x50\x63\xba\x5f\x64\x2a\x29\x5b\x4f\x77\x8f\x2c\xab\xcc\xf6\xc9\x00\x70\x71\xb1\xa9\xec\x31\xee\xa5\xda\xf6\x2d\x37\x1a\x56\xde\x30\x95\x49\x97\x49\x11\xa5\x79\x7f\xa3\x40\x26\xe8\x5b\xb7\xf5\x42\x7a\xb4\x96\x5f\x11\xa3\xab\xa1\x8e\xd0\xfe\x28\x0e\x45\xc2\x64\x12\x83\x8f\xc5\xbb\xe0\xf6\xde\x63\xd0\x11\xc0\x6b\x41\x3e\x3d\x4a\x15\x29\x6b\x6f\x79\x15\xdf\xfe\xcd\xd4\x07\x50\x4f\xaa\x2f\xe6\x3b\xb1\x90\xaf\x90\x61\x70\x9a\x98\x20\x94\xf6\x20\x79\x3c\x04\x25\x32\xf5\x13\x14\xdd\x07\x53\xb8\x32\xa6\x58\x59\xe1\x78\xd9\x4d\xd1\x69\xa1\xb7\x67\x74\x85\x66\xd1\x3f\x17\x0d\xa3\x6f\x2a\x51\x05\x3d\x8b\x67\xfb\x5f\x12\xd8\x6b\xf3\x60\x46\xea\xb9\xb7\xc2\x6c\x50\x78\x6c\x9b\x29\xa2\x60\x5c\x56\x31\xab\x30\x26\x16\x69\x97\x1a\x48\x47\x0d\x98\x2c\x30\x88\xbe\x7c\xff\xd1\xf0\xc6\x77\x5e\x57\x57\xdb\x61\x48\xdd\x74\xc5\x95\x4e\x34\xc4\x00\x88\x65\x9a\x1f\x44\xd0\x53\x46\x59\x85\xed\x20\x03\x9b\xce\xd7\xea\x9d\xec\x7e\x25\xcd\x6d\x60\x0d\x1e\xd3\x1a\xed\x53\x88\x5f\xc7\xef\x87\x89\xee\xa0\x63\x9d\x2b\x25\x0d\xcd\xf4\xad\x71\xbb\xda\xbf\x4b\xa1\x8a\xf2\x9a\xc8\x19\xae\x43\x18\x64\xdb\x1b\x03\x53\xbc\x5c\xb2\x04\x19\x43\xb4\x45\x13\xf7\xc6\x79\xf3\x48\xbd\x29\x62\xb2\x74\x87\xbc\x7d\xc7\x48\x8c\xff\x13\xa2\x4b\x65\x8f\x31\xb4\xaf\xc9\xe5\x01\x3a\xb4\x60\xcf\x3a\x01\x4a\x8f\x19\x90\x9e\x75\xbc\x3d\x41\x44\xf5\xd3\x2e\x37\x0d\xe7\x4f\x44\x02\xa0\xdb\x53\x39\xc1\xe3\x61\x6d\x21\x47\x74\x36\x52\xdd\x73\x94\x0d\x37\x55\x0c\xc9\x61\xb0\x8b\x3a\x33\xb7\x9c\x4a\x2f\x3f\x1a\xb4\xb2\x36\x4c\x24\x03\x1c\xce\x1f\x29\xbe\xaf\x57\x4b\x13\x18\x84\x4f\xcc\x9
3\x87\xd2\xcf\x79\x83\x34\xde\x08\x16\xd5\x28\xf0\x87\xf5\x67\x51\xf7\x63\xb8\x2c\x76\x0f\xe1\x9e\xf9\x5f\xd2\xe5\x52\xc8\xec\x74\xbf\xee\x9b\x6c\x8e\x33\x41\xb3\xba\xff\x54\x05\xed\xbe\xd7\x09\xfb\x1e\xa1\x30\xa1\xa6\xe3\x0a\xcf\x72\x32\xc0\x19\x40\x34\xda\xf0\xef\x11\x71\x15\xab\x22\x0f\x11\x61\xa8\x38\x94\x0e\xf6\x00\x72\xc4\x06\x55\x7f\x56\xf1\x3f\x30\x21\xb4\x08\x42\xf9\x11\x4b\x0a\xe9\xcd\x82\x44\x23\x0c\x22\x27\xce\x7c\x7e\x71\x50\x3b\xa5\x25\x3d\x63\x08\x1c\xa9\xaf\x8f\xc4\xa4\xe2\xc3\x03\x9a\x0b\xad\x1a\xf9\x1e\xd4\xcb\x91\xb9\xbd\x42\xd8\xee\x5e\x0b\xd9\x84\x4f\x92\xf4\xaf\x1e\xa5\xb8\x83\x80\xa9\x9b\x1a\xdc\x70\x57\xb9\x15\x7b\x61\x02\x1a\xbc\xe3\x77\xdc\xa6\xaf\x6c\x2d\xd9\x8f\x02\xc2\x3a\x84\x59\xcc\xbe\x65\x0b\x66\xd0\x6b\xba\xe0\x60\x99\x28\xe8\x4d\x5c\x61\x1e\x2c\x6f\xeb\x6a\x43\xd0\xaa\x53\x2b\x12\xd5\xe3\x26\x04\x48\xcd\x82\x37\x2b\x11\xf9\xdc\x8f\x94\x66\x5a\x3a\xb8\x64\xeb\x3e\xb0\xe5\xb0\x73\x20\x02\x49\xa6\x74\x04\x7e\xe8\xff\xf8\xfb\x4f\x55\x65\x30\x60\xef\xb6\xa0\x0d\x70\xb0\xfe\x4a\x7f\x5d\xca\x7d\x9c\x71\x60\x4f\xa7\x0b\x0e\x40\x56\x93\x39\xe5\x2b\xa5\x2b\x7d\x70\x08\x53\x33\x06\x16\x5c\x97\x8d\x03\x0a\x85\x2c\x0d\xd7\x59\x96\x90\x47\x20\xa1\x0a\x3a\x9d\x0f\x2f\x67\xf2\x58\xe4\x39\x04\x7a\x6a\x5b\x08\x49\x04\x09\xaa\x84\xec\x29\x6f\x67\xb8\x8b\x80\x11\xcb\x39\xc6\x78\x00\xef\xec\x6e\xc4\x3e\x73\x2a\xee\x04\xcc\x18\xc4\xce\xdd\xc9\x68\x6a\x43\x20\x11\xe1\xdf\x5f\xa1\x29\x2c\x7b\xda\xe6\x27\x31\x57\x3e\xc5\x23\x32\x93\xff\x4e\xd6\x71\xe5\x2c\x95\x1d\x8e\x00\x83\x6d\xb9\x36\x35\x34\xbc\x8c\x1e\x91\xd9\x8c\xab\x7d\x06\x06\xc1\x70\xd4\x09\xd9\x6d\x32\x25\xf5\x62\x06\xb6\x00\xfc\x1a\x78\x39\x41\xaa\xde\x24\x83\x38\xdb\xa6\x6d\x56\xf8\xfc\x19\x7d\x19\xce\xdd\x5f\x1a\x65\xd5\xf1\xd8\x5a\x4c\xb4\x49\x73\x42\xd1\x97\xdf\x41\x7d\x43\x17\x77\x7c\x81\xe7\x07\xf1\xb9\xda\xdd\x38\x26\x53\x24\xf4\x1a\xa8\x50\x21\xb2\xd7\xed\xc0\xff\x4a\x52\x7d\xb8\x5f\xf1\x41\x65\x2e\xeb\x5e\x76\x6e\x18\x9e\x11\xe6\x30\x7a\x44\x75\xd5\xf7\x93\xe8\x22\xb7\xec\xbc\x7e\x2f\xf
3\xf6\xf9\xa8\x39\x9a\xf6\x92\x64\x9d\x67\x30\x5c\x86\xb4\x79\x16\x9d\xf1\x2f\x74\x91\x02\x06\x9d\xa1\x64\xad\x14\x65\x5e\x05\x32\xfc\x41\x9b\x51\xf2\x9b\x28\xd1\xf4\x08\xf5\x23\x6c\xe9\x21\x50\x9f\x3f\x61\x1a\x56\x5a\x5e\x38\x68\x57\x44\x47\x0f\x6e\x45\x7b\xdd\x05\x7d\x72\x7f\x7e\xcf\xaa\x46\x84\x73\xbc\xba\x94\xc4\x3e\xad\x22\xf8\x52\x78\x43\x24\x5f\x37\x22\x75\x94\x6b\xd4\x59\x9f\x3a\x8a\xe9\x1e\xc3\x14\x08\x70\xbe\x91\xd2\xfb\xfc\xbd\x7e\x50\x4d\xa3\xd6\xf4\x9e\x90\x5a\xca\x16\x78\x32\xd7\xc3\x5a\x56\xa2\x8a\xbc\x85\x20\x90\x29\x23\x18\xec\x1f\x08\xbf\x3d\x71\xde\x73\x60\xd6\xd0\x49\x00\xd7\x73\xa7\xf4\x0c\x3d\xb7\xaa\xbf\xc2\x7a\x33\x8e\x87\xd5\x78\xf4\x30\xee\x49\x0e\x48\x22\x14\x06\xd3\x1c\x62\x22\x0c\x2b\xd9\xe1\x79\x3e\xed\x1b\x84\xab\xa0\xad\xc3\xd5\x4e\xed\x59\xae\x3b\x83\xe5\xa1\x14\x77\x21\xfc\xc2\x27\xcf\xf9\x6c\x80\x65\xf8\x66\x5c\xbf\xef\x93\x52\x1c\xa1\xbf\x4b\x10\x0e\x62\x89\x6c\xfd\xca\x36\xe7\xf7\xb4\xb3\xfd\x3b\xab\xf5\xc1\x8c\x90\x03\x0f\xbf\x90\x4d\x4f\x4c\x3f\xb2\x3a\xf1\x6b\x1e\x37\x44\xca\x6a\xb1\x23\xdf\x90\xb1\x68\xea\xa1\x38\x32\x4e\xbf\x98\xec\xd6\x6d\xd6\x4e\xe9\x06\x23\x6b\xf3\xa0\x29\x6b\xe1\xdf\x81\x38\x7b\xa9\x57\x00\xe0\x4c\xe2\x66\x37\xca\x4d\xfb\x70\xc6\x7d\x32\xa2\xe7\xac\xde\x21\x9c\xef\x54\xe4\xc9\xec\x1c\x27\xb5\xb6\xa3\x88\xca\x51\x5a\xf6\xe5\xef\xc4\x93\xa3\x0f\xa9\x32\x4e\x1f\x2b\x2b\x51\x26\x7f\xbb\x26\xf3\xd4\x29\x2e\x83\x6c\xb7\x09\xe9\x2a\x6e\x0e\x11\xaf\xf3\x86\xb3\xd4\x5d\x81\xa2\xd3\x5f\xe9\x71\xcb\xff\x8a\x32\xf5\x2d\x04\x6b\x9b\xa9\xa4\xbc\x77\x26\x7a\x2e\x86\xa4\x80\xa9\xec\x50\x36\x1d\x5e\xd5\x9b\xa5\x40\xae\x1c\xf0\xe7\xea\xaa\x5d\x8f\x5b\x2e\x38\x52\x7f\xde\x78\xec\xf8\x42\xec\x48\xcf\x68\x1f\xd4\x52\xaa\x5c\x60\xd0\x64\x74\xf6\x42\x2a\xd0\x8d\xb4\xfa\x07\x88\xc5\x65\x63\xf5\x2c\xbd\x38\x36\x27\xe1\x1f\x98\xeb\x40\xec\x74\x96\x1c\x02\x8b\x1f\xcd\x7b\x25\xd4\xcd\x28\x9d\xbc\x76\x1f\xb1\xec\x00\xa6\x18\x35\x13\xc5\xf7\x6d\xa7\x54\x64\x16\xfb\x81\xe8\x66\x1f\x93\xf4\x23\x4f\xdf\x3a\x33\x98\xd8\xbb\x8c\x69\x90\x2
e\x6d\x9f\x3f\xc1\x65\xe6\xd9\xf3\x9e\xb2\xac\xc1\x89\xab\x7b\x49\x01\x3b\x2c\x74\xd0\x78\x8e\xe0\x5f\xc1\x17\x33\x5d\x47\x83\x80\x01\x3e\xab\x17\x3d\xdc\x7a\x92\x7f\x03\x08\x0c\x2e\xa7\x05\xb6\x8f\x66\x4a\x3b\xe2\x70\x22\x11\x72\xd2\x99\x5b\x15\xb4\xd0\xab\x25\xd4\x66\x8a\xb7\x58\x7d\x24\xe8\x31\xc5\xc7\x84\x1f\xa0\x0b\xd0\x63\x02\x1d\x3f\x43\x40\x5b\x35\xc6\xc7\x9d\xd4\x03\x0f\xc6\x30\xee\x78\xd7\xe6\x4a\x90\xcc\x27\x61\x42\x16\x24\xd4\x8a\xc0\x76\x4d\x8a\x90\x3c\x5a\x8b\x0a\x21\x31\x20\x87\x1b\x9e\x82\xa3\xb1\xf9\x24\x55\x38\x0b\x95\x08\x32\x65\x1b\x6d\x0d\x9b\xdb\x24\x90\x55\xd5\x5f\xa4\x9f\xc7\x29\x61\x47\xcb\xce\xc6\x05\x9a\x00\x47\xae\x6e\x86\xb5\x1a\xe3\xb5\xaf\xf4\x98\xce\xed\x67\x1d\xdd\x0e\x2b\xd9\x7f\xd7\xf3\x9a\x32\x80\xbd\x80\x99\x6a\xc7\xbb\x98\x18\x77\x09\x93\x82\x46\xf8\xe0\xcb\x9c\xca\x0a\x18\x9d\x18\xcb\x9d\xcd\xd5\x21\x86\xfe\xb9\x35\xf4\xa5\x32\x6c\x3b\xc1\x34\x8a\x05\xf0\xe7\x18\x04\x52\xa4\x3e\x7f\x2b\x6f\xb3\x5a\x41\x96\xaf\xda\x0f\x19\x93\x38\x3d\xd2\x03\x69\x4c\x1a\xb5\x3b\xe6\x44\x81\xc0\xd9\xc7\x88\x01\x61\x07\x89\xf9\xf5\x13\x0b\x4a\x14\x3f\x09\x22\x9e\x8d\x89\xd0\xad\x09\xed\xf9\x71\xcf\x0f\xe4\x95\xd7\x55\x2b\x7a\x79\x1a\x90\x54\x23\x2e\x8d\x22\x97\x66\x21\xb7\xf6\xbe\x03\xe7\xe0\xbf\x8e\x5e\xd8\x3d\xb9\x4e\xfc\x74\x8c\x93\xa0\x6c\x12\x4f\x55\xdd\x8e\xfe\x11\xe1\x5d\x83\xe1\xfc\xe5\x82\xb1\x9b\xe1\x0d\xcc\x1b\x3e\xb5\x94\x29\x1a\xaa\xbd\x56\xcb\x94\xdf\x31\x59\x20\xb0\x42\xd0\x79\x34\xac\x79\x6d\x0a\x91\x07\x86\x26\xee\x57\xe2\x57\x63\x79\x1f\x7d\xde\x8b\xc0\x4e\x18\x83\xfb\x22\x73\xc7\x99\xb9\x7e\x31\x66\xc5\x6c\xea\xa3\x69\x9c\x31\x73\x9f\x63\xef\x94\x60\x5b\x20\x86\x06\x06\xce\xaf\x97\xbe\x55\xb9\x79\xfd\xc1\x7f\xa9\xba\x29\x90\xbb\xef\xde\x17\xeb\x53\x98\x17\x60\x91\xe5\x36\x73\x01\x29\xc4\xc3\x15\x04\xce\x1f\xc4\x1f\x13\xe7\xd9\x03\x01\xff\x02\xad\x5b\x5f\x52\x3c\x6a\xe7\xef\xa8\x7c\x76\xaf\x1e\xcc\x4b\x67\x15\x25\x1a\x58\xca\x3c\x68\xca\x95\x4a\x93\x45\xcf\x08\x69\x7e\xc5\x43\x76\xdf\xaf\x23\x2c\xd6\xed\xe5\xad\x85\xc1\x23\x4f\xb
c\xb4\xa9\x92\x53\x5b\x70\x13\x5a\x5e\xb7\xd1\xf2\xde\x13\x62\x98\x71\xb0\x2a\xcb\x45\x56\x94\xe9\x1d\x5b\xbb\x97\x2c\x1c\x39\x98\xec\x76\x57\x49\xb4\xca\x83\xc7\x05\x52\x9c\x04\x6e\x85\x93\xba\x47\x09\xe4\x30\xcf\x19\x0a\xba\x4f\xd0\x0a\x6d\x72\x2d\x05\x98\xe8\x0b\x7a\xf8\xfb\xb6\xc0\x53\xdc\x40\x68\xe3\xbf\xaa\x00\x15\xd3\x54\x56\x46\xe4\x0e\xb3\x12\x70\x0e\x7b\x06\x8c\xa6\x44\x79\x2d\x6d\x39\x44\x7a\x35\x3f\x6d\x65\x75\xb0\x1f\x3a\x20\xcf\x31\x01\x17\xa8\x32\xdb\xc7\x6b\x46\x01\x46\xde\xe0\x6c\x85\x95\x80\xba\x5e\x59\x94\x6e\x90\xa1\x68\xd9\x8a\x06\x28\x2d\x02\xf9\x95\x40\xf4\xb1\xfc\xe1\x94\xcc\x7c\xc0\x89\xb1\xb2\xda\x11\xd5\x9b\xee\x54\x77\x38\x3f\x83\xfe\x7f\x50\x01\x1e\xc4\x38\x56\x1f\x17\xb3\x9d\xab\xee\x37\x94\x76\x1c\xde\xf6\xc5\x4a\x60\xc4\x9d\xe8\xfd\x6a\xec\xf0\xb5\xa5\xb5\xc0\x56\xa8\xde\x90\x80\x5e\x0d\x5a\x4c\xba\x91\xeb\x77\x46\xe5\x44\x98\xaa\xd3\x5d\x26\x8e\x92\x3c\x5c\x39\x65\x81\x83\x5c\xf2\x03\x8e\x2a\x1f\x28\xa8\x43\x22\x84\x72\xaa\x2e\x4c\xbd\xe6\xaa\x76\x65\x71\x6f\x23\x9b\xa5\x68\x0d\x1d\x8d\x6c\xd7\x27\x7a\xf1\xf2\xdb\x87\xe5\xf5\x33\x2f\xa9\x04\xd6\x97\x5f\x42\x47\xf3\x3f\x00\xc1\x7b\x95\xdf\x1d\xb7\x92\x39\x8c\x0b\xe2\xab\x89\xc6\xf0\xff\xb1\xd9\xf3\xd3\x0e\x36\xb0\xbc\xde\xe5\x56\x23\xe6\x7e\xd5\x9b\x64\x1e\x1d\x3a\xd2\x43\xa6\x1a\xb8\x00\x3e\xd9\xd5\x01\x86\x45\x7b\x84\x5b\x0f\x5e\x59\x46\x0a\xeb\x8d\x49\xfa\x23\x6b\x69\x1a\x95\x72\xf0\x43\xf3\xd8\x3d\x38\x53\xa6\x58\xc0\x92\xfe\xc3\xee\xf9\xb5\x8f\x3b\xe0\x53\x2e\x46\xda\x34\xf7\x32\x39\x8d\x41\x8a\x82\xa4\x7f\xd2\xbe\xc7\xaa\x9f\xdf\x0a\x05\xa2\xa4\xab\xd6\x50\xdc\xd9\x9c\x09\x5b\xe5\xa0\x25\xd4\xdd\x8d\xe7\xb6\x06\xf7\xc2\x1f\xcf\x49\x0a\x10\x0e\xc2\x88\xf4\x19\x31\x6b\x4a\xdd\x08\x59\x10\x60\xf5\xc4\x02\x30\xee\x63\x9a\xff\x35\xd4\xbb\x20\x7f\xe4\x01\x02\x9c\xff\xd1\x04\x71\x5d\xcd\x48\xc7\xc5\x98\xf5\xea\x42\xb0\xbd\x27\x1e\x6a\x10\x06\x6d\x61\x32\x17\x65\x5d\xbf\x37\xbc\x46\x7d\x97\x35\x72\xd7\xc2\x87\x79\xc9\x98\x1c\xab\xc5\x5e\x68\x3f\xbb\x1e\x9a\xf7\xe0\x0c\xc4\xa2\x22\xa5\x4
f\x24\xed\xf9\x23\x76\x2d\x8e\x0f\xbc\x09\x9e\x42\x0a\x78\xb1\xfc\xfb\x54\xa4\x00\x2f\xdf\x6e\x30\xa3\x44\x5f\x92\x9d\xd9\x7c\x4a\xef\x13\xcd\x8a\x0a\x3b\x19\xcb\x2b\xa7\x31\xd3\xc9\x9a\xad\x63\x11\x66\xb7\x5f\x13\xa9\x54\x98\xe1\x1d\xba\x40\x94\xeb\x5d\x1f\x15\x71\xb6\x98\x7c\x27\x89\x12\xa0\x5a\x9e\xc5\xe2\xf9\x3d\x21\x60\x4e\x49\x6a\xe6\xf7\x63\xed\x43\x3b\xc2\x6c\x5d\x2f\xdf\xee\xfc\x02\xd8\x73\x2b\x29\x09\x1c\x32\xad\x16\xfb\xb4\x7d\xe0\xa5\x6a\x36\xc5\xc7\xd2\x66\x65\xce\x56\x55\x71\xae\xe8\x7e\x72\x9e\x17\x27\xe8\xe1\x49\xb4\x4c\xbc\x58\x19\xeb\x1a\xbc\x31\x7e\xab\xfd\xbc\x54\x47\xdc\x1f\xa9\xed\x58\x52\x81\xf1\xa9\xc3\x3b\xd5\xbb\xae\x66\x26\x21\xe6\x46\x0e\x37\x61\x7e\x88\x30\x4f\xd6\x88\x9d\x77\x5a\xd3\x03\x88\xb2\x08\xb4\x10\x24\x95\xdd\x4a\x60\x15\x79\xfe\xf0\x79\x67\x8b\x66\x81\x6a\x46\xa9\x1c\xd0\xd3\x44\xaf\x0a\xfa\x8e\xe5\x5a\xb2\x22\xd7\x20\xa0\x36\x72\x75\x75\x7a\xa3\x8d\x04\x3c\xec\x88\x8e\x9e\x93\xa4\xff\x91\xc1\xcc\xbb\xc6\x85\xf6\xfe\x27\x10\x47\x4d\xa5\xc4\x37\x6b\x6c\x03\x7b\x2a\xc5\x7a\xb0\x78\x42\x1f\xf2\xf0\x6e\xf8\xab\xcc\x7b\xfa\x18\x19\x5a\xe5\xd3\x23\x6c\x49\x24\x94\xf1\xc6\x65\xdc\x20\x52\xe0\xb5\x67\xe9\x91\x72\x70\x82\xf6\xf5\x29\xcf\xf4\x41\x2d\x5c\xfd\x8a\xca\x31\xf0\xa4\xd3\x23\x32\xe8\xcc\x99\x2a\x39\x01\x7d\x8e\x5a\x85\x25\xa9\xf6\xab\x50\x09\xe7\x06\x7b\x27\x73\x59\x17\x79\xfa\x6d\xe1\x7c\x07\x74\x45\xc3\x9b\x4f\x32\x55\xc2\xdf\x10\x70\x10\x45\xfa\x07\x0a\xc4\xae\xdb\x55\x1b\xfe\x92\xac\x48\xe0\xfa\xca\x06\x07\x68\xed\xf4\xb3\xfb\x10\x1f\x3d\x4c\xdc\xb2\xec\x93\x13\xc0\x28\x98\xaa\x36\x87\x42\x67\x46\x82\x86\xe9\x8f\xfd\xba\xcb\x29\xfb\x64\x07\x27\x99\xbb\x3d\x88\x5b\xf3\x08\xd6\xca\x00\x13\x55\x64\x2a\xd2\x58\xb9\x65\xf9\x59\x7b\x30\xfe\x6c\x3a\xf1\xe8\x9c\x10\xd6\x41\xf4\xe2\xab\x7c\xf5\xa4\x68\x7d\x6b\x69\x15\x7a\x49\xf9\xf4\x07\x91\xef\x46\xf4\xcb\xa6\xe0\xf2\x48\x77\x3c\x35\x0b\xf3\x14\x3c\xec\xe9\x2e\xf7\xc7\x46\xd4\x98\x8c\x83\x51\xc8\x06\x7e\x3c\x4b\x84\x10\x89\xd9\x85\xe0\x9e\xcb\x40\x15\x7d\x7a\x17\x1f\x4e\x64\x55\x1
8\xc5\x25\x98\xfa\x79\x44\x25\x66\x9f\x59\xa2\x7d\x8b\xed\xc1\x47\xe0\x90\x57\xb5\xd2\xf9\xf4\x61\x1c\xac\x95\x10\x58\xb9\xd2\x52\x7f\xe7\xb4\x70\x28\x9a\x2f\x16\xfa\x4d\xee\x15\x06\x52\x08\x6e\x4c\xc1\x94\xc3\xca\xd6\x3a\xee\x9a\xa7\x7b\x00\xdf\x7c\xb4\x21\x40\x1d\x13\x94\xe0\xfb\xae\x8e\x8e\x14\xef\x28\xf1\x28\x60\x1a\xa1\xc9\x1d\x3e\x71\xed\xc0\x7a\x46\x26\x77\x31\xea\x08\x5f\xea\x0b\x27\x81\xfe\x5b\x33\x37\xfb\x39\x1f\x4a\x91\xce\x75\x2a\xeb\x72\x51\xaa\x0c\x3b\xf3\x04\xe9\x89\x22\x0d\x41\x4e\xab\x0a\xf4\x8d\x4a\x86\xbf\x43\xf1\x3e\xe6\xb9\x76\x15\xf5\x1a\x36\x77\xfe\xef\x14\xdc\x4a\xe4\x7d\xb0\x7b\x87\x41\x76\xd1\x8f\x50\x09\x4a\x30\x97\x00\x27\x9f\x41\x29\x24\xe9\x18\xeb\x3e\x6c\x1b\x9f\xa3\xc1\x44\x4f\x28\xb6\x91\xce\xb9\xc3\x3d\x34\xb5\xb3\x73\x3d\x3e\xb0\xc9\xe6\x9c\xb6\xf3\x6b\xca\x69\xd1\xd6\x99\x13\xae\xb5\x1f\x0c\xb5\x98\x28\x52\x7f\x79\x1f\xe7\xf6\x1f\xb4\x30\xba\xce\x64\x56\xab\xc3\x22\xfb\x52\xa1\x31\xf5\xae\xd3\x22\x1a\xfd\x1d\x36\x9d\x7b\xb4\x1f\x60\xbf\xb3\x49\xb5\xcf\x73\x04\x3b\x90\x92\x61\x30\x32\xc7\xdd\x32\x20\xbc\xe9\xd9\xb8\x4f\xd2\xce\xb4\x8a\x76\xff\x0c\x34\xcf\x5b\xf8\xcc\x55\xb5\x75\xe2\x40\xf4\xe6\xc1\xc5\xcf\x93\x98\x0c\xc6\xf6\x8f\xd1\xac\x7c\xc1\x0e\x0e\x48\x33\x39\xdd\xe6\x69\x1e\xb7\xd2\xb7\x00\xe9\x3f\xfd\xf8\x10\x95\x37\x62\x21\x6e\x99\xb5\x64\x01\x49\xaf\x63\x14\x4a\x09\x05\x1b\x68\x3d\xb0\xdf\xb1\xb7\x93\x71\xbc\x7a\x4a\x55\x9a\xe6\x27\x18\x38\xa8\x68\x46\x8e\x54\xaa\xde\xf0\x3b\xa4\x0c\xa1\x27\xaa\x2c\x27\x51\xda\x79\x20\x2d\xca\xd7\x2e\x4f\x15\x93\x04\x1d\xb5\x3b\xbf\x4f\x80\x64\x17\x0f\xe8\x5c\x46\xe5\x9f\xf0\x0b\x9e\xb4\xbf\x2e\x01\xea\xb7\x19\x7a\x00\x70\x4e\x3c\x70\x84\xa8\x06\x99\xed\x5a\xaa\xe7\xbb\xae\x06\x84\xe5\xfb\x3e\xd6\x0c\x66\x20\xc7\x3a\xa0\x13\x31\x37\x13\x27\x9b\xf9\x58\xa2\x1f\x56\xf9\x67\x46\xe1\x60\x62\x3f\x10\x76\xa5\xea\x95\xa2\x3f\xc9\x08\x37\x3b\xc0\x78\x22\x18\x94\xcc\xc7\x79\x49\xff\xd3\x65\x94\x70\xd8\x3f\x86\x07\x62\xb0\x30\x2b\xf3\xe4\x04\x04\x6c\x0c\x32\xa7\x1e\xb8\x5e\x67\x41\x11\xcb\x9c\x2d\x4
9\x0b\x8b\x4f\x5b\xfd\x1f\xa9\x38\x2a\x42\x96\xd9\x73\x26\xd6\xa7\x28\x37\x8a\xb3\x5c\x0a\x34\x9e\xd6\x93\x49\xf7\x5b\x89\xad\xf8\xdc\x9e\x5b\xae\xd2\x76\xc9\x26\x14\xc2\x96\x36\xf2\xf5\xb1\x9d\x4d\xc6\x61\xe2\xd0\xfe\x6f\xd6\x47\x86\xd5\x07\xb9\x9b\x39\x79\xfe\x0f\x6e\xcb\x06\xb7\x6f\xd6\x4b\xfb\x31\x61\x31\xa5\x2d\x3d\xb7\x44\x55\x08\xc8\xf0\xbd\x39\x44\x95\xa6\xc1\x3c\xa6\x4e\x37\x80\xa4\x16\xc7\x2a\x7a\x34\x99\x6d\x5a\x34\x2e\x63\x49\xd9\x2b\xfc\xb8\xd7\x5b\xd4\xed\xd2\x25\xd4\xe8\x60\x18\x38\xbf\xfc\x60\x4e\x9e\x3f\x0d\xe8\x3a\x1c\xf9\xe1\x7c\x7f\xa7\x39\x8f\xea\x49\xc8\xfa\xed\x29\x9d\x04\xa9\x0a\x70\xbd\xaa\x0b\x11\x14\x28\xe2\xe6\x22\x4a\xe0\x8c\x1b\xf0\xea\x1a\x69\xe1\x6e\x1f\xfd\x4b\xfa\x76\xaf\xff\xdd\x50\x60\xac\x99\x2e\xfa\x08\xfb\x74\x04\xfa\x1f\xf3\x45\x60\x42\x65\x4d\x3d\x51\x29\x26\x24\xac\x3b\xb3\x35\x6f\x5b\xd3\xf4\x92\xc1\x69\xe8\xc7\xdc\x71\xcc\xd3\xb4\xe9\x1c\xb2\x98\xef\x7f\x2b\x61\xd7\x4a\x86\xe7\xcb\x6d\xaf\x62\x1a\x8b\x0b\x6a\x87\xe5\x8d\xdc\xaa\x65\xf3\x76\xfe\x06\x52\xc4\x0c\x76\xd7\x62\xb5\x80\xf3\x4d\xa9\x79\xae\x09\x68\xb1\x72\xa9\xcc\xc4\xcd\x8b\x34\xaf\x38\x73\xe8\x5d\x16\x53\xc9\xe5\x57\x1d\xc3\x4e\x8c\x39\xf7\xf0\x4d\xf1\x91\xc0\xe8\x12\x13\xd2\xfa\xc0\x41\x26\x64\xeb\x47\x69\xc4\x80\xa8\x0f\xdc\xd5\xca\xe2\xa2\xeb\x8b\x1d\x03\x1c\xc6\xe6\x49\xd8\xf0\xb2\x9f\x91\x15\xea\x2b\xb2\x7c\xbe\x35\xcb\xa0\x40\x64\x7a\xd9\xda\x8a\xd3\x69\x31\xcf\xdc\xe5\xc5\x8d\xfd\x6b\x8d\x0b\xd8\x3c\xf4\xf8\xca\xd6\xf6\xd6\xf3\x04\x83\x80\x58\x3d\x8e\xf0\x80\x7a\x4d\x02\x4e\xf8\xd0\x33\x3a\x97\x18\x34\x23\xc9\x0e\x8d\xd1\xb6\x2d\xc7\x0c\x95\xae\x30\xac\xd0\xcc\xc2\x57\xde\x6f\xeb\x89\xa9\x49\x2b\x42\x14\xb6\x5d\x8d\xa2\xad\xa1\x1b\x80\xfb\xd7\x68\x9a\xfd\xb9\x9f\xa8\x20\xcb\x7a\xaa\xca\x8c\xe3\x2f\xd1\xad\xf5\xd7\x24\xf5\x06\x83\xa7\x92\x4e\xd1\xb5\xde\x6b\x32\x2a\x49\x32\xea\x46\xd3\xb2\x66\xa2\x70\x42\x02\x59\xa4\xfe\xe4\x80\x05\x4f\x06\x75\xe7\x7e\x51\x78\xff\x25\x5b\xe0\x00\x46\x8a\x22\x0a\x25\xc6\x87\x9e\x03\x9b\xc1\x4c\x38\xcb\xf9\x04\x0e\xde\xd4\x1
f\x1c\x6d\x75\xfe\x46\x15\xcc\x57\x67\x7c\x94\x8c\x7b\xb9\xc3\x56\x11\x84\xb0\xff\xe0\xd0\xa9\xed\x0e\x72\x12\xfa\xbd\x5e\xf3\x57\xff\xb3\xca\x40\xe8\xa9\x7b\xe2\xa9\xbc\xf3\x5f\xc7\xe3\xd7\xce\x8f\x6d\x50\xa4\xf7\xb4\x2c\x24\x68\x94\x68\x38\x22\xdb\x36\xb9\x55\x28\xcd\x80\x61\x34\x2c\x66\xc7\x88\xbb\x6f\x63\xbe\xad\xfe\x35\x59\xe8\x96\xe4\x38\x7a\x12\xce\xdf\x6f\x22\x08\x88\xd2\x18", 4096); *(uint32_t*)0x20001ca8 = 0x1000; *(uint32_t*)0x20001cac = -1; *(uint32_t*)0x20001cb0 = 0x20001b80; memcpy((void*)0x20001b80, "\xe0\xc6\xc9\xc0\x1a\xfb\x3e\x83\x24\x12\x04\xcd\x69\x42\xa5\xf5\xb3\x8d\xed\xc4\x87\x1f\xea\x15\x0d\xdb\xcb\x8c\x14\xce\x51\x5f\xa1\xfc\x5f\x1f\xb3\xec\x60\x66\x49\xa1\x62\xc4\xe5\x2e\xc3\x28\xeb\x35\x65\xfb\x84\xab\xdf\x8b\x40\x8d\x74\x4e\xe1\x9c\x67\xcc\xe5\x4a\xca\xd1\xc6\xaa\x75\xa3\xf9\x7f\x94\x26\x74\x76\xe7\x02\xbb\xe0\x65\xe6\x71\x88\xc3\xc8\x26\xd4\x41\x4e\x46\x69\x5d\x71\xc9\xe2\x4a\x31\xfa\xf7\xfc\x28\x29\x70\x92\x50\x3b\xb1\x0a\xdb\x27\xfc\xb1\x97\x43\x8e\xfe\x36\x05\x10\x1a\xbc\x12\x7f\xda\x30\x3e\x63\xa7\x42\x3e\xf1\x69\x3f\x6c\x00\x57\x63\xfd\xf8\xb1\x8e\x10\xa5\xa9\xfa\x34\xb3\xc0\x0e\xce\xd1\xf7\x5b\xad\xa7\xd2\x61\x60\xae\xdf\x27\x58\xbf\x60\x3b\x0c\x58\x90\x68\x28\x84\xeb\x55\xb2\x76\x0b\x3b\x7b\x96\x14\xb6\xbd\x1d\xde\xf9\xe9\xcc\x1d\xf2\x08\x92\x06\x3f\x1e\xa0\x58\xa4", 200); *(uint32_t*)0x20001cb4 = 0xc8; *(uint32_t*)0x20001cb8 = 0x81; syz_read_part_table(0x44, 5, 0x20001c80); break; case 34: *(uint8_t*)0x20001cc0 = 0x12; *(uint8_t*)0x20001cc1 = 1; *(uint16_t*)0x20001cc2 = 0x310; *(uint8_t*)0x20001cc4 = 0xae; *(uint8_t*)0x20001cc5 = 0x73; *(uint8_t*)0x20001cc6 = 0xca; *(uint8_t*)0x20001cc7 = 0x40; *(uint16_t*)0x20001cc8 = 0x1740; *(uint16_t*)0x20001cca = 0x602; *(uint16_t*)0x20001ccc = 0xfa57; *(uint8_t*)0x20001cce = 1; *(uint8_t*)0x20001ccf = 2; *(uint8_t*)0x20001cd0 = 3; *(uint8_t*)0x20001cd1 = 1; *(uint8_t*)0x20001cd2 = 9; *(uint8_t*)0x20001cd3 = 2; *(uint16_t*)0x20001cd4 = 0x870; *(uint8_t*)0x20001cd6 = 2; *(uint8_t*)0x20001cd7 
= 0x7f; *(uint8_t*)0x20001cd8 = 0x90; *(uint8_t*)0x20001cd9 = 0x20; *(uint8_t*)0x20001cda = 0x3f; *(uint8_t*)0